
FortiBleed Campaign Supplies Ransomware Groups with Stolen Credentials

Bottom line: FortiBleed attackers directly supply ransomware groups with stolen FortiGate credentials for immediate use in deployments.

The credential-theft campaign FortiBleed is operated by actors also linked to the ransomware groups INC and Lynx. The stolen FortiGate access credentials are strategically forwarded for ransomware deployments.

FortiBleed is a financially motivated campaign that specifically steals login credentials from FortiGate systems. Security researchers were able to identify an operator of the campaign who is simultaneously active in the negotiation panels of the ransomware groups INC and Lynx.

This connection proves that the stolen access credentials are not only intended for sale on the darknet but are also used directly to prepare ransomware operations. The captured credentials enable the perpetrators, after successful authentication, to compromise systems and carry out downstream intrusion operations.

For CISOs, this means an increased threat to FortiGate installations: credential theft on these systems can immediately lead to a ransomware attack, not just data theft. The connection between credential theft and ransomware operations demonstrates a specialized division of labour among organized cybercriminals.


Source: thehackernews.com · Published July 2, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
