A large-scale cyberattack known as ‘FortiBleed’ has infiltrated more than 430,000 FortiGate firewalls worldwide, extracting over 110 million credentials from live network traffic since February 2026. This extensive breach was uncovered when security expert Volodymyr ‘Bob’ Diachenko located an exposed directory at IP address 85.11.187[.]8:9999.
Global Reach of FortiBleed Campaign
The FortiBleed attack is a sustained effort that transforms enterprise-grade FortiGate firewalls into covert data collection tools. These firewalls, positioned at network boundaries, are exploited to capture all passing authentication traffic. Attackers utilized a built-in diagnostic command, ‘diagnose sniffer packet,’ in FortiOS to intercept and extract credentials from ongoing traffic without triggering security alerts.
Investigations by SOCRadar’s Threat Research Unit suggest the operation is driven by a financially motivated initial access broker, likely originating from Russian-language cybercriminal circles. The campaign’s scale indicates possible resale of access to ransomware operators or state-affiliated groups.
Advanced Tools and Techniques
The operation relies on a custom Golang-developed tool, ‘FortiGateSniffer,’ capable of monitoring 24 network protocols concurrently. The tool parses authentication data from packets captured with FortiOS’s built-in diagnostic command, turning a legitimate troubleshooting feature into a weapon against the organizations that rely on it. The campaign also employs AI-powered autonomous penetration-testing agents, a notable step up in adversarial automation.
Data shows that about 66% of affected organizations have fewer than 200 employees, and 89.5% report annual revenues under $100 million. This suggests the attack targets entities large enough for FortiGate infrastructure but lacking the resources to detect such breaches effectively. Affected regions include the United States and India among others, impacting both small firms and Fortune Global 500 enterprises.
Implications and Recommendations
At the time of analysis, SOCRadar identified more than 80,553 FortiGate devices and 23,406 unique domains involved, with active data interception observed on over 19,000 firewalls. Attackers have built an extensive infrastructure, including a distributed GPU password-cracking cluster managed by Hashtopolis and a custom Telegram bot, illustrating the operation’s industrial scale.
The attack follows a five-phase chain: credential sourcing, initial access, traffic harvesting, credential exploitation, and data exfiltration. Victims span a wide geographic area, with India and the United States leading in affected domains, followed by Taiwan, Mexico, and other regions. Organizations are advised to rotate FortiGate-related credentials immediately, enforce multi-factor authentication, and minimize the exposure of management interfaces to the internet.
To safeguard against FortiBleed, companies should examine logs for indicators of compromise, such as FortiBleed infrastructure artifacts, FortiGateSniffer traces, and unusual RADIUS/NTLM/Kerberos activities. Enhancing detection around network-level sniffing and large-scale credential harvesting is crucial to defending against such sophisticated attacks.
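As an added defender-side example (not from the article or from SOCRadar’s research), the following Python script triages constructed FortiOS-style admin event log lines, flags every execution of ‘diagnose sniffer packet’, and rates highest those runs that dump packet payload while filtering on authentication ports (RADIUS, Kerberos, NTLM over SMB, LDAP). The key=value field layout and message wording are assumptions for illustration; map them to your own audit-log schema before use.

```python
import re

# Constructed sample log lines in FortiOS-style key=value form. Field names
# and message wording are an assumption for illustration, not real FortiGate output.
SAMPLE_LOGS = [
    'date=2026-03-02 time=09:14:11 type=event user="admin" ui="ssh(203.0.113.45)" '
    'msg="User admin executed: diagnose sniffer packet any \'port 1812 or port 88\' 6 0 a"',
    'date=2026-03-02 time=09:15:02 type=event user="admin" ui="ssh(203.0.113.45)" '
    'msg="User admin executed: diagnose sniffer packet port1 \'port 445\' 6 0 a"',
    'date=2026-03-02 time=10:02:40 type=event user="netops" ui="https(10.0.0.5)" '
    'msg="User netops executed: diagnose sniffer packet wan1 \'host 10.0.0.9 and icmp\' 4 10"',
]

# Ports carrying the authentication protocols the article names:
# RADIUS (1812/1813), Kerberos (88), NTLM over SMB (139/445), LDAP (389/636).
AUTH_PORTS = {"1812", "1813", "88", "139", "445", "389", "636"}
# Sniffer verbosity levels that dump packet payload rather than headers only.
PAYLOAD_LEVELS = {"2", "3", "5", "6"}
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
SNIFF_RE = re.compile(r"diagnose sniffer packet\s+(\S+)\s+'([^']*)'(?:\s+(\d+))?")

def parse_kv(line):
    """Split a key=value log line into a dict, stripping surrounding quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}

def classify_sniffer(entry):
    """Return None if the entry is not a sniffer run, else (severity, detail)."""
    m = SNIFF_RE.search(entry.get("msg", ""))
    if not m:
        return None
    iface, bpf, level = m.group(1), m.group(2), m.group(3)
    auth_hit = set(re.findall(r"port\s+(\d+)", bpf)) & AUTH_PORTS
    # Payload-level capture filtered on auth ports is the harvesting pattern.
    if auth_hit and level in PAYLOAD_LEVELS:
        return ("high", f"payload capture of auth ports {sorted(auth_hit)} on {iface}")
    if iface == "any" or not bpf:
        return ("medium", f"broad capture on {iface} with filter {bpf!r}")
    return ("low", f"scoped capture on {iface} with filter {bpf!r}")

def triage(lines):
    """Return (user, ui, severity, detail) for every sniffer execution found."""
    hits = []
    for entry in map(parse_kv, lines):
        verdict = classify_sniffer(entry)
        if verdict:
            hits.append((entry.get("user"), entry.get("ui")) + verdict)
    return hits
```

Run against an export of the firewall’s admin event log, any ‘high’ hit from an unexpected admin account or source address is a candidate for the credential-rotation and interface-lockdown steps described above.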
