Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

Lynx crew cashes in FortiBleed haul

3 min read
08:46UTC

SOCRadar tied the 86,644-credential FortiGate harvest to the Lynx ransomware crew, which cracked legacy passwords offline on a 45-GPU rig rather than exploiting any flaw.

TechnologyDeveloping
Key takeaway

Rotation, not patching, resets a FortiGate estate once Lynx has cracked its stored credentials.

SOCRadar, a threat-intelligence firm, has attributed the theft of 86,644 Fortinet FortiGate firewall credentials to the Lynx/INC Ransom ransomware operation, the company said this week. The set was flagged by Britain's National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) on 18 June as privately held ; SOCRadar assesses the crew has run it since at least February 2026. Lynx needs no software exploit to use it. It logs in. Named in the exposed set are Samsung, Siemens, Oracle, DHL, Accenture, Infosys and Foxconn. 1

Lynx cracked the passwords offline on a 45-GPU Hashtopolis cluster, a rig of 45 graphics processors coordinated to test guesses at speed, working against legacy FortiOS credentials still stored as SHA-256 hashes. Fortinet's 2025 upgrade re-hashed stored credentials to PBKDF2, but estates that skipped the upgrade never made the switch. SHA-256 computes fast, so a graphics-card rig can test billions of guesses a second against a stolen hash; PBKDF2 deliberately runs each guess through thousands of iterations, which is what makes an offline crack uneconomic.

Because the cracking ran on Lynx's own hardware, no failed-login telemetry appeared on any victim device. The first thing a defender sees is a successful login with a valid credential, not a brute-force spike. For the seven named blue-chips, that inverts the usual detection assumption and leaves credential rotation, not a patch, as the only clean reset.

Deep Analysis

In plain English

A FortiGate is a firewall and remote-access box made by Fortinet that many companies use to let staff log in from home. Researchers found that 86,644 passwords for these devices had been stolen. British and American cyber-security agencies knew about the theft in June but treated it as a private matter rather than a public warning. A criminal group called Lynx, which also goes by INC Ransom, is now accused of cracking those passwords using 45 powerful graphics cards of the kind used for gaming, chained together to guess them fast. The problem is that Fortinet stored the passwords in an old, weak format that makes guessing far easier than it should be. Anyone still using one of the leaked logins could have their network broken into.

Deep Analysis
Root Causes

Fortinet has never forced a password reset across its FortiGate install base when hashing weaknesses surface, because a mass reset would sever SSL-VPN sessions for every customer at once; the vendor treats reset campaigns as a continuity risk rather than a security obligation, leaving legacy SHA-256 hashes live on firmware branches still under support.

Many FortiGate SSL-VPN portals authenticate straight against on-premises Active Directory without enforcing multi-factor login on the VPN hop itself, a configuration Fortinet's own hardening guides discourage but do not block by default. A cracked portal password on this class of device can open a route straight to the domain controller, well beyond the firewall it was meant to guard.

Escalation

Lynx/INC Ransom's usual pattern, per Recorded Future's ransomware tracking, runs two to six weeks from initial access to deploying an encryptor. Any organisation with an unreset leaked password may already be inside that window without knowing it.

What could happen next?
  • Risk

    Any organisation that reused a FortiGate SSL-VPN password included in the 86,644-credential set remains exposed until it forces a reset, regardless of whether Lynx/INC Ransom or another buyer holds the cracked list.

  • Precedent

    The six-week gap between the June private flag and July's public cracking claim will likely sharpen debate over when agencies should convert a privately held credential warning into a public one.

First Reported In

Update #9 · FortiBleed harvest linked to Lynx crew

BleepingComputer· 4 Jul 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.