A large-scale, ongoing credential-harvesting campaign dubbed \u201cFortiBleed\u201d<\/a> has silently compromised more than 430,000 FortiGate firewalls globally, siphoning over 110 million credentials directly from live network traffic since at least February 2026.<\/p>\n The campaign came to light after security researcher Volodymyr \u201cBob\u201d Diachenko discovered an exposed directory on 85.11.187[.]8:9999.<\/p>\n FortiBleed is not a single intrusion; it is a sustained, industrialized credential collection operation in which threat actors turned enterprise-grade FortiGate firewalls into covert listening posts. Every FortiGate firewall sits at the boundary of a network, where it sees all authentication traffic passing through it.<\/p>\n The attackers exploited this privileged vantage point by abusing a native FortiOS built-in diagnostic command The operation, tracked by SOCRadar\u2019s Threat Research Unit, has been active since at least February 2026 and is attributed to a financially motivated initial access broker (IAB) with a likely Russian\u2011language origin, potentially selling access to ransomware or state\u2011aligned groups.<\/p>\n At the heart of the operation is a custom-built Golang tool called FortiGateSniffer<\/a>, designed to monitor 24 network protocols simultaneously and parse authentication data from intercepted network flows.<\/p>\n The tool is driven through FortiOS\u2019s own diagnostic command interface, effectively weaponizing a legitimate administrative feature against the organizations it was meant to protect. Notably, parts of the attack workflow appear to be assisted by an AI-powered autonomous penetration testing agent, marking a significant escalation in adversarial automation.<\/p>\n Approximately 66% of victims have fewer than 200 employees, and 89.5% report under $100M in annual revenue, confirming this is mass opportunistic exploitation targeting organizations large enough to run FortiGate infrastructure but rarely staffed to detect such a compromise.<\/p>\n Victims span the United States, India, and other regions, with exposure ranging from sub-100-million-dollar companies to Fortune Global 500 enterprises.<\/p>\n At the time of SOCRadar analysis<\/a>, more than 80,553 FortiGate devices and 23,406 unique domains were implicated, with active sniffing still observed on over 19,000 firewalls.<\/p>\n The infrastructure also includes a distributed GPU password\u2011cracking cluster orchestrated with Hashtopolis and a custom Telegram bot<\/a>, highlighting the industrial scale of the operation.<\/p>\n SOCRadar researchers identified<\/a> that FortiBleed follows a methodical five-phase attack chain, blending mass automation with targeted exploitation.<\/p>\n Credential Sourcing & Recon:<\/strong> Attackers use leaked credentials, custom wordlists, and internet scanning tools to identify exposed FortiGate devices and profile targets.<\/p>\n Initial Access:<\/strong> Automated tools pair discovered hosts with credentials to target FortiGate, Synology, and MSSQL services, validating access opportunities.<\/p>\n Traffic Harvesting:<\/strong> After gaining SSH access, a custom FortiGate sniffer captures sensitive traffic and extracts credentials and authentication hashes.<\/p>\n Credential Exploitation:<\/strong> Stolen hashes are cracked and used for Active Directory enumeration<\/a>, privilege escalation, and credential reuse.<\/p>\n Data Exfiltration:<\/strong> Attackers steal data from SMB\/DFS shares and replay captured web cookies to hijack authenticated sessions and maintain persistent access.<\/p>\n The campaign is global, with no single dominant region, though India (11.4%) and the United States (10.1%) lead by affected domains, followed by Taiwan, Mexico, Turkey, the UAE, and Malaysia. South and Southeast Asia collectively account for approximately 27% of affected domains.<\/p>\n Defenders are urged to immediately rotate FortiGate\u2011related VPN and admin credentials, enforce multi\u2011factor authentication and remove management interfaces from direct internet exposure.<\/p>\n Organizations should also search logs and telemetry for FortiBleed infrastructure indicators, FortigateSniffer artifacts, anomalous RADIUS\/NTLM\/Kerberos activity and suspicious SSH access to FortiGate devices, while hardening detection around gateway\u2011level network sniffing and large\u2011scale credential harvesting.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post FortiBleed Attack Hit 430,000+ FortiGate Firewalls, Stealing 110M+ Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\ndiagnose sniffer packet<\/code> to intercept and extract usernames, passwords, and password hashes from live traffic in real time, without triggering perimeter alarms.<\/p>\nNew FortiGateSniffer Tool<\/strong><\/h2>\n
![\"Attackers\u2019](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhxIU1QO6u6DxlQS1HqIlab5T37R_f3we1x8dUyheu-TZT_16n_FFO4tZInDbK8vZLJTeq2KY_8p9MdNg-XRV8nD4wf6naf44ncxEGxMW5DyMl_XsDHT97ZC_XStJJip7jADl3Y_VDfbdBxPVZMbBENZIFB_6V-mtzwHobHFIIxV3swPDIrmIPJNKelQx4\/s1600\/Screenshot%25202026-06-24%2520114001%2520%25281%2529.webp?ssl=1\")
Five\u2011Phase FortiBleed Attack Chain<\/strong><\/h2>\n
![\"FortiBleed](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh7iaTCTC_IBNckHYJGnHtLDhPyMgK_HMC2bYO0-LV2rBQVJhCpqJeG2spx1XKDYOmdeEEGHsUIw78LhXakBZR-oA-Z5NWdJE3OOi-nHkm09gPW4aZkdHa6ZvJ2S9LOdByMCONwIN0MrsbgJ-Ojo3SBljgUdCBrzHYMTdNEvlG1qDX6RYSFZz_BmHcTvg0\/s1600\/Screenshot%25202026-06-24%2520113738%2520%25281%2529.webp?ssl=1\")
![\"Top](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj-OibsXEwexndVIue7oTSAryh3R6Xs_czQwFHEq7G4pJuNCcd50v7dfNu0PaaWUA6eyULymoX107sGrK_xzDjJO7nG88gzpVbqocqS7CLE4AwKle58HUjH9oVu5s_0MJNwlS1humSHMa4AX77Oku4JIr5yhVb7CvAPwWa6AlYPqztoyxC2eEAY3rcvOOU\/s1600\/Screenshot%25202026-06-24%2520114135%2520%25281%2529.webp?ssl=1\")