Security company SOCRadar says a large-scale FortiBleed campaign targeting Fortinet FortiGate firewalls to steal authentication credentials from organizations worldwide used custom sniffers to collect data.
According to the report, the campaign has been active since at least February 2026 and has targeted more than 430,000 FortiGate devices. Researchers believe the attackers act as an Initial Access Broker (IAB), gaining access to networks through credential stuffing, brute-force attacks, and password cracking.
SOCRadar says the attackers used a custom Golang-based tool called ‘FortigateSniffer’ on compromised firewalls. The tool abuses FortiOS's built-in packet-sniffing feature to capture network traffic and collect authentication data, including usernames, passwords, password hashes, and other login secrets.
The stolen traffic was processed and analyzed to extract credentials from protocols such as Kerberos, LDAP, RADIUS, SMTP, IMAP, and several database services. The attackers then reportedly used Hashcat running on a distributed GPU cluster to crack captured password hashes.
Fortinet said that the exposed credentials were from previous compromises and not linked to a new security issue. However, SOCRadar's findings indicate the campaign is ongoing and actively targeting FortiGate VPN devices.
Cybersecurity expert Kevin Beaumont also reported that attackers may have downloaded FortiGate configuration files from compromised devices to obtain additional hashed credentials for cracking.
Organizations using FortiGate firewalls are advised to check their device security, monitor for unauthorized access, and update credentials.
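As an added illustration of the monitoring advice above (example code, not from SOCRadar, Fortinet, or the report), the following Python flags two signals a defender would watch for on a FortiGate given the sniffer abuse described: successful admin logins from addresses outside an allow-list, and CLI audit entries that invoke the firewall's built-in packet sniffer. The log lines are constructed, and their exact field names and message text are assumptions modelled on FortiGate's key=value syslog format.

```python
import re

# Constructed sample FortiGate-style event log lines (key=value syslog format).
# Field names and message wording are assumptions for this example, not values
# taken from the report.
SAMPLE_LOGS = [
    'date=2026-03-02 time=09:14:05 devname="fw-edge" type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" ui="ssh(203.0.113.45)" '
    'srcip=203.0.113.45 action="login" status="success"',
    'date=2026-03-02 time=09:14:40 devname="fw-edge" type="event" subtype="system" '
    'logdesc="Admin CLI command" user="admin" ui="ssh(203.0.113.45)" '
    'msg="User admin via ssh executed: diagnose sniffer packet any none 6"',
    'date=2026-03-02 time=10:01:12 devname="fw-edge" type="event" subtype="system" '
    'logdesc="Admin login successful" user="netops" ui="https(10.10.0.5)" '
    'srcip=10.10.0.5 action="login" status="success"',
]

# Matches key="quoted value" or key=bare_value; quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one FortiGate key=value log line into a dict."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def find_findings(lines, admin_allowlist):
    """Return (rule, user, detail) tuples for suspicious admin activity.

    admin_allowlist: set of source IPs from which admin logins are expected
    (a hypothetical per-organization setting)."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        # Rule 1: successful admin login from an unexpected source address.
        if (rec.get("action") == "login" and rec.get("status") == "success"
                and rec.get("srcip") not in admin_allowlist):
            findings.append(("admin-login-outside-allowlist", rec.get("user"), rec.get("srcip")))
        # Rule 2: the built-in packet sniffer was started from the CLI.
        if "diagnose sniffer" in rec.get("msg", ""):
            findings.append(("packet-sniffer-invoked", rec.get("user"), rec.get("msg")))
    return findings


if __name__ == "__main__":
    for finding in find_findings(SAMPLE_LOGS, {"10.10.0.5"}):
        print(finding)
```

Both rules assume the device forwards event logs with CLI auditing enabled; without the audit entries, only the login rule fires.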