The FortiBleed credential theft campaign, which exposed credentials harvested from more than 73,000 Fortinet devices, has been directly tied to operators behind the INC and Lynx ransomware-as-a-service (RaaS) groups, according to new research from SOCRadar’s Threat Research Unit.
How the Link Was Established
Investigators identified a Windows server belonging to the FortiBleed infrastructure and found that the operator had accessed negotiation panels for both Lynx and INC ransomware groups. SOCRadar shared screenshots showing browser sessions open to administration dashboards containing active victim negotiation chats for both platforms. The researchers describe this as direct evidence connecting FortiBleed infrastructure to ransomware deployment activity.
Scope Larger Than Initially Understood
Earlier analysis had already revealed that the campaign used a custom packet-sniffing tool, called FortiGate Sniffer, deployed directly on compromised FortiGate firewalls to intercept VPN credentials and other authentication data from live network traffic. The updated investigation expands the known scale considerably:
- More than 430,000 FortiGate firewalls were targeted worldwide.
- Traffic sniffers were deployed on approximately 19,000 devices; after vendor and researcher notifications, active compromises have been reduced to roughly 11,000.
- Approximately 500 operational servers were identified, more than 200 of which were not previously associated with the campaign.
- The operation appears to involve roughly 20 members with defined roles.
Overlap With INC Ransomware Victims
SOCRadar also found that victim information harvested during FortiBleed overlaps with organizations subsequently listed on the INC ransomware leak site, further corroborating the operational connection between credential theft and downstream ransomware deployment.
Additional Findings
Researchers identified persistent backdoor accounts with the username adminin on compromised systems. SOCRadar says it is continuing efforts to recover ransomware decryption keys associated with the operation.
The researchers also believe the attackers exploited a previously undisclosed zero-day vulnerability in Nextcloud as part of post-compromise access expansion, though technical details have not yet been released pending further investigation.
Background on the Ransomware Groups
INC Ransom has operated as a RaaS platform since mid-2023, targeting healthcare, education, government, and other sectors. Lynx emerged in mid-2024 and is assessed by security researchers to be a rebrand of the INC ransomware group rather than an independent operation.
SOCRadar says a second technical white paper containing indicators of compromise, attribution evidence, and additional analysis will be published once its investigation is complete. Organizations running FortiGate devices should audit for the adminin backdoor account, review VPN credential exposure, and monitor for lateral movement consistent with RaaS affiliate tradecraft.
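One way to perform the first of those audits offline, as an added example that is not SOCRadar's or Fortinet's tooling: the script below parses a FortiOS-style configuration export (the `config system admin` / `edit` / `set` / `next` / `end` layout FortiGate devices produce), lists every local administrator account, and flags accounts that are absent from an expected inventory, that carry the adminin username named in the article, or that explicitly allow management from any source address. The sample configuration and the `EXPECTED_ADMINS` inventory are constructed for the example; substitute a real backup file and your own account list.

```python
import re
from typing import Dict, List, Set

# Constructed sample of a FortiOS config export (not from any real device).
# The "adminin" entry mirrors the backdoor username reported in the article;
# the nested gui-dashboard block shows why nesting depth must be tracked.
SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.0.0.0 255.255.255.0
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "adminin"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 0.0.0.0 0.0.0.0
    next
    edit "netops-ro"
        set accprofile "prof_admin"
        set vdom "root"
    next
end
"""

# Assumption: the organisation's known-good administrator inventory.
EXPECTED_ADMINS: Set[str] = {"admin", "netops-ro"}
BACKDOOR_USERNAME = "adminin"  # username reported by SOCRadar for FortiBleed

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*)$')


def parse_admin_accounts(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {username: {setting: value}} for each entry under
    'config system admin'. Nesting depth is tracked so that sub-blocks
    inside an account (e.g. 'config gui-dashboard') neither leak their
    settings into the account nor terminate the section early."""
    accounts: Dict[str, Dict[str, str]] = {}
    depth = 0            # number of 'config' blocks currently open
    admin_depth = None   # depth at which 'config system admin' was opened
    current = None       # username of the 'edit' entry being read
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            depth += 1
            if line == "config system admin" and admin_depth is None:
                admin_depth = depth
            continue
        if line == "end":
            if depth == admin_depth:
                admin_depth = None
                current = None
            depth -= 1
            continue
        if admin_depth is None or depth != admin_depth:
            continue  # outside the admin section or inside a nested sub-block
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            accounts[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            accounts[current][m.group(1)] = m.group(2).strip('"')
    return accounts


def audit_admins(config_text: str, expected: Set[str]) -> List[Dict[str, object]]:
    """Flag administrator accounts that warrant review, with the reasons."""
    findings = []
    for name, settings in parse_admin_accounts(config_text).items():
        reasons = []
        if name not in expected:
            reasons.append("not in expected admin inventory")
        if name == BACKDOOR_USERNAME:
            reasons.append("username matches reported FortiBleed backdoor account")
        if name not in expected and settings.get("accprofile") == "super_admin":
            reasons.append("unexpected account holds super_admin profile")
        # An explicit 0.0.0.0/0 trusted host allows management from anywhere.
        if any(k.startswith("trusthost") and v == "0.0.0.0 0.0.0.0"
               for k, v in settings.items()):
            reasons.append("trusted host explicitly set to any source address")
        if reasons:
            findings.append({"account": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_admins(SAMPLE_CONFIG, EXPECTED_ADMINS):
        print(finding["account"] + ":")
        for reason in finding["reasons"]:
            print("  - " + reason)
```

Run it against a configuration backup (`execute backup config` output or the file downloaded from the GUI) rather than against a live device; a device whose config an attacker has already altered may also have had its trusted-host and profile settings changed, so review every flagged reason rather than only the username match.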
