FortiBleed: The Broker Who Turned 73,000 Firewalls Into a Product Catalog

FortiBleed exposed valid credentials for 73,000+ Fortinet firewalls, revealing a large-scale access-brokering operation targeting organizations worldwide.

In mid-June 2026, researcher Volodymyr “Bob” Diachenko found a live, exposed server containing working login credentials for tens of thousands of Fortinet firewalls, a data leak code-named FortiBleed. The headline number, valid remote-access logins for 73,932 devices across 21,632 organizations in 194 countries, roughly half of every internet-facing FortiGate on the planet, is what made it news. The server was left open by accident, complete with the tools, logs, scripts, and credential catalog of a running operation.

But a list of stolen passwords is the output of a crime, not the crime itself. Mysterium VPN traced the operation back to a single vendor trading under the handle “SantaAd” on an underground Russian-speaking cybercrime forum.


The account has been building a vendor reputation since early 2025, and its post history reads like a product catalog with one obsession: Fortinet. Over recent months, the same seller auctioned remote-access credentials to named US manufacturers, listed thousands of Fortinet admin panels, and ran a standing advertisement buying fresh corporate access from US companies above a set revenue threshold.

“The single most telling piece of evidence in the whole affair isn’t a password; it’s the spreadsheet,” reads the report published by MysteriumVPN. “The leaked data is annotated, organization by organization, with company name, sector, annual revenue, and employee count, and sorted into tiers by how much they’re worth.”

Espionage actors sort targets by intelligence value. This actor sorted them by price. The revenue column is what marks this as a financially motivated operation whose end product is resale — most likely to ransomware crews for whom a pre-validated foothold in a high-revenue company is exactly what they’re buying.

The operation ran on mostly off-the-shelf parts. A dedicated brute-force server generated and tested credential combinations at scale — over a billion device-and-password pairs drawn from a few thousand common starting points, running tens of thousands of simultaneous attempts through rotating proxy addresses. A separate cracking server ran an open-source password-cracking tool fed by a cluster of roughly 45 high-end GPUs rented by the hour. A third workstation handled manual work: writing code, managing seven disposable Kali Linux virtual machines, and navigating victim networks once access was established.
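The detail that matters for defenders in the description above is the proxy rotation: tens of thousands of attempts spread across many source addresses means a per-IP lockout or rate limit never trips. The script below is an added example (not from the article or from Mysterium VPN's report) that parses FortiGate-style key=value login events and classifies failed-login bursts per target user by how many distinct source addresses were involved. The log lines are constructed: they follow the FortiOS event layout (status/user/srcip for admin logins, action/remip for SSL VPN), but every user, address and timestamp is invented.

```python
"""Detect distributed (proxy-rotated) brute force in FortiGate login events.

Added example; not from the article or from Mysterium VPN's report.
The log lines are CONSTRUCTED: they follow FortiOS's key=value event
layout, but every address, user and timestamp is invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line):
    """Split one key=value FortiOS log line into a dict, stripping quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def failed_logins(lines):
    """Yield (timestamp, user, source_ip) for every failed admin or SSL VPN login."""
    for line in lines:
        f = parse_fortilog(line)
        failed = f.get("status") == "failed" or f.get("action", "").startswith("ssl-login-fail")
        if not failed:
            continue
        ts = datetime.strptime(f"{f['date']} {f['time']}", "%Y-%m-%d %H:%M:%S")
        yield ts, f.get("user", "?"), f.get("srcip") or f.get("remip", "?")


def detect_bruteforce(lines, window=timedelta(minutes=10), min_failures=5, min_sources=3):
    """Per target user, find the first window holding >= min_failures failures and
    classify it by the number of distinct source addresses. A per-IP lockout never
    fires on the 'distributed' class: each rotating proxy address contributes only
    one or two attempts, so the target user, not the source, is the right key."""
    by_user = defaultdict(list)
    for ts, user, src in failed_logins(lines):
        by_user[user].append((ts, src))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            burst = [src for ts, src in evs[i:] if ts - start <= window]
            if len(burst) < min_failures:
                continue
            sources = len(set(burst))
            kind = "distributed" if sources >= min_sources else "single-source"
            findings[user] = {"kind": kind, "failures": len(burst), "sources": sources}
            break
    return findings


# Constructed sample log (RFC 5737 documentation addresses; all values invented).
SAMPLE_LOG = [
    # jsmith: classic single-source brute force, six failures from one address
    *[f'date=2026-06-10 time=03:1{i}:00 type="event" subtype="system" level="alert" '
      f'user="jsmith" srcip=198.51.100.7 ui="https(198.51.100.7)" action="login" '
      f'status="failed" reason="passwd_invalid"' for i in range(6)],
    # admin: eight failures, each from a different proxy address
    *[f'date=2026-06-10 time=03:2{i}:00 type="event" subtype="system" level="alert" '
      f'user="admin" srcip=203.0.113.{i + 1} ui="https(203.0.113.{i + 1})" action="login" '
      f'status="failed" reason="passwd_invalid"' for i in range(8)],
    # bob: two failures, below any threshold (probably a typo)
    'date=2026-06-10 time=03:30:00 type="event" subtype="system" level="alert" '
    'user="bob" srcip=198.51.100.20 action="login" status="failed" reason="passwd_invalid"',
    'date=2026-06-10 time=03:31:00 type="event" subtype="system" level="alert" '
    'user="bob" srcip=198.51.100.21 action="login" status="failed" reason="passwd_invalid"',
    # jsmith eventually logs in; successes are ignored by the detector
    'date=2026-06-10 time=03:32:00 type="event" subtype="system" level="information" '
    'user="jsmith" srcip=198.51.100.7 action="login" status="success"',
    # vpnuser: SSL VPN failures, where the source address lives in remip=
    *[f'date=2026-06-10 time=04:0{i}:30 type="event" subtype="vpn" level="alert" '
      f'action="ssl-login-fail" tunneltype="ssl-web" user="vpnuser" remip=192.0.2.{10 + i} '
      f'reason="sslvpn_login_permission_denied"' for i in range(5)],
]

if __name__ == "__main__":
    for user, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{user:8} {info['kind']:14} failures={info['failures']} sources={info['sources']}")
```

Run against the sample, the detector flags `jsmith` as single-source (six failures, one address) and `admin` and `vpnuser` as distributed (every failure from a different address), while `bob` stays below threshold. The thresholds are assumptions to tune against your own log volume; the design point is that the aggregation key is the target account, which is the one thing a rotating proxy pool cannot change.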

“The custom code carries the fingerprints of machine-generated software — emoji status messages, tidy ‘Step 1 / Step 2 / Step 3’ formatting, verbose explanatory comments, and ties back to an AI code-editor session created days before the campaign began,” continues the report.

The crew also deployed an AI-driven penetration-testing framework: a tool that lets an operator describe an objective in plain language and have software carry out the network attack automatically. Actions that once required a skilled, experienced attacker are now available to anyone who can rent a server and formulate a prompt.

The broker’s own candor is instructive. In one auction thread, when asked where the data came from, the seller said it was “mostly brute” and that the brute-forcing tool was written in-house. When asked how many credentials actually worked, they admitted that only a fraction had been confirmed valid and that the validation tool had broken. At one point an entire auction was pulled because “the dump had errors.” This is what access brokering looks like from the inside: a noisy, imperfect assembly line, not a clean heist.

“When this made the news, the broker didn’t go quiet. They updated a live auction for access to several thousand Fortinet devices, raised the starting price, and cited the news coverage as an authenticity guarantee.” A journalist’s writeup used as a sales testimonial. That’s a first.

The practical takeaway is architectural. The device organizations buy to keep strangers out became the front door a criminal crew walked through and then cataloged. Get the management interface off the public internet; enforce multi-factor authentication on VPN and admin access (some of the cracked credentials in this dataset were long and complex, which proves password strength alone doesn’t save you); and rotate every credential stored in the device configuration. Then assume your organization is already on a shopping list, because if it could appear in this dataset, access to your network may already be for sale.
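The three controls above can be checked mechanically against a FortiGate's exported configuration. The script below is an added example (not Fortinet tooling and not from the article) that parses FortiOS `config / edit / set / next / end` text and reports management protocols reachable on a WAN-role interface, administrators without trusted hosts or two-factor authentication, and local VPN users without two-factor. The two configurations are constructed: the CLI objects and keywords used (`allowaccess`, `role`, `trusthost1`, `two-factor`, `fortitoken`) are real FortiOS syntax, but the interface names, addresses and token serials are placeholders.

```python
"""Audit a FortiOS configuration for the exposures the takeaway above names.

Added example; not Fortinet's tooling and not from the article. The sample
configurations are CONSTRUCTED: keywords are real FortiOS CLI syntax,
names, addresses and FortiToken serials are placeholders.
"""
import shlex

MGMT_PROTOCOLS = {"http", "https", "ssh", "telnet"}


def parse_fortios(text):
    """Turn FortiOS 'config / edit / set / next / end' text into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        parts = shlex.split(raw)
        if not parts or parts[0].startswith("#"):
            continue
        verb, args = parts[0], parts[1:]
        if verb in ("config", "edit"):      # open a table, or an entry in it
            stack.append(cur)
            cur = cur.setdefault(" ".join(args), {})
        elif verb == "set":                 # 'set key v1 v2' -> {key: [v1, v2]}
            cur[args[0]] = args[1:]
        elif verb in ("next", "end"):       # close the entry / table
            cur = stack.pop()
    return root


def audit_fortios(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    for name, iface in cfg.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(iface.get("allowaccess", []))
        if iface.get("role") == ["wan"] and exposed:
            findings.append(f"interface {name}: {sorted(exposed)} reachable from the internet")
    for name, adm in cfg.get("system admin", {}).items():
        if not any(k.startswith("trusthost") for k in adm):
            findings.append(f"admin {name}: no trusted hosts, logins accepted from any address")
        if adm.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"admin {name}: two-factor disabled")
    for name, user in cfg.get("user local", {}).items():
        if user.get("two-factor", ["disable"]) == ["disable"]:
            findings.append(f"user {name}: two-factor disabled, VPN login relies on the password alone")
    return findings


# Constructed: admin GUI/SSH on the WAN side, admin reachable from anywhere, no MFA.
WEAK_CONFIG = """
config system interface
    edit "wan1"
        set role wan
        set allowaccess ping https ssh
    next
    edit "internal"
        set role lan
        set allowaccess ping https ssh
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
config user local
    edit "vpn-jsmith"
        set type password
    next
end
"""

# Constructed: management only on the LAN side, admin pinned to a management
# subnet with a token, VPN user with a token. Serials are placeholders.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    'set role wan\n        set allowaccess ping https ssh', 'set role wan\n        set allowaccess ping'
).replace(
    'set accprofile "super_admin"',
    'set accprofile "super_admin"\n        set trusthost1 10.10.0.0 255.255.255.0\n'
    '        set two-factor fortitoken\n        set fortitoken "FTK-PLACEHOLDER-000"',
).replace(
    'set type password', 'set type password\n        set two-factor fortitoken\n        set fortitoken "FTK-PLACEHOLDER-001"'
)

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_fortios(parse_fortios(text)) or ["no findings"]:
            print(" -", finding)
```

The weak configuration produces four findings and the hardened one none. Rotation of stored credentials (the third step above) cannot be judged from the configuration text alone, since secrets are stored encrypted; that check belongs in your change-management records rather than in a parser.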


Pierluigi Paganini

(SecurityAffairs – hacking, FortiBleed)
