1.16 billion attacks: how the FortiBleed crew broke FortiGate

By Ransomnews Research Team, June 19, 2026 (updated June 19, 2026). 7 min read.

FortiBleed is not just a leak, it is an operation. A multi-operator crew has been running industrial-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide. The numbers are not subtle: 1.16 billion login attempts against 320,777 FortiGate targets, 2.1 billion more against 163,650 MSSQL servers, intercepted hashes cracked on a 45-GPU cluster, and live VPN sessions hijacked to pivot straight into Active Directory. This is the attack chain, the infrastructure behind it, and what it means for defenders.

[Figure: FortiBleed operation statistics. 1.16 billion FortiGate attempts, 2.1 billion MSSQL attempts, 45 GPUs, 4 organisations fully compromised.]

How the operation surfaced

The crew’s own infrastructure gave it away. Security researcher Volodymyr “Bob” Diachenko of SecurityDiscovery.com surfaced the operation in June 2026 after spotting exposed working files and a live hash-cracking server reachable on the open internet. What he found was not a single dump but a running production line: thousands of top-vendor appliance instances listed with potentially working passwords, from Chevron to Fortinet itself, all obtained by brute-forcing and then cracking the credentials out of FortiGate configurations.

That working set is the same body of data we parsed for the FortiBleed investigation: tens of thousands of FortiGate devices with cracked administrator credentials in circulation. This piece is about the machine that produced it.

The attack chain, step by step

The operation runs as a clean, repeatable pipeline. Each stage feeds the next, and the whole thing is built for scale rather than stealth.

[Figure: FortiBleed FortiGate operation, 10-step attack chain flowchart mapped to MITRE tactics.]

Reconnaissance and brute force. The crew mass-scans 320,777 FortiGate /remote/login endpoints and more than 247,000 Sophos /userportal endpoints. FortiGate logins are then sprayed with 3,639 base credential pairs across every target, 1.16 billion combinations in total, through a custom tool called forticheck running 25,000 threads. A parallel campaign hammers 163,650 MSSQL servers with 12,900 credentials each, 2.1 billion attempts at 50,000 threads.

Harvest and crack. Once inside reachable infrastructure, the operators drop network sniffers that scrape cleartext credentials out of HTTP, FTP, SMTP, POP3, IMAP, LDAP, SNMP, and Telnet traffic. Intercepted Kerberos and NTLM hashes are shipped to a 45-way NVIDIA RTX 4090 cracking cluster orchestrated through Hashtopolis. This is where the “cracked passwords out of FortiGate configs” part happens.

Intrusion and lateral movement. With valid credentials in hand, the crew pivots through the SSL VPN into internal networks and hijacks live FortiGate sessions by replaying captured session cookies through OpenConnect. From there it is standard Active Directory looting: dump AD over LDAP and SMB, exfiltrate fileshares, extract Kerberos ticket-granting tickets, and harvest Group Policy templates.

Operational security and target selection. Every action is executed from Kali Linux virtual machines sitting behind NAT, so the command-and-control server never touches a victim’s Active Directory directly. Targets are not random. They are ranked by revenue, with a top tier above 113 billion dollars, using open-source intelligence enrichment. Multiple operators work the same machines at once, coordinating live over shared tmux terminals.

What they did with the access

According to Diachenko’s investigation report, this is a Russian-speaking, multi-operator group, and at least four organisations were fully compromised: across Japan, Taiwan and Vietnam, Iraq, and Turkey. The most serious claim concerns a Turkish defence contractor with NATO ties whose classified defence documents were exfiltrated. Ransomnews has not independently verified the contents of those exfiltrations. We are reporting the investigator’s findings and the indicators that support them, and treating the attribution as his assessment rather than settled fact.

The infrastructure behind it

The operation’s back end was partly exposed, which is how it was caught. The structure below was surfaced in the investigation. We have anonymised the raw network identifiers, but the shape of the back end is instructive. The cracking server, tellingly, was left running on default credentials, the same opsec sloppiness the crew exploits in its victims.

Indicator: Detail

Operator handle: Telegram handle withheld; operator seen using a cloud IDE session tied to the C2.
C2 storage: Two hosts on the same hosting range (IPs withheld).
Hash-cracking server: Hashtopolis 0.14.3 exposed on port 8443, left on default credentials (IP withheld).
GPU agent nodes: Six cracking agents across multiple hosting providers (IPs withheld).
Operator egress (Kali VMs): Several NAT egress addresses across three subnets (withheld).
Tooling: forticheck (FortiGate brute force), Hashtopolis (hash cracking), OpenConnect (SSL VPN session replay).

Where the exposure landed

The working set that came out of this pipeline covers 73,932 exposed FortiGate devices across 21,613 organisations in 207 countries. The geography is not where most readers would guess. India leads on raw volume, and Latin American telecoms carry the densest fleets. Explore the full breakdown on the live map below.

[Interactive map: FortiBleed global exposure map, "Where the exposed firewalls are". Aggregated across the entire FortiBleed dataset, device counts only, no credentials. Panels: Organisations, Exposed devices, Countries, Industries; tables of exposed devices by country and by industry. Source: Ransomnews FortiBleed dataset, aggregate device counts, no passwords, usernames or IPs.]

Why this matters

Strip away the scale and the signature is clear: this is financially motivated cybercrime running like a factory, not a quiet espionage actor. The tells are everywhere. Internet-wide brute force at billion-combination scale is loud, the opposite of careful intelligence tradecraft. The tooling is commodity and open source. Targets are ranked by ability to pay, not by intelligence value. The end of the chain is Active Directory access and bulk fileshare theft, the exact raw material that feeds ransomware deployment, data extortion, or resale to affiliates.

It also lines up with what we found when we cross-referenced the FortiBleed working set against other data. In a random sample of exposed organisations, 88% also appeared in stealer-log or breach data and 38% had staff with active infostealer infections. Around 590 are already named on ransomware leak sites. An exposed FortiGate is rarely an isolated problem. It is one visible symptom of an organisation attackers have already found more than once.

What to do about it

If you run FortiGate, assume any internet-facing device is in scope. Take the management and SSL VPN interfaces off the public internet wherever possible. Rotate every administrator and local credential, then upgrade FortiOS and have admins sign back in to trigger the stronger credential-storage path. Enforce phishing-resistant MFA, and invalidate active VPN sessions so replayed cookies stop working. Because the infostealer overlap is so high, reset exposed employee credentials too, not just the firewall accounts. Watch for the tooling and tradecraft described above.
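The last of those steps, watching for the tradecraft, is the one most readers will want made concrete. Below is an added, defender-side example written for this piece; it is not code from the article, from Fortinet, or from the investigator. It scores SSL VPN login events per source address for the pattern the campaign produces: many failures spread across many usernames (spraying), many failures against one account (brute force), and the costly case of a success following a run of failures from the same source. The FortiOS-style `key="value"` fields `action`, `remip` and `user`, the action values `ssl-login-fail` and `tunnel-up`, and the sample log lines are all assumptions constructed for the example; map them to whatever your log export actually emits.

```python
"""Credential-spray and brute-force triage for FortiGate-style SSL VPN event logs.

Added example, not code from the Ransomnews article, Fortinet or the investigator.
Assumptions (adjust to your exporter): FortiOS-style key=value / key="value" lines,
the source address in `remip`, the account in `user`, failures logged as
action="ssl-login-fail" and a successful tunnel as action="tunnel-up".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Matches key="quoted value" or key=bare-value tokens on one log line.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample telemetry (documentation-range IPs, not real hosts).
SAMPLE_LOGS = [
    # 203.0.113.10: six failures across five accounts, then a success -> spray that landed
    'date=2026-06-18 time=01:02:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin"',
    'date=2026-06-18 time=01:02:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="vpnuser"',
    'date=2026-06-18 time=01:02:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="backup"',
    'date=2026-06-18 time=01:02:06 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="jsmith"',
    'date=2026-06-18 time=01:02:07 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="test"',
    'date=2026-06-18 time=01:02:08 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.10 user="admin"',
    'date=2026-06-18 time=01:02:09 type="event" subtype="vpn" action="tunnel-up" remip=203.0.113.10 user="jsmith"',
    # 198.51.100.7: a user mistypes twice then logs in -> benign
    'date=2026-06-18 time=08:15:00 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice"',
    'date=2026-06-18 time=08:15:20 type="event" subtype="vpn" action="ssl-login-fail" remip=198.51.100.7 user="alice"',
    'date=2026-06-18 time=08:15:45 type="event" subtype="vpn" action="tunnel-up" remip=198.51.100.7 user="alice"',
    # 203.0.113.55: five failures, all against "admin" -> single-account brute force
    'date=2026-06-18 time=03:00:01 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.55 user="admin"',
    'date=2026-06-18 time=03:00:02 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.55 user="admin"',
    'date=2026-06-18 time=03:00:03 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.55 user="admin"',
    'date=2026-06-18 time=03:00:04 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.55 user="admin"',
    'date=2026-06-18 time=03:00:05 type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.55 user="admin"',
]


def parse_fortigate_line(line: str) -> dict:
    """Parse one key=value / key="value" log line into a dict of strings."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


@dataclass
class SourceStats:
    failures: int = 0
    users: set = field(default_factory=set)
    success_after_failures: bool = False  # a tunnel came up after >=1 failure


def summarise_by_source(lines) -> dict:
    """Aggregate login outcomes per source address, preserving event order."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_fortigate_line(line)
        ip = rec.get("remip")
        if not ip:
            continue
        s = stats[ip]
        action = rec.get("action", "")
        if action == "ssl-login-fail":
            s.failures += 1
            s.users.add(rec.get("user", "?"))
        elif action == "tunnel-up" and s.failures > 0:
            s.success_after_failures = True
    return stats


def find_suspicious_sources(lines, min_failures=5, min_users=3) -> list:
    """Return sources whose failure volume crosses min_failures, classified as
    "spray" (failures across >= min_users accounts) or "brute-force" (few accounts),
    with a flag for a success that followed the failures. Sorted by failure count."""
    alerts = []
    for ip, s in summarise_by_source(lines).items():
        if s.failures < min_failures:
            continue
        alerts.append({
            "remip": ip,
            "failures": s.failures,
            "distinct_users": len(s.users),
            "kind": "spray" if len(s.users) >= min_users else "brute-force",
            "success_after_failures": s.success_after_failures,
        })
    return sorted(alerts, key=lambda a: -a["failures"])


if __name__ == "__main__":
    for alert in find_suspicious_sources(SAMPLE_LOGS):
        print(alert)
```

The thresholds are deliberately low so the sample triggers; in production, tune `min_failures` and `min_users` per window size, and treat any source flagged with `success_after_failures` as a session to terminate and an account to reset immediately, since a success at the end of a failure run is exactly the handoff point between the brute-force stage and the pivot described above.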

Check your domain in the FortiBleed Checker →

FAQ

What is the FortiBleed operation?

A multi-operator crew running large-scale credential harvesting against Fortinet FortiGate SSL VPN appliances worldwide: brute-forcing logins, cracking the credentials out of device configurations, and pivoting into internal networks. It produced a working set of tens of thousands of FortiGate devices with valid administrator credentials.

How big is it?

1.16 billion login attempts against 320,777 FortiGate targets, plus 2.1 billion attempts against 163,650 MSSQL servers. Hashes are cracked on a 45-way RTX 4090 cluster. The resulting dataset spans 73,932 exposed devices across 21,613 organisations in 207 countries.

Who is behind it?

Researcher Bob Diachenko assesses it as a Russian-speaking, multi-operator group. Operationally the signature is financially motivated cybercrime, an industrial access-broker or pre-ransomware pipeline, rather than a classic nation-state espionage actor.

Is the NATO contractor breach confirmed?

That claim comes from Diachenko’s investigation report, which states a Turkish defence contractor with NATO ties had classified documents exfiltrated. Ransomnews has not independently verified the exfiltrated contents and reports it as the investigator’s finding.

How do I check if my organisation is exposed?

Use the free FortiBleed Checker. Enter your domain for a device-level result plus a global exposure map and country and industry statistics. No passwords or IP addresses are ever shown.

What should I do if my domain is listed?

Take the management and VPN interfaces off the public internet, rotate all FortiGate and local credentials, upgrade FortiOS, enforce MFA, invalidate active VPN sessions, and reset exposed employee credentials flagged in stealer-log monitoring.

Sources

Operation details, attribution, and indicators: Volodymyr “Bob” Diachenko, SecurityDiscovery.com, investigation disclosed June 2026. FortiBleed working set parsed and aggregated by the Ransomnews Research Team. Credential, cookie, and breach overlap via the Alerts.bar exposure index. Ransomware victim corpus via ransomlook.io. Device, country, and industry statistics computed by Ransomnews from the FortiBleed dataset.

Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.
