FortiBleed, a credential-harvesting operation uncovered by multiple independent security researchers, has exposed verified working credentials for approximately 74,000 Fortinet FortiGate firewall devices across 194 countries. The data includes login credentials for corporations including Samsung, Comcast, Siemens, FoxConn, Lenovo, FedEx, Accenture, and Oracle, independently verified as authentic by security researchers.
The attack chain intercepts SSL VPN authentication, cracks hashes on a 45-GPU Hashtopolis cluster, and pivots into internal Active Directory environments. Russian-speaking threat actors processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers during the operation.
FortiBleed Attack Method and the Hashtopolis GPU Cluster
The operation targets Fortinet FortiGate SSL VPN authentication endpoints. Researchers documented the harvester intercepting VPN credentials in transit and forwarding them to infrastructure built around a 45-GPU cluster managed via the open-source Hashtopolis framework. The operator ran the FortiGate and MSSQL credential campaigns simultaneously.
Shodan data indicates that most compromised Fortinet devices remain online and unpatched, so the pool of accessible firewalls continues to grow. The scope covers 21,632 unique domains with affected FortiGate devices.
The GPU Cluster Infrastructure and Credential Processing
The 45-GPU Hashtopolis cluster processes captured hashes from FortiGate VPN authentication traffic. Once hashes are cracked, valid credentials are deployed against targeted FortiGate devices across 194 countries. The credential pool spans nearly every global industry sector, meaning every compromised device is a potential lateral movement entry point.
NATO Contractor Breach Confirms Active Exploitation
At least four organizations were fully compromised through the credential set, including a Turkish NATO defense contractor from which classified defense documents were exfiltrated. This case confirms attackers are actively using the stolen credentials for documented espionage rather than merely harvesting them.
Fortinet denies the attacks are fresh, claiming the data combines prior incidents with credential brute-forcing. Regardless, the scale and verification of the leaked credentials prompted CISA to issue an urgent advisory to Fortinet customers.
Shodan Data Confirms Devices Remain Exposed
CISA’s advisory urges Fortinet customers to immediately rotate all VPN and administrative credentials and audit access logs for unauthorized sessions. Most identified devices have not been patched or had their credentials rotated, so the exposure window keeps widening well past the data dump’s appearance on the dark web.
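A minimal log audit of the kind the advisory calls for, added here as an example that is not from the article, CISA or Fortinet: it scans constructed FortiGate-style SSL VPN event lines for accounts whose successful sessions arrive from many distinct source addresses (a sign of reused stolen credentials) and for source addresses producing bursts of login failures (a sign of credential stuffing). The field names and action values are assumptions and should be checked against the logs your own devices emit.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate-style key="value" syslog syntax.
# Assumption: field names (user, remip, action, subtype) and the action values
# "tunnel-up" / "ssl-login-fail" match the event/vpn logs of your devices.
SAMPLE_LOGS = """\
date=2024-05-01 time=08:02:11 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="alice" remip="203.0.113.10"
date=2024-05-01 time=09:14:03 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="alice" remip="203.0.113.10"
date=2024-05-01 time=09:20:45 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="bob" remip="198.51.100.7"
date=2024-05-01 time=09:21:10 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="bob" remip="192.0.2.44"
date=2024-05-01 time=09:22:02 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-web" user="bob" remip="192.0.2.99"
date=2024-05-01 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip="192.0.2.5"
date=2024-05-01 time=10:00:02 type="event" subtype="vpn" action="ssl-login-fail" user="administrator" remip="192.0.2.5"
date=2024-05-01 time=10:00:03 type="event" subtype="vpn" action="ssl-login-fail" user="vpn" remip="192.0.2.5"
date=2024-05-01 time=10:00:04 type="event" subtype="vpn" action="ssl-login-fail" user="test" remip="192.0.2.5"
date=2024-05-01 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="guest" remip="192.0.2.5"
date=2024-05-01 time=10:00:06 type="event" subtype="vpn" action="ssl-login-fail" user="support" remip="192.0.2.5"
date=2024-05-01 time=10:05:00 type="event" subtype="vpn" action="ssl-login-fail" user="alice" remip="198.51.100.7"
"""

# key=value pairs; the value is either a quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return one log line's fields as a dict, with surrounding quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def audit(lines, max_ips_per_user=2, fail_threshold=5):
    """Flag users with successful SSL VPN sessions from more than max_ips_per_user
    distinct remote IPs, and source IPs with at least fail_threshold login failures.
    Returns (flagged_users -> sorted IP list, flagged_sources -> failure count)."""
    ips_per_user = defaultdict(set)
    fails_per_source = defaultdict(int)
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("subtype") != "vpn":
            continue  # ignore non-VPN events
        if ev.get("action") == "tunnel-up":
            ips_per_user[ev["user"]].add(ev["remip"])
        elif ev.get("action") == "ssl-login-fail":
            fails_per_source[ev["remip"]] += 1
    flagged_users = {u: sorted(ips) for u, ips in ips_per_user.items()
                     if len(ips) > max_ips_per_user}
    flagged_sources = {ip: n for ip, n in fails_per_source.items() if n >= fail_threshold}
    return flagged_users, flagged_sources


if __name__ == "__main__":
    users, sources = audit(SAMPLE_LOGS.splitlines())
    print("users with sessions from many source IPs:", users)
    print("sources with login-failure bursts:", sources)
```

Flagged accounts are candidates for immediate credential rotation and session termination; flagged sources are candidates for blocking at the firewall.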
