Newly surfaced technical intelligence on the FortiBleed credential-harvesting campaign reveals a far more engineered operation than previously reported. What began as a story about massive scale — 430,000 FortiGate firewalls and 110 million stolen credentials — turns out to involve a purpose-built five-stage attack framework deployed by a Russian-speaking initial access broker (IAB), with custom tooling at every phase.
The Five-Stage FortiBleed Chain
Stage 1: Precision Reconnaissance
The campaign opens with automated scanning infrastructure designed to isolate high-value targets:
- Masscan and Shodan for internet-wide FortiGate discovery
- FortiProbe-fast — a custom tool that fingerprints firmware versions and identifies unpatched devices
- GeoSplit — filters targets by country and ASN to align with buyer demand
Scans operate on 300-minute operational cycles with up to 1,000 simultaneous validation threads, and activity is restricted to 07:00–18:00 Moscow Time — a strong indicator of a disciplined, professionally-run operation.
Stage 2: Initial Compromise
No zero-days. The IAB leverages pure credential force:
- "forticheck" — a custom credential-stuffing tool targeting FortiGate SSH admin panels
- Dictionary attacks against default
adminaccounts - Credential stuffing using curated dumps from previous enterprise breaches
The estimated ~90% initial success rate against targeted devices reflects how many organizations still run unprotected admin interfaces or default credentials on perimeter appliances.
Stage 3: In-Memory Credential Capture
The campaign's technical crown jewel: FortigateSniffer, a Golang-based packet capture agent deployed using FortiGate's own native diagnostic CLI commands. Once installed, it monitors 24 authentication protocols simultaneously:
| Protocol Category | Protocols Captured |
|---|---|
| Windows Auth | NTLM, Kerberos, RPC, SMB, LDAP, WinRM |
| SMTP | |
| Remote Access | Telnet, RDP, FTP |
| Database | MS-SQL, MySQL, PostgreSQL |
| Network Auth | RADIUS, TACACS+ |
This broad protocol coverage means the sniffer doesn't just steal FortiGate credentials — it intercepts all authentication traffic transiting the firewall, yielding credentials for backend systems, domain controllers, databases, and email servers in a single sweep.
Credential Harvest Breakdown
| Type | Volume |
|---|---|
| MySQL authentication tokens | 89 million |
| RADIUS credentials | 14.8 million |
| NTLM hashes | 924,000 |
| Kerberos hashes | 130,000 |
Stage 4: Automated Hash Cracking
Harvested hashes are piped directly into a Telegram bot called HASHBOT, which orchestrates cracking jobs across a distributed fleet:
- Hashmat — custom orchestration layer
- Hashtopolis — distributed hash cracking management
- Hashcat — GPU-accelerated cracking
Supported hash modes include NetNTLMv2, FortiGate256, RAKP (IPMI), MS-SQL, and Kerberos TGS hashes. The Telegram interface allows the operator to submit jobs and receive cracked plaintext passwords asynchronously, keeping the infrastructure modular and resilient.
Stage 5: Lateral Movement and Monetization
Cracked credentials feed directly into post-exploitation:
- Impacket — used for Active Directory enumeration, SMB authentication, and data exfiltration
- Access packaging — validated accesses are graded by organization type (enterprise, government, MSP) and listed on Russian-language criminal markets at $30,000–$60,000 per target
659 credential-harvesting pipelines were observed active at peak operation (May 31 – June 15, 2026).
Scope of Targets
FortiGate is not the only target. The same infrastructure has been directed at:
- Synology NAS devices
- Sophos firewalls
- Citrix SSL-VPN gateways
- RDWeb portals
- MS-SQL servers directly exposed to the internet
Why This Matters for Enterprise Defenders
The FortiBleed operation demonstrates that high-volume IAB campaigns have evolved well beyond simple credential stuffing. Purpose-built tools like FortigateSniffer — deployed via legitimate diagnostic APIs — represent a significant detection evasion advantage: no external malware signature, no unusual process, just native diagnostic traffic.
Detection Signals
Look for these indicators in FortiGate and network logs:
# Suspicious FortiGate CLI activity
diag sniffer packet any 'host x.x.x.x' 6 # Diagnostic sniff to external host
diag debug flow filter # Unexpected debug sessions
exec log display # Bulk log reads
# Network-level indicators
- Outbound SSH to non-managed hosts from FortiGate mgmt interface
- RADIUS/Kerberos traffic captured and forwarded to external IPs
- Auth logs showing 1,000+ parallel login attempts in < 5 minutes
Prioritized Response Actions
| Priority | Action |
|---|---|
| Critical | Enable MFA on SSL-VPN — invalidates stolen plaintext credentials immediately |
| Critical | Patch FortiOS to latest stable — eliminate known auth bypass vectors |
| High | Rotate all admin and VPN credentials site-wide |
| High | Audit FortiGate diagnostic command history (diagnose debug logs) |
| High | Review AD for new accounts created via Impacket (atypical SAM-Account-Name patterns) |
| Medium | Geo-restrict admin panel access to known management IP ranges |
| Medium | Monitor RADIUS/Kerberos traffic for lateral exfiltration patterns |
Attribution
The actor — possibly operating under the alias "SantaAd" on Russian criminal forums — shows hallmarks of a mature, well-resourced IAB: Moscow business-hours operations, geofenced targeting aligned with buyer demand, and a modular toolchain that limits exposure if any single component is burned.
No nation-state affiliation has been identified. The operation is assessed as purely financially motivated, with harvested accesses serving as raw material for downstream ransomware deployments by groups including Fog, BlackSuit, and similar affiliates.