For three weeks, the biggest open question about FortiBleed was not how it worked — that was documented in painful detail — but who was cashing in. Now we know. An operational security failure on the attackers’ own infrastructure has directly linked the credential-harvesting campaign that compromised more than 430,000 Fortinet firewalls to two of the most active ransomware-as-a-service operations running today: INC Ransom and Lynx.

The smoking gun, according to research published by SOCRadar and corroborated in reporting from Cybersecurity Dive, SecurityWeek, and Dark Reading, was almost embarrassingly simple: a member of the initial access broker crew behind FortiBleed was found logged into the affiliate negotiation panels of both ransomware operations — at the same time, from infrastructure tied to the campaign.

The campaign we have tracked since June 17 now has names attached.

The Server That Talked

The break came from an exposed server that functioned as the operation’s staging and coordination hub. When researchers got a look inside, they found the full anatomy of an industrialized intrusion business: target inventories, harvested credential data, automation scripts, configuration files, and the operational artifacts of a crew coordinating large-scale credential harvesting against internet-facing network appliances.

Among those artifacts sat the session evidence tying an operator to active logins on the affiliate panels of both INC Ransom and Lynx. Affiliate panels are the members-only dashboards where ransomware-as-a-service partners manage victims, negotiations, and payouts. You do not end up authenticated to two of them by accident. It is the digital equivalent of a burglar being photographed holding the keys to two different fencing operations.

For threat intelligence teams, this is the rare case where attribution is not inferred from tooling overlap or shared infrastructure quirks — it is observed directly. The initial access broker feeding FortiBleed credentials into the criminal ecosystem is working, hands-on, with at least two named ransomware brands.

A Twenty-Person Business, Not a Lone Wolf

The exposed server also gave researchers an unusually clear view of the organization itself. SOCRadar assesses the FortiBleed operation as an initial access broker (IAB) crew of roughly 20 people with an organized internal structure — a division of labor spanning reconnaissance, exploitation, credential processing, and sales.

Tooling, logs, and working hours point to a Russian-speaking actor, consistent with the Cyrillic-language tooling comments we noted in our earlier coverage of the campaign’s true 430,000-firewall scale. Targeting data recovered from the server shows deliberate focus rather than opportunistic spray: manufacturing, technology, and logistics organizations, concentrated in Latin America and the Asia-Pacific region.

The technical playbook remains what made FortiBleed infamous. The crew’s custom Golang tool, FortigateSniffer, abuses FortiOS’s native diagnose sniffer packet diagnostic command to passively intercept authentication traffic across two dozen protocols — turning each compromised firewall into a wiretap at the network boundary. SSL VPN authentication hashes intercepted from targeted firewalls were fed into a 45-GPU cracking cluster, and the resulting plaintext credentials were used to gain admin-level access and establish persistence inside victim Active Directory environments.

That is the full supply chain of modern ransomware in a single operation: harvest at the edge, crack at scale, escalate to domain admin, then hand the keys to whoever pays.

From Stolen Hashes to Encrypted Networks

The attribution matters because it closes the loop between credential theft and real-world damage. Researchers have now tied at least 12 ransomware deployments to access derived from FortiBleed credentials, with hundreds of endpoints encrypted across the affected organizations.

Both beneficiaries are established players. INC Ransom has been a persistent presence in healthcare, government, and industrial victim listings since 2023. Lynx — widely assessed as a successor to the INC codebase — has built a steady victim cadence across manufacturing and professional services. The overlap between the two brands has long been suspected at the code level; FortiBleed now demonstrates overlap at the operational level, with a single access broker feeding both pipelines.

This is how the ransomware economy actually functions in 2026. The people who break in are not the people who encrypt. The IAB model means a single upstream compromise — one campaign against one vendor’s firewalls — fans out into dozens of downstream extortion events, spread across multiple ransomware brands, months after the original credential theft. Rotating a password in July does not help if the hash was cracked in March and the access already sold.

Three Weeks From Anomaly to Attribution

The velocity of this story is worth pausing on. When we first covered FortiBleed on June 17, it looked like a massive but conventional credential exposure affecting roughly 74,000 Fortinet firewalls. Within a day, we documented access to those devices being actively sold on criminal markets. By June 30, SOCRadar’s analysis had exploded the scope to 430,000 compromised firewalls and over 110 million harvested credentials.

Now, barely a week later, the campaign has confirmed ransomware outcomes and named beneficiaries. Each revision of the story has made it worse, and there is no reason to believe this is the final chapter — a 110-million-credential inventory does not get exhausted by 12 deployments. The access sold to INC and Lynx affiliates is a fraction of what the crew is holding.

What Defenders Should Take From This

The defensive guidance from our earlier coverage stands, but the attribution sharpens the stakes:

  • Assume ransomware, not just credential theft. If your organization runs FortiGate devices that were exposed during the campaign window (February 2026 onward), the realistic threat model is now an INC Ransom or Lynx affiliate holding cracked admin credentials — not a hypothetical future buyer.
  • Hunt for Active Directory persistence. The crew’s pattern is admin-level access and durable AD footholds. Credential rotation alone does not evict an attacker who has already planted persistence mechanisms.
  • Prioritize by sector and geography. Manufacturing, technology, and logistics organizations in Latin America and APAC should treat FortiBleed exposure as an active incident, not a patching exercise.
  • Watch the affiliate ecosystems. INC Ransom and Lynx victim listings over the coming weeks will likely include organizations whose only mistake was an internet-facing FortiGate in the wrong quarter.

One exposed staging server turned FortiBleed from an abstraction into an indictment. The attackers’ infrastructure told the story their victims could not — and it says the encryption phase of this campaign is just getting started.

Sources