FortiBleed Campaign Exposing Credentials for 73,932 FortiGate Systems

A dataset containing valid administrative and VPN credentials for tens of thousands of Fortinet FortiGate firewalls has been attributed to a Russian-speaking threat group, with confirmed impacts across government, critical infrastructure, and multinational corporations. Organizations should verify exposure immediately and rotate credentials.

Latest Updates

Based on analysis by Insikt Group, we have determined that at least two threat actors are attempting to sell data allegedly from the FortiBleed campaign impacting FortiGate VPN credentials. Also, based on analysis by Insikt Group, we assess that only one of the two sellers of this FortiBleed data is likely credible.

Insikt Group assesses that the threat actor SantaAd, a member of the top-tier Exploit Forum who posted an advertisement on June 12, 2026, claiming to auction off 34,000 lines of FortiGate VPN data, is likely a credible seller of this data. However, Insikt Group did not observe a sample posted in this advertisement thread, and at this time, we cannot confirm whether the FortiGate VPN data advertised by SantaAd is the same data involved in the FortiBleed incident.

On June 21, 2026, Insikt Group identified another seller of data related to the FortiBleed campaign being offered by an illegitimate group with low credibility, leveraging the ShinyHunters branding and operating under the moniker shinymontanna within a public Telegram channel. Within this Telegram channel, shinymontanna is reusing verbatim language used in the auction post by SantaAd. Based on current and historical analysis by Insikt Group, we assess that shinymontanna is likely attempting to re-extort victims of other threat actors and groups, as it has previously done, to capitalize on these incidents by creating greater urgency and fear to entice victims into paying. shinymontanna active since at least late fall 2025, has engaged in extortion attempts, claiming to possess sensitive data, including internal databases and employee information, and has set ransom demands ranging from $100,000 to $2 million for the data’s removal. The group has used Telegram for communication and advertisement of their exploits, including illegitimate forums such as BreachForums clones and copies in order to build credibility.


Figure 1: shinymontanna claiming responsibility for the FortiBleed incident in the Telegram channel The Underground _ Uwu 😻 (Source: Recorded Future)

What Happened

On June 13, 2026, security researcher Volodymyr “Bob” Diachenko reported on the “FortiBleed” dataset, which allegedly contains valid administrative and SSL VPN credentials for approximately 73,932 FortiGate firewall URLs across 194 countries and more than 21,600 domains. Diachenko attributed the campaign to a Russian-speaking threat group.

Cybersecurity researcher Kevin Beaumont and threat intelligence firm Hudson Rock subsequently validated portions of the dataset. Beaumont confirmed that sampled administrative credentials were authentic. Many affected devices reportedly remained online at the time of disclosure, ran recent FortiOS versions, and had management interfaces exposed to the internet.

Affected organizations span government, telecommunications, financial services, healthcare, manufacturing, and critical infrastructure sectors, including multinational corporations.

How the Attack Was Executed

According to Diachenko’s investigation, threat actors:

  • Conducted approximately 1.16 billion credential attempts against 320,777 FortiGate targets
  • Conducted approximately 2.1 billion credential attempts against 163,650 Microsoft SQL Server (MSSQL) systems
  • Intercepted SSL VPN authentication hashes
  • Used a 45-GPU cluster managed through Hashtopolis to crack hashes and recover plaintext credentials
  • Accessed internal Active Directory environments using recovered credentials

Researchers assessed that the dataset likely originated from exported FortiGate configuration files, which enabled offline credential recovery without ongoing access to the targeted devices.

Scale and Impact

The FortiBleed dataset covers organizations in 194 countries. Confirmed or reported compromises include organizations in Japan, Taiwan, Vietnam, Iraq, and Türkiye. Among those affected is a Turkish NATO defense contractor from which threat actors allegedly exfiltrated classified documents.

Why This Matters

Several factors make FortiBleed a high-priority incident:

  • A subset of credentials have been independently verified as authentic
  • Affected devices in many cases remain online with no indication of remediation
  • The campaign’s scale (73,932 firewall URLs, 194 countries) makes this one of the largest confirmed FortiGate credential exposures on record
  • Attribution to a Russian-speaking threat group, combined with confirmed targeting of a NATO defense contractor, raises the likelihood of espionage objectives alongside opportunistic access
  • The offline cracking methodology means organizations may have no logs of the initial credential theft

Timeline of Events

  • June 13, 2026: Researcher Volodymyr Diachenko publicly reports the FortiBleed dataset and attributes activity to a Russian-speaking threat group
  • June 13, 2026: Kevin Beaumont publishes analysis confirming sampled credentials are authentic; notes many affected devices remain online and internet-exposed
  • June 13, 2026: Hudson Rock validates portions of the dataset and releases a free FortiBleed lookup tool for organizations to check domain exposure

Recorded Future Independent Analysis

Insikt Group analysts identified malicious activity originating from the IP address 85[.]11[.]187[.]8, which is linked to the FortiBleed attacks, during internal analysis and associated it with AS211486 within the 85[.]11[.]187[.]0/24 range. Analysts observed HTTP activity on port 9999 on June 7, 2026, and SSH, VNC, RDP, and additional attack-capture-related activity from June 14 to June 15, 2026.

Artifacts identified on this infrastructure were consistent with a full credential harvesting and follow-on intrusion workflow, including:

  • A sniffer log associated with Fortinet credential capture (fg_capture.log);
  • Cracking orchestration files tied to Hashcat, Hashtopolis, and Telegram-coordinated tasking (bot.py, hashpanel.log, setup_hashcat.sh, and setup_hashtopolis.sh;
  • Active Directory and LDAP enumeration scripts (ad_enum.py and ad_full_audit.py);
  • Password-spraying tooling (spray_*.sh, spray_*.py, and spray_results.txt);
  • SMB/DFS collection scripts with staged exfiltration capability backup_dfs.py, backup_dfs2.py, spider.py, and smb_test.py); and
  • Log-clearing markers were also present, indicating efforts to remove evidence of activity.

A June 18, 2026 PwnDefend blog post corroborated these findings by independently identifying 85[.]11[.]187[.]8 as a source IP associated with the FortiBleed campaign. The overlap between Insikt Group’s internal findings and subsequent public reporting increases confidence in this IP’s association with FortiBleed-related credential harvesting, cracking, and follow-on network access activity.

What You Need to Do Now

Immediate actions if your organization runs Fortinet:

  • Rotate all FortiGate admin and SSL VPN credentials immediately
  • Enforce multi-factor authentication on all remote and administrative access
  • Review Fortinet logs for unusual logins, admin sessions, config changes, and new accounts. Consider replacing devices that have had suspicious activity.
  • Restrict or remove internet exposure for management interfaces
  • Patch FortiOS and review hardening settings
  • Hunt for downstream compromise inside the network if exposed credentials were in use

Recorded Future customers with affected domains will receive automated credential alerts if their organization is in the dataset as sources are ingested into the Platform. Customers can access related data from any of the following sources:

  • FortiBleed URL, Login, Password (ULP) Credential Leak
  • FortiBleed Login and Password List
  • FortiBleed Impacted Domains
  • FortiBleed Domain Attribution

Recorded Future customers can access the full Analyst Note and FortiBleed Intelligence Card in the Recorded Future Portal for additional indicators, affected organization context, and threat actor attribution detail.

Learn how to stay ahead of emerging threats. Understand all of the critical vulnerabilities that may be affecting your organization. Speak to our threat intelligence experts today.

Scroll to Top