
FortiBleed Attack Hit 430,000+ FortiGate Firewalls, Stealing 110M+ Credentials


· Jun 24, 2026 · 3 min read

A large-scale, ongoing credential-harvesting campaign dubbed “FortiBleed” has silently compromised more than 430,000 FortiGate firewalls globally, siphoning over 110 million credentials directly from live network traffic since at least February 2026.

The campaign came to light after security researcher Volodymyr “Bob” Diachenko discovered an exposed directory on 85.11.187[.]8:9999.

FortiBleed is not a single intrusion; it is a sustained, industrialized credential collection operation in which threat actors turned enterprise-grade FortiGate firewalls into covert listening posts. Every FortiGate firewall sits at the boundary of a network, where it sees all authentication traffic passing through it.

The attackers exploited this privileged vantage point by abusing the built-in FortiOS diagnostic command diagnose sniffer packet to intercept and extract usernames, passwords, and password hashes from live traffic in real time, without triggering perimeter alarms.

The operation, tracked by SOCRadar’s Threat Research Unit, has been active since at least February 2026 and is attributed to a financially motivated initial access broker (IAB) with a likely Russian‑language origin, potentially selling access to ransomware or state‑aligned groups.

New FortiGateSniffer Tool

At the heart of the operation is a custom-built Golang tool called FortiGateSniffer, designed to monitor 24 network protocols simultaneously and parse authentication data from intercepted network flows.

The tool is driven through FortiOS’s own diagnostic command interface, effectively weaponizing a legitimate administrative feature against the organizations it was meant to protect. Notably, parts of the attack workflow appear to be assisted by an AI-powered autonomous penetration testing agent, marking a significant escalation in adversarial automation.

Approximately 66% of victims have fewer than 200 employees, and 89.5% report under $100M in annual revenue, confirming this is mass opportunistic exploitation targeting organizations large enough to run FortiGate infrastructure but rarely staffed to detect such a compromise.

Victims span the United States, India, and other regions, with exposure ranging from sub-100-million-dollar companies to Fortune Global 500 enterprises.

At the time of SOCRadar analysis, more than 80,553 FortiGate devices and 23,406 unique domains were implicated, with active sniffing still observed on over 19,000 firewalls.

Attackers’ Infrastructure Diagram (source: SOCRadar)

The infrastructure also includes a distributed GPU password‑cracking cluster orchestrated with Hashtopolis and a custom Telegram bot, highlighting the industrial scale of the operation.

Five‑Phase FortiBleed Attack Chain

SOCRadar researchers identified that FortiBleed follows a methodical five-phase attack chain, blending mass automation with targeted exploitation.

FortiBleed five-stage attack chain (source: SOCRadar)

Credential Sourcing & Recon: Attackers use leaked credentials, custom wordlists, and internet scanning tools to identify exposed FortiGate devices and profile targets.

Initial Access: Automated tools pair discovered hosts with credentials to target FortiGate, Synology, and MSSQL services, validating access opportunities.

Traffic Harvesting: After gaining SSH access, a custom FortiGate sniffer captures sensitive traffic and extracts credentials and authentication hashes.

Credential Exploitation: Stolen hashes are cracked and used for Active Directory enumeration, privilege escalation, and credential reuse.

Data Exfiltration: Attackers steal data from SMB/DFS shares and replay captured web cookies to hijack authenticated sessions and maintain persistent access.

The campaign is global, with no single dominant region, though India (11.4%) and the United States (10.1%) lead by affected domains, followed by Taiwan, Mexico, Turkey, the UAE, and Malaysia. South and Southeast Asia collectively account for approximately 27% of affected domains.

Top 15 countries by affected domains (source: SOCRadar)

Defenders are urged to immediately rotate FortiGate‑related VPN and admin credentials, enforce multi‑factor authentication, and remove management interfaces from direct internet exposure.

Organizations should also search logs and telemetry for FortiBleed infrastructure indicators, FortiGateSniffer artifacts, anomalous RADIUS/NTLM/Kerberos activity, and suspicious SSH access to FortiGate devices, while hardening detection around gateway‑level network sniffing and large‑scale credential harvesting.
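As an added illustration of the two hunts above (suspicious SSH access to the firewall and invocation of the packet sniffer), the following script is example code written for this page, not part of the article or of SOCRadar's research. It parses FortiOS-style key=value event log lines, flags SSH administrator sessions whose source is outside an allow-list of management networks, and flags any CLI audit entry that runs diagnose sniffer packet. The log lines are constructed samples in the generic FortiOS layout (no real logid values are used), the trusted network list is an assumption, and the script assumes the firewall is configured to log administrator CLI commands so that such entries exist to search.

```python
"""Detection sketch for gateway-level sniffing (added example, not from the article).

Assumptions (not from the page):
  * Logs are in the FortiOS key=value layout; sample lines below are constructed.
  * The firewall logs administrator CLI commands, so sniffer use appears in 'msg'.
  * TRUSTED_ADMIN_NETS lists the only networks that should ever SSH to the firewall.
"""
import ipaddress
import re

# Constructed sample log lines: an unexpected SSH login that starts the packet
# sniffer, followed by routine work from an expected management host.
SAMPLE_LOGS = """\
date=2026-03-02 time=03:14:07 type="event" subtype="system" user="admin" ui="ssh(203.0.113.45)" action="login" status="success" msg="Administrator admin logged in successfully from ssh(203.0.113.45)"
date=2026-03-02 time=03:14:22 type="event" subtype="system" user="admin" ui="ssh(203.0.113.45)" action="run" msg="User admin ran command: diagnose sniffer packet any"
date=2026-03-02 time=09:02:11 type="event" subtype="system" user="netops" ui="ssh(10.20.0.15)" action="login" status="success" msg="Administrator netops logged in successfully from ssh(10.20.0.15)"
date=2026-03-02 time=09:05:40 type="event" subtype="system" user="netops" ui="ssh(10.20.0.15)" action="run" msg="User netops ran command: get system status"
"""

# Assumed management networks; anything else reaching the firewall over SSH is suspicious.
TRUSTED_ADMIN_NETS = ["10.20.0.0/24"]

# key=value pairs, where the value is either a double-quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# FortiOS records the admin access method and source as e.g. ui="ssh(1.2.3.4)"
UI_SSH_RE = re.compile(r"^ssh\(([^)]+)\)$")


def parse_fortios_line(line):
    """Split one FortiOS-style log line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        quoted, bare = m.group(3), m.group(4)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields


def ssh_source(fields):
    """Return the source address of an SSH admin session, or None if not SSH."""
    m = UI_SSH_RE.match(fields.get("ui", ""))
    return m.group(1) if m else None


def in_trusted(ip_text, trusted_nets):
    """True if ip_text is a valid address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted_nets)


def analyze(lines, trusted_admin_nets):
    """Return one finding per log line that trips at least one detection rule."""
    nets = [ipaddress.ip_network(n) for n in trusted_admin_nets]
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        f = parse_fortios_line(raw)
        rules = []
        src = ssh_source(f)
        # Rule 1: SSH administration from outside the management allow-list.
        if src is not None and not in_trusted(src, nets):
            rules.append("ssh_admin_from_untrusted_source")
        # Rule 2: the packet sniffer was started; flag regardless of source,
        # since legitimate use on a production gateway should be rare and ticketed.
        if "diagnose sniffer packet" in f.get("msg", "").lower():
            rules.append("packet_sniffer_invoked")
        if rules:
            findings.append({
                "time": f"{f.get('date')} {f.get('time')}",
                "user": f.get("user"),
                "src": src,
                "rules": rules,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS.splitlines(), TRUSTED_ADMIN_NETS):
        print(finding)
```

Run against the constructed sample, the script reports the 03:14 session twice: once for the SSH login from 203.0.113.45 and once for the sniffer command, while the netops session from the trusted range produces nothing. In a real deployment the same two rules map naturally onto SIEM correlation searches over forwarded FortiGate event logs, and the second rule is worth alerting on even when the source is trusted.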

Source: CybersecurityNews.com
