"Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said in a fresh report.
How FortiBleed operates: a five-stage pipeline
SOCRadar describes FortiBleed as a coordinated, multi-stage credential-harvesting operation that has been active since February 2026. The campaign runs in distinct phases: mass reconnaissance with Masscan and Shodan, country-based filtering with FortiProbe-fast and GeoSplit, automated credential stuffing and SSH access using a tool called "forticheck," deployment of a Golang sniffer (FortigateSniffer) via SSH, offline cracking with Hashmat and Hashtopolis orchestrated by a Telegram bot named HASHBOT, and finally lateral movement, Active Directory enumeration, and exfiltration of sensitive data and session cookies.
FortigateSniffer: passive collection using a native diagnostic command
The operation's centerpiece is FortigateSniffer, a Golang-based tool that leverages the FortiOS diagnostic command diagnose sniffer packet to passively capture authentication traffic on compromised FortiGate appliances. SOCRadar says the sniffer monitors traffic across 24 protocols — including TACACS+, Kerberos, RPC, SMB, LDAP, SMTP, FTP, Telnet, RDP, WinRM, MS-SQL, MySQL, PostgreSQL, and RADIUS — parsing authentication data to extract both cleartext credentials and password hashes.
Scale: 430,000 FortiGate devices and 110 million credentials
According to the reporting, FortiBleed has targeted more than 430,000 FortiGate firewalls worldwide. Security teams cataloged no fewer than 659 credential‑harvesting pipelines on May 31 and June 15, 2026, which together produced more than 110 million identified credentials. The harvested material includes 14.8 million RADIUS credentials, 924,000 NTLM hashes, 130,000 Kerberos hashes, and 89 million MySQL authentication tokens.
Targets, timing, and operational tradecraft
SOCRadar notes a strategic focus on small and medium businesses with fewer than 200 employees, with notable emphasis on targets in the United States and India and a particular interest in IT services firms. The campaign is not limited to Fortinet appliances: the actors also automated brute-force attacks against Synology NAS, Sophos firewalls, RDWeb portals, Citrix SSL-VPNs, and MS-SQL servers, with activity traced back to at least February 28, 2026.
Operational controls reveal tradecraft tailored to limit exposure. The sniffing mechanism applies geofencing to restrict collection to selected IP ranges and confines harvesting to between 7 a.m. and 6 p.m. Moscow Time. SpyCloud reports that FortiGate-related capture began on May 19, 2026, and that hash‑cracking infrastructure was established toward the end of May. Zenox described the attack pipeline as running in 300‑minute cycles with status updates every minute, validating targets using 1,000 simultaneous threads and, in early cycles, achieving a successful validation rate near 90%.
What this means for SMBs, IT service providers, and policymakers
- SMBs and IT service providers: SOCRadar highlights IT services firms as high-value targets because compromised providers can yield downstream access to customers. Organizations with outsourced infrastructure or fewer than 200 employees should assume credential risk and prioritize verification of external-facing appliances.
- Security teams and incident responders: the use of native diagnostic commands and passive sniffing means detection relies on monitoring for unexpected diagnostic usage and anomalous SSH deployments. The pipeline’s use of Hashmat, Hashtopolis, and HASHBOT implies rapid crack-and-reuse cycles that defenders must track.
- Policymakers and defenders tracking hostile commerce: the report assesses a Russian‑speaking initial access broker driven by financial gain as the likely operator behind FortiBleed. Separately, a Russian‑language account named "SantaAd" advertised access to thousands of Fortinet devices—initially priced at $30,000, then $60,000 hours later—though SOCRadar and SpyCloud say any direct link to FortiBleed is unclear.
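As an added example (not from the SOCRadar report or from any tool it names), the two detection ideas in the list above, watching for diagnostic sniffer usage and for admin SSH logins from unexpected sources, written as rules over constructed FortiGate-style log lines; the key=value field layout, the device names and the 10.20.0.0/16 management network are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample events in a FortiGate-like key=value syslog style; the
# field layout is an assumption for this example, not verbatim FortiOS output.
SAMPLE_LOGS = """\
date=2026-06-01 time=09:12:03 devname=fw-edge01 type=event user=admin ui=ssh(203.0.113.7) action=login status=success srcip=203.0.113.7
date=2026-06-01 time=09:12:40 devname=fw-edge01 type=event user=admin ui=ssh(203.0.113.7) msg="Command executed" cmd="diagnose sniffer packet any 'port 389 or port 1812 or port 88' 6 0 a"
date=2026-06-01 time=10:01:11 devname=fw-edge02 type=event user=netops ui=ssh(10.20.0.5) action=login status=success srcip=10.20.0.5
date=2026-06-01 time=10:01:55 devname=fw-edge02 type=event user=netops ui=ssh(10.20.0.5) msg="Command executed" cmd="diagnose sniffer packet port1 'host 10.20.0.9' 4 10"
date=2026-06-01 time=22:40:09 devname=fw-edge03 type=event user=admin ui=ssh(198.51.100.22) action=login status=success srcip=198.51.100.22
"""

# Networks from which admin SSH is expected (assumed management allow-list).
MGMT_NETS = [ip_network("10.20.0.0/16")]
# Ports of the authentication protocols the report says the sniffer parses.
AUTH_PORTS = {"21", "23", "25", "49", "88", "389", "445", "1433", "1812",
              "3306", "3389", "5432", "5985"}
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line):
    """Split one key=value line into a dict, unquoting quoted values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(line)}

def findings_for(line):
    """Return (rule, device, user, detail) tuples for one event."""
    ev, out = parse_event(line), []
    cmd = ev.get("cmd", "")
    if cmd.startswith("diagnose sniffer packet"):
        # A capture on every interface, or one filtered to credential-bearing
        # ports, is the sniffer usage pattern the report describes.
        ports = set(re.findall(r"port (\d+)", cmd))
        if " any " in cmd or ports & AUTH_PORTS:
            out.append(("sniffer_on_auth_traffic", ev["devname"], ev["user"], cmd))
    src = ev.get("srcip")
    if ev.get("action") == "login" and ev.get("ui", "").startswith("ssh") and src:
        if not any(ip_address(src) in net for net in MGMT_NETS):
            out.append(("ssh_admin_login_outside_mgmt", ev["devname"], ev["user"], src))
    return out

def scan(log_text):
    """Run both rules over every non-empty line of a log excerpt."""
    return [f for line in log_text.splitlines() if line.strip() for f in findings_for(line)]
```

The host-filtered capture on fw-edge02 from a management address is deliberately left unflagged, since routine troubleshooting looks exactly like that; tuning the allow-list and port set to your own environment is the real work.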
SOCRadar also flagged signs that some username/password pairs were repeated across thousands of IPs, raising the possibility that attackers planted accounts to create clandestine backdoors. The report further notes possible use of open-source, AI-native offensive tools — including a platform called CyberStrike and a related framework CyberStrikeAI previously linked to automated FortiGate scanning by Amazon Threat Intelligence.
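An added example, not part of the report, of the fleet check that the repeated-account finding calls for: parse each device's admin account block and flag accounts absent from the approved baseline, listing every device that carries them and the profile granted there. The FortiOS-like config layout, the device names and the baseline are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed excerpts for three devices in a FortiOS-like "config system admin"
# layout; the layout is an approximation assumed for this example.
DEVICE_CONFIGS = {
    "fw-edge01": '''config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
end''',
    "fw-edge02": '''config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "svc_backup"
        set accprofile "super_admin"
    next
end''',
    "fw-edge03": '''config system admin
    edit "netops"
        set accprofile "prof_admin"
    next
end''',
}
# Accounts authorized by change records (assumed baseline for the example).
BASELINE = {"admin", "netops"}

def parse_admins(config_text):
    """Return {account: profile} from one device's admin config block."""
    admins, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := re.match(r'edit "([^"]+)"', line)):
            current = m.group(1)
            admins[current] = None
        elif current and line.startswith("set accprofile "):
            admins[current] = line.split()[-1].strip('"')
        elif line == "next":
            current = None
    return admins

def audit_fleet(configs, baseline):
    """Accounts absent from the baseline, with each device carrying them and its profile."""
    seen = defaultdict(list)
    for dev, text in configs.items():
        for name, profile in parse_admins(text).items():
            seen[name].append((dev, profile))
    return {n: hits for n, hits in seen.items() if n not in baseline}
```

The same unapproved name with a privileged profile on many devices is the pattern to chase; a single stray account is usually a change-management lapse rather than a planted backdoor.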
FortiBleed's scale, automation, and cross-vendor scope make it an unusual, financially motivated campaign: broad reconnaissance, mass brute-forcing, passive credential capture via a native command, rapid offline cracking, and reuse for lateral access. The reporting leaves one immediate question open: whether advertised device-access markets such as "SantaAd" are downstream monetization for this specific campaign or simply parallel criminals exploiting the same exposed appliances.