FortiBleed Campaign Links Two Ransomware Gangs: INC and Lynx

First seen 2 Jul 2026, 18:59 UTC. Sources: Gbhackers, Theregister, socradar.io

The FortiBleed campaign has been linked to two ransomware groups, INC Ransom and Lynx, following an investigation by SOC Radar’s Threat Research Unit. Researchers discovered that a member of the initial access broker group was logged into both ransomware affiliate panels, indicating a direct connection between the credential theft and ransomware deployment. The campaign targeted over 430,000 Fortinet firewalls, with confirmed admin-level access on 409 targets. The attackers exploited SSL VPN authentication hashes, using a 45-GPU cluster to crack them and gain access to victims' Active Directory environments. This integration of credential theft into ransomware operations raises the threat level for organizations using FortiGate infrastructure. The attack was disclosed on June 17, 2026, and is characterized as a significant escalation in the ransomware economy.

Key Points:
• FortiBleed campaign linked to INC and Lynx ransomware groups.
• Over 430,000 firewalls targeted, with admin access confirmed on 409.
• Attackers exploited SSL VPN authentication hashes using a 45-GPU cluster.

Timeline

2026-06-17: FortiBleed attack disclosed
The large-scale credential harvesting campaign targeting Fortinet firewalls was publicly revealed.
Source: Theregister

2026-07-02: Link between FortiBleed and ransomware confirmed
SOC Radar's investigation revealed that a member of the initial access broker group was logged into both the INC and Lynx panels.
Source: Theregister

2026-07-02: Scope of FortiBleed campaign detailed
Researchers confirmed admin-level access on 409 targets and linked at least 12 ransomware attacks to FortiBleed victims.
Source: Gbhackers
