FortiBleed: 11,000 Fortinet Firewalls Still Compromised, Now Tied to INC and Lynx Ransomware
Researchers say the same crew that hoarded credentials from hundreds of thousands of Fortinet firewalls has been sitting inside the negotiation panels of two major ransomware gangs.

Key points
- A credential-theft campaign known as FortiBleed hit more than 430,000 Fortinet firewalls worldwide, according to SOCRadar research published this month.
- Around 19,000 devices had traffic-sniffing malware installed; roughly 11,000 remain compromised after victim notifications.
- SOCRadar says operators of the campaign also logged into the ransomware negotiation panels used by the INC and Lynx gangs.
- Investigators estimate the crew has about 20 members with defined roles and runs some 500 servers.
- The attackers are believed to have used an unpatched flaw in Nextcloud, the popular file-sharing software, to widen their access.
The hackers behind FortiBleed did not just steal logins. They appear to be the same people running ransomware attacks against the victims those logins belong to.
That is the finding from SOCRadar's Threat Research Unit, which has been unpicking the campaign since a server holding credentials from more than 73,000 Fortinet devices was found sitting open on the public internet earlier this month. Fortinet makes the firewalls and VPN gear — the network gatekeeping equipment — used by tens of thousands of companies and government offices.
The exposed server held configuration files pulled from FortiGate firewalls, harvested usernames and passwords, and the tools used to crack password hashes and try those credentials against other systems.
Investigators dubbed the operation FortiBleed because of the sheer volume.
Who is actually behind this?
SOCRadar says the crew is directly linked to two ransomware-as-a-service operations: INC Ransom and Lynx. Ransomware-as-a-service means the gang rents out its file-locking malware to affiliates, who share the profits from extorted victims.
The evidence, according to SOCRadar, came from a Windows server that was part of FortiBleed's own infrastructure. When researchers examined it, they found browser sessions logged into the private negotiation dashboards used by both INC and Lynx to chat with victims about ransom payments.
"During the investigation of that server, analysis of the collected artifacts revealed that the threat actor had accessed the ransomware negotiation panels of both the Lynx / INC ransomware group," SOCRadar told BleepingComputer, which first reported the link.
Screenshots reviewed by researchers show victim chat panels open in the same browser sessions used to run FortiBleed. SOCRadar also says some organisations whose data was harvested during FortiBleed later appeared on INC's public leak site — the shame-list where ransomware gangs publish stolen files to pressure victims into paying.
Lynx, which surfaced in mid-2024, is widely believed by security researchers to be a rebrand of INC rather than a separate group. INC has been active since 2023 and has hit hospitals, schools and government bodies.
How did they get so many firewalls?
The attackers installed a custom traffic-sniffing tool called FortiGate Sniffer on compromised firewalls. A sniffer quietly copies data as it flows through the device, so every VPN login typed by a remote worker was captured in plain sight.
SOCRadar puts the reach at roughly 19,000 firewalls sniffed and 430,000 probed. After the company began notifying victims, the number of still-compromised devices dropped to around 11,000. That is 11,000 organisations whose network entry points may still be leaking credentials as you read this.
Investigators also found persistent backdoor accounts named "adminin" left on compromised systems, and evidence the crew used an unknown flaw in Nextcloud to expand access once inside. Technical details of that flaw have not yet been published.
What affected organisations should do
If you run FortiGate equipment, treat any device that was internet-exposed during 2024 as suspect. Rotate every credential that has ever touched it, including VPN accounts, admin logins and any shared service accounts. Check user lists for the name "adminin" or other accounts you did not create. Pull configuration backups and diff them against known-good copies.
End users whose employers use Fortinet VPNs should expect a password reset request. Take it seriously when it arrives.



