The threat actors engineered a Golang-based sniffer to target 430,000 FortiGate firewalls and identify 110 million credentials in the ongoing global campaign.

June 23, 2026

The threat actors behind the global "FortiBleed" credential-harvesting campaign engineered a sniffer tool to compromise hundreds of thousands of FortiGate routers and turn them into passive stealers in a wave of attacks that's now known to be much broader than initially thought.

Researchers from SOCRadar have unpacked the attack chain behind the ongoing threat campaign, which they believe is targeting more than 430,000 FortiGate firewalls globally and has resulted in the breach of high-value targets such as a NATO-aligned defense contractor, according to a white paper published this week.

Based on the observed activity, the threat actor is most likely an initial access broker (IAB) motivated by financial gain, according to SOCRadar, whose researchers reverse-engineered the attack chain to understand the origin and nature of the attack.