Based on reporting by The Hacker News →
Introduction
A financially motivated Russian-speaking broker is systematically raiding exposed FortiGate firewalls, snatching credentials from over 430,000 devices worldwide. The operation, dubbed FortiBleed, has already amassed a staggering 110 million credentials.
The problem
According to a report by The Hacker News, a persistent credential-harvesting campaign known as FortiBleed has been active since February 2026. The campaign is attributed to a financially driven, Russian-speaking initial access broker (IAB). The attackers have targeted more than 430,000 FortiGate firewalls globally. Their methodology involves collecting credential lists, scanning for exposed services, brute-forcing accessible systems, and deploying custom tools to harvest credentials at scale.
Consequences
The immediate consequence is the potential compromise of over 110 million credentials, giving attackers a massive foothold into government networks, enterprise VPNs, and critical infrastructure. Each harvested credential represents a possible initial access point for ransomware deployment, data exfiltration, or further lateral movement. The scale of this operation means that a single broker now controls a vast inventory of compromised access, which can be sold to other threat actors.
Causes
The root cause is twofold: first, the widespread exposure of FortiGate management interfaces (such as HTTPS admin panels or SSH) to the public internet, and second, weak or default credentials on these devices. The attackers did not need a new zero-day exploit; they leveraged poor operational hygiene—exposed services and weak passwords—to brute-force their way in. The campaign’s success hinges entirely on organizations failing to lock down administrative access to their firewall appliances.