Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. FortiBleed Credential-Theft Campaign Linked to Lynx Ransomware Group
FortiBleed Credential-Theft Campaign Linked to Lynx Ransomware Group
NEWS

FortiBleed Credential-Theft Campaign Linked to Lynx Ransomware Group

Researchers have connected the massive FortiBleed credential-theft operation — which harvested credentials from over 86,000 FortiGate firewalls — directly...

Dylan H.

News Desk

July 1, 2026
3 min read

FortiBleed Meets Ransomware

The FortiBleed credential-theft campaign — one of the largest Fortinet exploitation operations ever documented — has now been explicitly linked to the INC Ransom and Lynx ransomware groups, according to new findings published by BleepingComputer. The connection confirms long-standing suspicions that the stolen Fortinet VPN credentials were being stockpiled as initial access inventory for future ransomware intrusions.

The FortiBleed campaign targeted Fortinet FortiGate firewalls at massive scale, compromising credentials from an estimated 73,000 to 86,644 devices and intercepting over 110 million credentials through custom packet-sniffing malware deployed directly on victim firewalls.

How the Connection Was Made

Investigators identified a Windows server used by the FortiBleed operators that contained active browser sessions logged into both the INC Ransom and Lynx ransomware negotiation panels simultaneously. The shared infrastructure provides direct forensic evidence that the same threat actors are managing both the credential-harvesting operation and downstream ransomware negotiations.

Lynx ransomware, which emerged in mid-2024, is widely believed to be a rebrand or fork of INC Ransom, which has been operating since mid-2023. The overlap in infrastructure reinforces this relationship and suggests a small core group drives activity across both brands.

Campaign Scale and Infrastructure

The FortiBleed operation revealed a sophisticated, multi-tiered threat actor:

  • ~500 operational servers supporting credential harvesting and exfiltration
  • A custom "FortiGate Sniffer" tool deployed on compromised firewalls to intercept live VPN authentication traffic
  • Persistent backdoor accounts using the username "adminin" on compromised systems
  • Infrastructure for password hash cracking and credential-stuffing attacks
  • Evidence of exploiting a previously undisclosed Nextcloud zero-day to expand access

The operation employed a roughly 20-member team with defined roles including senior operators, specialists, and junior support staff — a structure more reminiscent of a criminal enterprise than opportunistic hacking.

Why This Matters

Fortinet firewalls sit at the outermost perimeter of enterprise networks, making compromised credentials exceptionally dangerous. An attacker holding valid VPN credentials can bypass perimeter controls entirely, land inside a trusted network segment, and proceed with lateral movement and ransomware deployment with minimal friction.

The link to Lynx and INC Ransom suggests the stolen credentials are not being sold on forums but rather retained for direct exploitation — a more patient, high-value approach that tends to produce larger ransom demands against well-resourced targets.

Remediation Steps

Organizations running Fortinet FortiGate devices should take the following actions immediately:

  1. Rotate all VPN credentials and SSL-VPN service account passwords
  2. Review FortiGate configurations for unauthorized admin accounts, particularly any account named "adminin"
  3. Apply all available FortiOS patches, especially those addressing the FortiBleed-related vulnerabilities
  4. Enable logging on all authentication events and forward to SIEM for anomaly detection
  5. Audit active sessions and terminate any unrecognized SSL-VPN connections
  6. Check for unauthorized packet capture processes running on firewall management interfaces

Fortinet previously notified affected customers when the FortiBleed campaign was initially disclosed, and active notification efforts reduced the number of devices with live sniffers from ~19,000 to approximately 11,000. However, credentials harvested before notification remain at risk.

References

  • BleepingComputer — FortiBleed campaign linked to Lynx ransomware
#Ransomware#Fortinet#FortiBleed#Lynx#INC Ransom#Cybercrime

Related Articles

FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations

SOCRadar uncovered FortiBleed — a large-scale credential-harvesting campaign targeting 11,250 FortiGate portals across 150+ countries, resulting in 110...

3 min read

Canada's Spy Agency Reports Hacking Three Criminal Groups in 2025

Canada's Communications Security Establishment publicly disclosed offensive cyber operations against a ransomware-as-a-service gang, a foreign online extremist group, and a drug trafficking network in its 2025–2026 annual report — a rare admission of state-level offensive hacking against criminal organizations.

4 min read

JadePuffer: The First Fully Autonomous LLM-Driven Ransomware Attack

Security researchers at Sysdig have documented JadePuffer — an agentic threat actor powered entirely by a large language model that independently exploited a Langflow RCE flaw, moved laterally, exfiltrated a MySQL database, destroyed it, and demanded ransom. No human operator was in the loop at any stage.

4 min read
Back to all News