SOCRadar, a threat-intelligence firm, has attributed the theft of 86,644 Fortinet FortiGate firewall credentials to the Lynx/INC Ransom ransomware operation, the company said this week. The set was flagged by Britain's National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) on 18 June as privately held ; SOCRadar assesses the crew has run it since at least February 2026. Lynx needs no software exploit to use it. It logs in. Named in the exposed set are Samsung, Siemens, Oracle, DHL, Accenture, Infosys and Foxconn. 1
Lynx cracked the passwords offline on a 45-GPU Hashtopolis cluster, a rig of 45 graphics processors coordinated to test guesses at speed, working against legacy FortiOS credentials still stored as SHA-256 hashes. Fortinet's 2025 upgrade re-hashed stored credentials to PBKDF2, but estates that skipped the upgrade never made the switch. SHA-256 computes fast, so a graphics-card rig can test billions of guesses a second against a stolen hash; PBKDF2 deliberately runs each guess through thousands of iterations, which is what makes an offline crack uneconomic.
Because the cracking ran on Lynx's own hardware, no failed-login telemetry appeared on any victim device. The first thing a defender sees is a successful login with a valid credential, not a brute-force spike. For the seven named blue-chips, that inverts the usual detection assumption and leaves credential rotation, not a patch, as the only clean reset.
