
FortiBleed Ransomware Campaign Tied to INC and Lynx Groups

Published on July 3, 2026

Researchers have found direct evidence linking the FortiBleed credential theft campaign to two active ransomware operations, INC Ransom and Lynx. The discovery confirms what many analysts suspected. The stolen Fortinet credentials were never just sitting in a database. They were feeding real extortion attacks against real victims.

SOCRadar's Threat Research Unit made the connection after analyzing a Windows server tied to the FortiBleed infrastructure. On that server, investigators found browser sessions logged into the ransomware negotiation panels used by both Lynx and INC. Those panels contained live victim chats. They are the same dashboards ransomware operators use to haggle over payment with compromised companies.

How the FortiBleed Ransomware Link Was Confirmed

The FortiBleed campaign first drew attention when a server turned up exposed on the open internet. It held credentials stolen from more than 73,000 Fortinet devices. Researchers also found downloaded FortiGate configuration files on it, plus tools built to crack password hashes and run credential-stuffing attacks against other systems.

A later investigation added another layer. Researchers discovered the operation had deployed a custom packet-sniffing tool called FortiGate Sniffer on compromised firewalls. That tool intercepted VPN credentials and other authentication data straight from network traffic. It gave attackers a steady stream of fresh logins without needing to breach each target individually.

The new findings go further. SOCRadar says the individual with access to the FortiBleed infrastructure also had access to the negotiation platforms both ransomware groups use with victims. That overlap is not circumstantial. It places the same person, or the same small group, inside both the credential theft operation and the extortion process that follows it.

A Larger Operation Than First Reported

SOCRadar's research shows the FortiBleed campaign was substantially bigger than early reporting suggested. The operation targeted more than 430,000 FortiGate firewalls worldwide. It planted traffic sniffers on roughly 19,000 devices. After affected organizations received notifications, that number dropped to around 11,000 still-compromised systems.

Investigators also identified about 500 servers used across the operation. That is over 200 more than were previously tied to the campaign. Victim data collected during FortiBleed overlaps with organizations that later appeared on the INC ransomware leak site.

This reinforces the direct pipeline between credential theft and extortion. Evidence gathered so far points to an operation with around 20 members, each with a defined role.

That structure matters for defenders. A loosely organized crew scraping credentials looks very different from a 20-person operation with dedicated infrastructure and a repeatable playbook. This one has both, plus direct access to the negotiation platforms where ransom payments get settled.

Nextcloud Zero-Day and Persistent Backdoors

Researchers believe the attackers used a previously undisclosed Nextcloud vulnerability to expand their access once inside a target network. SOCRadar has not released technical details on the flaw. Organizations running Nextcloud should watch for an eventual advisory rather than assume they are unaffected in the meantime.

Investigators also found persistent backdoor accounts using the username "adminin" planted across compromised systems. Accounts like this let attackers return to a network long after the initial breach, even after the original entry point gets patched. SOCRadar says it is continuing to work on recovering ransomware decryption keys tied to the campaign.

INC and Lynx: One Group, Two Names

INC Ransom has run as a ransomware-as-a-service platform since mid-2023. It has hit healthcare, education, and government targets across multiple countries. Lynx emerged roughly a year later, in mid-2024, and researchers widely consider it a rebrand of INC rather than a distinct group.

That distinction matters here. The FortiBleed ransomware link is not evidence of two separate groups buying stolen access from the same broker. It looks more like one continuous criminal enterprise. That enterprise is using a single credential pipeline to feed its own extortion campaigns under different brand names.

What Organizations Should Do Now

SOCRadar plans to release a second technical white paper once its investigation wraps up. That paper will include indicators of compromise and additional attribution evidence. Until then, organizations running FortiGate devices should treat any credentials active during the exposure window as potentially compromised, even if their device shows no sign of an active sniffer.

Rotating VPN credentials is a reasonable first step. Reviewing firewall configurations for unauthorized changes and auditing for unfamiliar administrator accounts should follow close behind. The FortiBleed campaign has already scaled from one exposed database to hundreds of thousands of targeted devices. Its confirmed ties to active ransomware operations mean the consequences of inaction are no longer theoretical.
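As an added, defender-side illustration of the account-audit step above and of the "adminin" backdoor accounts described earlier (example code, not from SOCRadar or the original post): a small Python parser for the `config system admin` block of a FortiGate configuration backup that flags administrator accounts missing from an assumed allowlist and accounts with no trusthost restriction. The configuration excerpt and the allowlist are constructed for the example.

```python
# Constructed FortiGate config excerpt (not a real dump); "adminin" is the reported backdoor name.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.0.0.0 255.255.255.0
        set accprofile "super_admin"
    next
    edit "adminin"
        set accprofile "super_admin"
    next
    edit "backup-ro"
        set trusthost1 10.0.0.5 255.255.255.255
    next
end
"""
# Accounts the organization knows about (assumed allowlist); anything else is flagged.
APPROVED_ADMINS = {"admin", "backup-ro"}

def parse_admins(config_text):
    """Return {username: {setting: value}} from the 'config system admin' block."""
    admins, current, depth = {}, None, -1  # depth -1: not yet inside the block
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth < 0:
            depth = 0 if line == "config system admin" else -1
            continue
        if line.startswith("config "):   # nested sub-block (e.g. gui-dashboard)
            depth += 1
        elif line == "end":
            if depth == 0:
                break
            depth -= 1
        elif depth == 0 and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            admins[current] = {}
        elif depth == 0 and line == "next":
            current = None
        elif depth == 0 and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip('"')
    return admins

def audit_admins(config_text, approved=APPROVED_ADMINS):
    """Flag accounts not on the allowlist or lacking any trusthost restriction."""
    findings = []
    for name, settings in parse_admins(config_text).items():
        if name not in approved:
            findings.append((name, "not on approved list"))
        if not any(k.startswith("trusthost") for k in settings):
            findings.append((name, "no trusthost restriction"))
    return findings
```

Run `audit_admins` over a freshly exported backup for each device; any finding is a candidate for the manual review the recommendations above call for.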
