FortiBleed Targeted FortiGate Firewalls in 110-Million-Credential Harvesting Operation
A financially motivated, Russian-speaking threat actor is behind a credential-harvesting operation tracked as FortiBleed, which has targeted more than 430,000 FortiGate firewalls worldwide. The campaign has been active since February 2026 and follows a repeatable pattern: collect credential lists, identify exposed services, attempt brute-force logins against the systems that are reachable, and deploy custom malware on the ones that fall. Roughly 110 million credentials have been harvested so far.

The actor is assessed to be an initial access broker (IAB): rather than using the access itself, it sells compromised credentials to other criminals, who use them for follow-on intrusions such as ransomware deployment. Initial access is reportedly obtained through a combination of techniques, including exploitation of known vulnerabilities in FortiGate devices and reuse of credentials compromised earlier. Fortinet, the vendor of FortiGate, has been notified and is investigating which weaknesses were exploited.

Two points matter for defenders. First, the reporting summarized here names no specific vulnerability or CVE, and the core tradecraft (credential lists plus brute-force logins against exposed services) does not depend on one: an internet-reachable management or VPN interface with weak or reused credentials is exposed regardless of patch level. Second, because the harvested credentials are resold, a successful guess against a firewall is not the end of the incident but the start of someone else's; the credentials can grant access to the internal networks and data those firewalls protect, which is why the scale of the campaign is a significant risk to organizations that rely on these devices as a security boundary. The investigation is ongoing and aims to establish the full scope of the compromise and the mitigations required.
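The tradecraft described above (credential lists, then brute-force logins against reachable services) leaves a distinctive trace in firewall authentication logs: many failed admin logins from one source in a short window, either against one account (brute force) or across many accounts (password spraying). The following detector is an added example written for this page, not code from the reporting or from Fortinet. It assumes a key=value syslog format with date, time, action, status, user and srcip fields, which is a modelling assumption; the log lines it runs over are constructed here, not captured from a real device, and the thresholds are illustrative.

```python
"""Flag brute-force and password-spraying attempts against an admin login
from key=value syslog lines (constructed sample data; field names assumed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values may be double-quoted (can contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one key=value log line into a dict; quoted values lose their quotes."""
    out = {}
    for m in KV_RE.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return out


def detect_bruteforce(lines, window=timedelta(minutes=5),
                      fail_threshold=10, spray_users=5):
    """Return one alert per source IP whose failed logins, within any sliding
    `window`, reach `fail_threshold` attempts or `spray_users` distinct accounts.
    The alert reports the first window that crossed a threshold."""
    failures = defaultdict(list)          # srcip -> [(timestamp, user), ...]
    for line in lines:
        ev = parse_kv(line)
        if ev.get("action") != "login" or ev.get("status") != "failed":
            continue                      # only failed login events matter here
        try:
            ts = datetime.strptime(f"{ev['date']} {ev['time']}", "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue                      # malformed/missing timestamp: skip, don't crash
        failures[ev.get("srcip", "?")].append((ts, ev.get("user", "?")))

    alerts = []
    for ip, events in failures.items():
        events.sort()                     # sliding window needs time order
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                # drop events older than the window
            span = events[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= fail_threshold or len(users) >= spray_users:
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                alerts.append({"srcip": ip, "kind": kind, "failures": len(span),
                               "users": sorted(users),
                               "first": span[0][0], "last": span[-1][0]})
                break                     # one alert per source is enough
    return alerts


# ---- constructed sample log (assumed field layout, not real device output) ----
BASE = datetime(2026, 2, 10, 3, 15, 0)


def _line(ts, user, ip, status):
    return (f'date={ts:%Y-%m-%d} time={ts:%H:%M:%S} logid="0100032002" type="event" '
            f'subtype="system" level="alert" action="login" status="{status}" '
            f'user="{user}" srcip={ip} ui="https({ip})"')


SAMPLE_LOG = []
for i in range(12):                        # one account hammered: brute force
    SAMPLE_LOG.append(_line(BASE + timedelta(seconds=10 * i), "admin", "203.0.113.7", "failed"))
for i, u in enumerate(["admin", "fortinet", "backup", "vpnadmin", "support", "maint"]):
    SAMPLE_LOG.append(_line(BASE + timedelta(seconds=30 * i), u, "198.51.100.9", "failed"))
SAMPLE_LOG.append(_line(BASE, "admin", "192.0.2.5", "failed"))                 # one typo
SAMPLE_LOG.append(_line(BASE + timedelta(seconds=40), "admin", "192.0.2.5", "success"))
SAMPLE_LOG.append('logid="0100032002" action="login" status="failed" user="admin" srcip=192.0.2.6')

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['srcip']}: {a['kind']} ({a['failures']} failures, users={a['users']})")
```

The sliding window is what separates an attack from a user mistyping a password twice: the benign source 192.0.2.5 never crosses either threshold, and the line with no timestamp is skipped rather than silently counted at the wrong time. In practice the thresholds should be tuned to the device's normal admin traffic, and the source IP should be treated as a weak key, since a distributed campaign of this size will rotate addresses.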
Original source — read the full reporting at the publisher:
Read on The Hacker News