Alex Yao Alex Yao
Back to news
Cyber Security Published on July 2, 2026

FortiBleed credential theft linked to INC and Lynx ransomware

SOCRadar has linked FortiBleed, a large-scale credential-harvesting campaign targeting FortiGate devices, to the operations of INC and Lynx ransomware groups.

The researchers identified administrative access on 409 targets and confirmed 12 ransomware deployments connected to the stolen credentials. The campaign underscores the risk of unpatched or misconfigured edge devices serving as direct paths to domain compromise.

Organizations running FortiGate appliances are advised to review logs for indicators of credential theft, enforce multi-factor authentication, and ensure devices are running current firmware with all security patches applied.