When the FortiBleed campaign first surfaced in mid-June, the headline number was alarming enough: valid administrative and SSL VPN credentials for roughly 73,932 FortiGate firewalls across 194 countries, uncovered by researcher Volodymyr "Bob" Diachenko. We covered that initial disclosure in our report on FortiBleed exposing credentials for nearly 74,000 Fortinet firewalls. New analysis says that figure was the tip of the iceberg.

According to research published by SOCRadar and reported by Dark Reading and SC Media, FortiBleed is not a single credential dump; it is a sustained, industrialized harvesting operation that has silently compromised more than 430,000 FortiGate firewalls worldwide and siphoned over 110 million credentials directly out of live network traffic since at least February 2026. The story did not get smaller on closer inspection. It got an order of magnitude larger.

Turning the Firewall Into a Listening Post

The brilliance, and the danger, of FortiBleed is its abuse of where a firewall sits. Every FortiGate device lives at the boundary of a network, the chokepoint through which authentication traffic flows. Whoever controls that device gets a front-row seat to credentials in motion.

The attackers exploited that vantage point using a native FortiOS diagnostic command, diagnose sniffer packet, to intercept and extract usernames, passwords, and password hashes from live traffic in real time. SOCRadar identified the Golang-based tool driving the operation, dubbed FortigateSniffer, which, in the firm's words, "turns compromised firewalls into passive credential collectors across 24 authentication protocols."

That phrase is the whole story. This is not smash-and-grab. A compromised FortiGate does not crash, encrypt files, or announce itself. It quietly listens, decoding authentication across two dozen protocols, and forwards the harvest to its operators. The device keeps doing its job as a firewall while moonlighting as a wiretap, which is precisely why the campaign ran for months before its true scale came into focus.

A Five-Phase, Industrialized Operation

SOCRadar laid out the full attack chain, and it reads like a mature offensive program rather than an opportunistic intrusion. The campaign moves through five phases:

  1. Reconnaissance: identifying internet-exposed FortiGate devices at scale.
  2. Initial access: gaining a foothold on the firewall.
  3. Network sniffing: deploying FortigateSniffer to passively collect credentials from live traffic.
  4. Password cracking and lateral movement: turning harvested hashes into usable credentials and pivoting deeper into victim networks.
  5. Exfiltration: pulling the stolen credentials out to attacker-controlled infrastructure.

The progression from a single compromised edge device to lateral movement is the part defenders should fixate on. A firewall is not just one more endpoint; it is a position of trust at the network perimeter. Credentials captured there are not limited to the firewall itself; they include the logins of every user and service whose authentication traffic crossed that boundary. One compromised FortiGate becomes a skeleton key to the network behind it.

Who Is Behind It

Attribution is not yet definitive, but the signal is strong. SOCRadar notes that tooling comments associated with the campaign use the Cyrillic alphabet, leading researchers to assess the perpetrators are likely Russian. That is a soft indicator rather than hard proof (comments can be planted as a false flag), but combined with the scale, sophistication, and patience of the operation, it points to a well-resourced actor running this as a long-term credential-harvesting program rather than a quick payday.

A pool of 110 million credentials is not a ransom target. It is raw material: fuel for credential stuffing, initial-access brokering, espionage, and follow-on intrusions that may not surface for months or years. The value of FortiBleed is not in any single breach; it is in the standing inventory of valid logins it has built across 194 countries and tens of thousands of domains.

Why Edge Devices Keep Becoming the Battleground

FortiBleed is the latest and largest entry in a pattern we have tracked all year: attackers are relentlessly targeting the security appliances that sit at the network edge. Firewalls, VPN concentrators, and gateways are attractive precisely because of their privileged position and because they are often under-monitored: organizations watch their endpoints and servers closely while treating the firewall as a trusted black box.

The exposure has been visible for weeks in adjacent reporting. We documented the secondary market forming around these devices in our coverage of FortiGate firewall access being sold for some 74,000 devices, where compromised access was packaged and sold to other criminals. FortiBleed shows what that access enables at scale when an actor chooses to harvest rather than resell.

What Organizations Must Do Now

If you run FortiGate firewalls, treat them as potentially compromised until proven otherwise. The defensive priorities are clear and urgent:

  • Rotate all credentials tied to Fortinet VPN and administrative interfaces. Any credential that traversed a FortiGate during the campaign window (February 2026 onward) should be considered exposed.
  • Enforce multi-factor authentication on VPN and admin access, so harvested passwords alone do not grant entry.
  • Remove FortiGate management interfaces from direct internet exposure. Management planes should never be reachable from the open internet.
  • Hunt in your logs. Review gateway and authentication logs for unauthorized use of the diagnose sniffer packet command, unexpected processes on the device, and anomalous outbound connections that could indicate exfiltration.
  • Assume lateral movement. If a firewall was compromised, the credentials it captured may already have been used elsewhere in your environment. Scope your investigation beyond the device itself.
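The log-hunting step above can be turned into a small, repeatable check. The script below is an added example written for this article, not tooling from SOCRadar or Fortinet: it parses key=value event lines (the sample lines, field names and trusted management network are constructed assumptions in a simplified FortiOS-style format) and flags any use of the diagnose sniffer packet command plus any admin session that originates outside the expected management networks.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in a simplified FortiOS-style key=value syslog
# format (not real captures; field names are assumptions for this example).
SAMPLE_LOGS = [
    'date=2026-03-04 time=02:13:41 type="event" subtype="system" level="notice" '
    'user="admin" ui="ssh(203.0.113.7)" msg="diagnose sniffer packet any \'tcp port 389 or tcp port 88\' 3 0 a"',
    'date=2026-03-04 time=02:14:02 type="event" subtype="system" level="notice" '
    'user="admin" ui="ssh(203.0.113.7)" msg="execute ping 10.0.0.1"',
    'date=2026-03-04 time=09:00:12 type="event" subtype="system" level="information" '
    'user="netops" ui="GUI(10.0.5.20)" msg="config firewall policy"',
    'date=2026-03-04 time=10:41:19 type="event" subtype="system" level="notice" '
    'user="netops" ui="ssh(10.0.5.20)" msg="diagnose sniffer packet port1 \'port 1812\' 6 0"',
]

# Management networks from which admin sessions are expected (assumed value).
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UI_IP_RE = re.compile(r'\((\d{1,3}(?:\.\d{1,3}){3})\)')


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict, honouring double-quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def session_ip(fields: Dict[str, str]) -> Optional[ipaddress.IPv4Address]:
    """Extract the source IP from a ui field such as ssh(203.0.113.7)."""
    match = UI_IP_RE.search(fields.get("ui", ""))
    return ipaddress.ip_address(match.group(1)) if match else None


def hunt(lines: Iterable[str], trusted_nets=TRUSTED_MGMT_NETS) -> List[Dict[str, object]]:
    """Return one finding per suspicious line, tagged with every reason it matched."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        reasons = []
        if fields.get("msg", "").lower().startswith("diagnose sniffer packet"):
            reasons.append("sniffer_command")          # packet capture run on the firewall
        ip = session_ip(fields)
        if ip is not None and not any(ip in net for net in trusted_nets):
            reasons.append("untrusted_admin_source")   # admin session from outside mgmt nets
        if reasons:
            findings.append({"time": fields.get("time"), "user": fields.get("user"),
                             "ip": str(ip) if ip else None, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding)
```

Any sniffer invocation that is not tied to a ticketed troubleshooting session, and any admin login from outside the management network, is worth treating as a lead rather than noise.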

The Bottom Line

The most sobering thing about FortiBleed is how quiet it was. For months, more than 430,000 firewalls did exactly what their owners expected (filtered traffic, terminated VPNs, guarded the perimeter) while simultaneously feeding 110 million credentials to an external operator. There was no ransom note, no downtime, no obvious tell. The initial 73,932-device disclosure was not an overstatement that later deflated; it was an undercount that grew nearly sixfold on closer analysis.

That trajectory should reset expectations. When a campaign weaponizes the device that sees all of your authentication traffic, the breach is not at the door; it is the door. Organizations that have not yet rotated their Fortinet credentials and pulled their management interfaces off the internet should treat that work as overdue, not optional.
