At least 12 confirmed ransomware deployments now trace to the FortiBleed credential haul, threat-intelligence firm SOCRadar reported on Wednesday 8 July, the first hard count linking the stolen Fortinet logins to live encryption 1. The firm logged scanning against roughly 11,250 FortiGate portals across more than 150 countries, confirmed administrator access on 409 targets, and full attack-chain completion on 354. FortiBleed is the credential-theft campaign that harvested Fortinet logins; the 86,644 flagged in June have become a working intrusion pipeline.
The same report placed one operator on the negotiation panels of both INC Ransom and Lynx at once, two crews the ransomware-as-a-service (RaaS) model files as separate businesses 2. RaaS rents infrastructure and branding to freelance affiliates, so a single person can sit on two brands' extortion desks off one credential set. The Lynx attribution that read as provisional a fortnight ago now rests on shared human labour rather than overlapping tooling alone.
Bitdefender flagged the same brand-blurring six weeks earlier through cross-claiming affiliates , making this the second independent data point in six weeks. Affiliate overlap in RaaS has been documented for years, and one shared negotiator does not render the brand labels meaningless. It does weaken them as a prioritisation input: knowing your Fortinet exposure tells a chief information security officer (CISO) more than knowing which crew's logo lands on the ransom note.
Whoever sits on the extortion panel, not whoever wrote the malware, sees each victim's pay ceiling and wallet addresses across every brand they work. That is why one operator spanning two panels matters more than shared tooling would. Cyber insurers and threat-intel platforms that price risk by named-group frequency inherit a taxonomy that no longer maps to distinct organisations.
