A Russian-speaking initial access broker harvested more than 110 million credentials from roughly 430,000 internet-facing FortiGate firewalls in a campaign researchers have named FortiBleed, according to analysis published by Arctic Wolf on June 23, 2026. The operation, active from at least February through mid-June 2026, targeted organizations with exposed management interfaces and without multi-factor authentication, converting every compromised device into a potential foothold available for sale to ransomware affiliates.
The Scale of the Harvest
Arctic Wolf’s reverse engineering of the campaign’s infrastructure reveals a credential factory of unusual scale. Between May 31 and June 15, 2026, a single documented collection run produced 121.43 gigabytes of exfiltrated authentication data. That tranche included 14.8 million RADIUS credentials, 924,000 NTLM hashes, 130,000 Kerberos hashes, and roughly 89 million MySQL tokens. The attacker’s database at time of discovery held entries for between 73,932 and 86,644 unique FortiGate devices across 194 countries.
Small and medium-sized businesses with fewer than 200 employees were disproportionately represented among compromised organizations. The IT services sector faced the highest concentration of intrusions, with the United States and India accounting for the largest geographic share of victim organizations. The breadth of the campaign reflects a systematic, automated approach to mass credential collection rather than targeted espionage.
How Attackers Gained Entry
No zero-day vulnerability or newly disclosed CVE enabled FortiBleed. The threat actor gained initial access through credential stuffing and password spraying against internet-exposed management interfaces. Organizations that had not enforced strong, unique credentials on administrative accounts, or that lacked multi-factor authentication on SSL VPN access, were the primary targets.
Once inside, the attacker retrieved configuration exports from compromised devices. Those exports contained password hashes, including some that persisted in a legacy field even after operators believed they had rotated credentials during a firmware upgrade. The actor’s infrastructure then cracked those hashes offline using GPU-accelerated tooling.
Post-authentication, the attacker deployed a Golang-based tool researchers identified as FortigateSniffer, which passively captured authentication traffic crossing the compromised appliances across 24 protocols including TACACS+, Kerberos, LDAP, SMB, and RDP. Compromised firewalls were effectively converted into surveillance nodes against their own downstream users and connected infrastructure.
The Initial Access Broker Model
The operator, communicating under the handle @Clarksome in Russian-language forums, appears to be an initial access broker rather than a ransomware operator. Russian-language interface elements in the tooling and operational communications suggest Russian-speaking operators, though Arctic Wolf notes that insufficient evidence exists for definitive attribution.
The IAB model separates the work of gaining persistent network access from the work of deploying ransomware or exfiltrating large data volumes. Brokers sell verified footholds to ransomware-as-a-service affiliates, who then execute the final stage of the attack. This division of labor compresses the time between initial network compromise and a ransomware event, because affiliates purchase proven access rather than establishing it themselves.
The campaign aligns with a broader pattern across the threat landscape: financially motivated actors systematically converting misconfigured perimeter devices into a commodity supply of network access. At the scale FortiBleed operated, every organization with an exposed, weakly authenticated FortiGate became a potential line item in an access marketplace.
What It Means for the Security Leader
FortiBleed demonstrates that perimeter devices operating without multi-factor authentication are not hardened assets. The attack required no sophisticated exploit chain. It required only that management interfaces were internet-accessible and that credential hygiene was insufficient. The credentials harvested can enable attackers to authenticate as legitimate administrators and pivot deeply into internal networks before detection tools generate meaningful alerts.
For organizations whose FortiGate devices were, or may have been, internet-exposed over the past six months, assuming credential compromise is the prudent starting point for response planning. Waiting for a confirmed indicator of compromise before acting is a strategy that advantages attackers, not defenders.
The persistence of hashed credentials from prior firmware versions is a particular concern. Operators who believe they have already rotated credentials may be working from an incomplete picture of their exposure.
Recommended Actions
Arctic Wolf recommends the following immediate steps for organizations with internet-facing FortiGate deployments:
- Terminate all active SSL VPN and administrative sessions immediately and invalidate existing tokens.
- Reset every administrative and VPN credential regardless of whether exposure has been confirmed.
- Enable phishing-resistant multi-factor authentication on all administrative accounts and SSL VPN access.
- Restrict the management interface to a dedicated jump host on a segmented management VLAN, removing it from direct internet accessibility.
- On FortiOS 7.6.x, enable the login-lockout-upon-weaker-encryption setting; on 7.2.x and 7.4.x, enable login-lockout-upon-downgrade to prevent hash-downgrade attacks.
- Review 90 days of VPN session logs for unexpected geographic origination patterns that may indicate unauthorized access.
- Audit configuration export events from the past six months and treat any export as a potential source of stolen credential material.
- Hunt for anomalous outbound SSH data transfers and for unusual Active Directory enumeration activity originating from VPN IP pools.
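As an added example (not Arctic Wolf's tooling or code from this article), the 90-day VPN log review in the list above can be scripted: the FortiGate-style key=value log lines, the prefix-to-country table standing in for a real GeoIP lookup, and the expected-country list are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate-style key=value syslog form (not real logs).
SAMPLE_LOGS = """\
date=2026-06-10 time=09:12:44 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=198.51.100.23
date=2026-06-10 time=09:40:02 type="event" subtype="vpn" action="tunnel-up" user="jdoe" remip=203.0.113.77
date=2026-06-10 time=22:15:09 type="event" subtype="vpn" action="tunnel-up" user="asmith" remip=198.51.100.40
date=2026-06-11 time=03:02:51 type="event" subtype="vpn" action="tunnel-up" user="admin" remip=192.0.2.9
""".splitlines()

# Placeholder GeoIP table keyed by /24 prefix; use a real lookup (e.g. MaxMind) in practice.
GEO_BY_PREFIX = {"198.51.100": "US", "203.0.113": "RU", "192.0.2": "IN"}
EXPECTED_COUNTRIES = {"US"}   # assumption: where this org's workforce normally connects from
TRAVEL_WINDOW_H = 4           # two countries inside this window is treated as impossible travel

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from quoted values."""
    return {k: (q if v.startswith('"') else v) for k, v, q in KV_RE.findall(line)}

def country_for(ip):
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0], "??")

def find_suspicious_logins(lines):
    """Return {user: [reasons]} for VPN tunnel-ups from unexpected or rapidly changing countries."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue
        ts = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
        events[rec["user"]].append((ts, country_for(rec["remip"]), rec["remip"]))
    findings = defaultdict(list)
    for user, evs in events.items():
        evs.sort()
        for ts, cc, ip in evs:
            if cc not in EXPECTED_COUNTRIES:
                findings[user].append(f"login from unexpected country {cc} ({ip}) at {ts}")
        for (t1, c1, _), (t2, c2, _) in zip(evs, evs[1:]):
            if c1 != c2 and (t2 - t1).total_seconds() <= TRAVEL_WINDOW_H * 3600:
                findings[user].append(f"{c1} -> {c2} within {t2 - t1}; impossible travel")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in find_suspicious_logins(SAMPLE_LOGS).items():
        print(user, *reasons, sep="\n  ")
```

Point the script at the exported session log and pair each flagged user with the credential reset and session termination steps above; the country allowlist and travel window are tuning knobs, not fixed thresholds.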
Source: Arctic Wolf