
The Broker Behind FortiBleed: Anatomy of a Russian-Speaking Access Operation

By Cybersecurity Experts Mysterium VPN Team
Last updated: 23 June, 2026

Key Takeaways

  • FortiBleed was not a zero-day: There’s no previously unknown Fortinet software vulnerability here. The credentials were harvested by brute force at industrial scale – automated software tried over 1.16B username-and-password combinations against 320,000+ FortiGate targets, plus a parallel run of roughly 2.1B attempts against 160,000+ Microsoft SQL servers. Nobody found a secret back door; they just kept knocking until the doors opened.
  • The leak is one product line of a working business: The attack also scanned hundreds of thousands of Sophos firewall portals and Synology network storage devices. Fortinet simply produced the most sellable inventory.
  • The actor is a broker, not a hoarder: The dataset contains each victim's industry, annual revenue, and headcount – the kind of information a salesperson prepares before a pitch, not what a spy collects.
  • AI made it easy: The operators wrote custom attack tools with the help of an AI and leaned on an agentic penetration-testing framework (software that can carry out a multi-step attack with minimal human guidance). They then rented GPU computing power by the hour to crack stolen password hashes.
  • They effectively claimed it: Shortly after the public disclosures, the broker raised the asking price on a Fortinet-access auction and pointed potential buyers to the news coverage as proof their goods were genuine, using a journalist's write-up as a sales testimonial.

At Mysterium VPN, we often think about who gets to sit in the middle of someone else's connection. Usually, that means a camera, a router, or an internet provider. This time, it’s something heavier: a firewall. The exact device a company buys to keep strangers out of its network turned out to be the front door a criminal crew walked through — and then cataloged, priced, and put up for sale.

In mid-June 2026, security researcher Volodymyr "Bob" Diachenko posted on LinkedIn that he had stumbled upon a live, exposed server containing what appeared to be working login credentials for tens of thousands of Fortinet firewalls (Fortinet is one of the world's largest makers of network security hardware). 

The press named the dataset FortiBleed. The headline number – valid remote-access logins for 73,932 firewalls across 21,632 organizations in 194 countries, roughly half of all internet-facing FortiGate devices on the planet – is what made it news.

But the dataset was never the interesting part. A list of stolen passwords is the output of a crime, not the crime itself. We wanted to understand the person feeding the machine. This investigation looks past the leak and at the operator behind it: a financially motivated initial access broker (someone who breaks into systems not to exploit them, but to sell that access to other criminals), who has all but signed their name to FortiBleed on an underground Russian-speaking cybercrime forum.

A screenshot of a cybercrime forum post by SantaAd

What Happened?

Diachenko's find was a server the crew had left accidentally open to the internet, complete with the tools, logs, scripts, and credential catalog of a running operation. Independent researchers confirmed that a sample of the administrator logins was genuine, and noted that the affected devices were different from earlier Fortinet leaks, meaning this was a newer and larger collection. 

The credentials appear to have been pulled from exported device configuration files, which is why fields normally visible only within a firewall's internal settings – such as the registered administrator email address – appear in the stolen data.

That’s essentially the whole event: a crew brute-forced their way into a large number of edge devices, harvested credentials, enriched them with business intelligence, and got caught because they left the door open. The detailed public technical reconstruction is well covered by Bob Diachenko's disclosures and by Ransomnews. Our contribution starts where the leak ends – with the operator.

The Operator: A Portrait of a Modern Access Broker

The persona at the center of this is a vendor we'll refer to by the handle they trade under – "SantaAd" – on an underground Russian-speaking cybercrime forum. Secondary handles, contact identifiers, and the account's numeric forum identity are known to us but withheld from this publication. What matters isn’t the label but the behavior.

This isn’t a hobbyist. The account has been building a vendor reputation on the forum since the start of 2025. Its post history reads like a product catalog with a single obsession: Fortinet. Over recent months, the same seller has auctioned remote-access credentials to named US manufacturers, listed thousands of Fortinet admin panels for sale, advertised a multi-gigabyte database of tens of thousands of Fortinet credential records in structured database format, and run a standing "buy" advertisement soliciting fresh corporate access from US companies above a set revenue threshold. The portfolio rounds out with the usual criminal-market miscellany, including payment-card fraud and a dispute thread chasing an unpaid $2,000 invoice, but Fortinet is the consistent thread.

Three things about this actor are worth dwelling on, because together they explain how an operation like FortiBleed actually works.

Candor About the Mess

In one auction thread, when asked where the data came from, the seller said that it was "mostly brute" (meaning mostly automated guessing) and that the brute-forcing tool was written in-house. When asked how many of the credentials actually worked, they admitted that only a fraction had been confirmed valid, that the validation tool had broken, and that tens of thousands of records were simply unchecked. 

At one point, an entire auction was pulled because "the dump had errors," while the seller had moved on to "working on RCE" (remote code execution, the ability to run commands on a victim's computer remotely). This is what real access brokering looks like from the inside: not a clean heist but a noisy, imperfect assembly line, run by someone juggling a sales pipeline and exploitation at the same time.

The Value Layer

The single most telling piece of evidence in the whole affair isn’t a password; it's the spreadsheet. The leaked data is annotated, organization by organization, with company name, sector, annual revenue, and employee count, and sorted into tiers by how much they're worth. Espionage actors triage by target; brokers triage by price. 

The presence of a revenue column is, more than anything else, what marks this as a financially motivated operation whose end goal is resale – most likely to ransomware and extortion crews, for whom a pre-validated foothold in a high-revenue company is exactly the product they buy.

The Soft Confession

When this made the news, the broker didn't go quiet. They updated a live auction for access to several thousand Fortinet devices, raised the starting price, and cited the news coverage as an authenticity guarantee. It isn’t literally a signed admission, but in the underground economy, it functions as one.

How a Few People Brute-Forced Half the Fleet

The reason a small crew could attack a third of a million firewalls is that almost none of the heavy lifting was custom-built. The operation, reconstructed from its own logs and our analysis of the captured material, ran on commodity parts:

  1. A dedicated brute-force server generated and tested credential combinations at enormous scale – over a billion device-address-and-password pairs, drawn from a few thousand common credential starting points, running tens of thousands of simultaneous attempts through rotating proxy addresses, on a daily scan-and-sleep cycle (IP addresses for all infrastructure are removed from this publication.)
  2. A separate operator workstation was where people worked manually: writing code, managing a lab of seven disposable Kali Linux virtual machines (Kali Linux is an operating system used for testing and exploiting networks), and manually navigating inside victim networks once access was gained.
  3. A third cracking server ran an open-source password-cracking tool fed by a cluster of roughly 45 high-end GPUs – graphics processors, the same hardware used for gaming and AI training – rented by the hour. This was stood up only once the crew had accumulated enough stolen authentication tokens to make the investment worthwhile.

Beyond brute force, the intrusion techniques were equally off-the-shelf: replaying captured VPN session tokens to bypass login screens without needing a password, and using standard Windows network tools to harvest credentials, authentication tickets, and internal directory data — with every hands-on action routed through the throwaway VM lab so the command server never touched a victim's network directly.

Two details elevate this from "noisy but ordinary" to a sign of where the whole field is heading.

  1. It was built for a team, in Russian. The tooling's working language (bot interfaces, brute-forcer prompts, code comments) is Russian throughout, and the system was plainly designed for more than one person: shared terminal sessions, separate operator accounts, and an administrator-and-helper structure suggesting at least two people of differing skill working the same machines.
  2. It was built with AI. The custom code carries the fingerprints of machine-generated software — emoji status messages, tidy "Step 1 / Step 2 / Step 3" formatting, verbose explanatory comments, and ties back to an AI code-editor session created days before the campaign began. The crew also deployed an agentic, AI-driven penetration-testing framework: a tool that lets an operator describe an objective in plain language and have software carry out the network attack automatically. That’s worth losing sleep over. Actions that once required a skilled, experienced attacker are now available to anyone who can rent a server and formulate a prompt.
An illustration of a flow chart showing how data breaches are a supply chain

Why This Matters

It would be easy to file FortiBleed under "another big leak" and move on. We think it marks three shifts that will outlast this particular dataset.

  1. The perimeter device is the weakest point in the perimeter. Organizations buy a firewall to be the wall. But a VPN appliance is, by design, a door that accepts connections from the entire internet. When half of an exposed fleet shows up in a single broker's catalog, the wall has become the on-ramp. The device most trusted to keep attackers out is now the first thing they go through.
  2. Brute force is viable again – at machine scale. The conventional wisdom that strong passwords defeat guessing assumes a human-speed attacker trying a few combinations before getting locked out. A two-person crew running rented GPUs, AI-written automation, and a billion attempts works faster. Notably, some of the cracked credentials were long and complex; passwords that should, by any standard rule, have been safe. But password strength isn’t a substitute for a second factor (like an authenticator app or hardware token) when the attacker can simply try forever.
  3. A breach is now a supply chain. The most important thing in the dataset is the revenue column, because it tells you what comes next. This actor's role is to acquire access cheaply and resell it. The buyers are the ransomware affiliates and extortion groups who would rather purchase a validated foothold in a target company than extract one themselves. FortiBleed is best understood not as an endpoint but as the early-warning stage of attacks that haven't happened yet, which is precisely the framing Ransomnews used, and we agree with it. Every organization in that file should assume it’s on a shopping list.

What To Do If You Run Fortinet (or Any Edge VPN)

The fix is mostly in defenders' hands, because the root cause is exposure and configuration rather than an unpatchable software flaw:

  • Rotate every credential stored in the device configuration: local user accounts, administrator accounts, directory-service bind credentials, and API keys. Treat all of them as already compromised.
  • Enforce MFA on VPN and admin access: The long, complex passwords in this dataset are proof that password strength alone did not save anyone. A second factor (a one-time code from an app, a hardware key, or a push notification) would have blocked the attack even when the password was known.
  • Get the management interface off the public internet: Restrict administrator access to known, approved internal or VPN-only sources. There’s no reason a firewall's control panel should be reachable from anywhere in the world.
  • Invalidate active VPN sessions and watch for session-token replay: Look for concurrent sessions from different locations, logins that appear from impossible geographic distances within short time windows, and sessions that resume from new locations.
  • Hunt inside the network, not just at the edge: Look for signs that an attacker has already moved past the firewall: unusual scanning of internal directory services, unexpected copying from file shares, and attempts to harvest Windows authentication data that would indicate the intruder is already working from inside.
  • Assume you’re now in the inventory: If your organization could appear in this dataset, behave as though access to your network is already for sale, and prioritize your response accordingly.
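The session-token replay and impossible-travel checks from the list above, as an added example that is not part of the original post or of any Fortinet tooling: it parses constructed VPN session log lines in a made-up format (the field names, the 1000 km/h ceiling and the sample addresses are assumptions) and flags a token reused from a second source address as well as a login pair too far apart for the elapsed time.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a made-up format (not any vendor's log schema):
#   <UTC time> user=<name> session=<token id> src=<ip> geo=<lat>,<lon>
# alice's token s1 resumes from another continent 20 min later; bob is benign.
SAMPLE_LOG = """\
2026-06-10T08:00:00Z user=alice session=s1 src=203.0.113.10 geo=48.86,2.35
2026-06-10T08:02:00Z user=bob session=s2 src=198.51.100.7 geo=51.51,-0.13
2026-06-10T08:20:00Z user=alice session=s1 src=192.0.2.44 geo=40.71,-74.01
2026-06-10T09:00:00Z user=bob session=s3 src=198.51.100.9 geo=51.50,-0.12
"""
MAX_KMH = 1000.0  # assumed ceiling: faster than this between logins is not travel

def parse(log):
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        lat, lon = map(float, f["geo"].split(","))
        events.append({"t": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": f["user"], "session": f["session"],
                       "src": f["src"], "lat": lat, "lon": lon})
    return events

def km(a, b):
    # great-circle (haversine) distance between two events' geo points
    la1, lo1, la2, lo2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def find_anomalies(log, max_kmh=MAX_KMH):
    """Return (kind, user, detail) for replayed tokens and impossible travel."""
    alerts, by_session, by_user = [], defaultdict(list), defaultdict(list)
    for e in parse(log):
        by_session[e["session"]].append(e)
        by_user[e["user"]].append(e)
    for sid, evs in by_session.items():
        srcs = sorted({e["src"] for e in evs})
        if len(srcs) > 1:  # one token seen from several addresses: replay or resume elsewhere
            alerts.append(("token_reuse", evs[0]["user"], f"{sid} used from {srcs}"))
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        for a, b in zip(evs, evs[1:]):
            hours = max((b["t"] - a["t"]).total_seconds() / 3600, 1 / 3600)
            speed = km(a, b) / hours
            if speed > max_kmh:
                alerts.append(("impossible_travel", user, f"{speed:.0f} km/h between logins"))
    return alerts
```

Real deployments would replace the `geo=` field with a lookup from the source address and tune the speed ceiling per user population; the two checks themselves stay the same.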

How We Approached This

This analysis draws on primary material (captured listings and profile activity from the underground forum where the broker trades, a technical summary of the operation's methods, and a reconstruction of the operator's infrastructure), combined with the public disclosures by Bob Diachenko and the reporting by Ransomnews. 

We have deliberately reproduced no victim data: no credentials, no company names from the dataset, no exfiltrated material, and no live infrastructure addresses. Identifying details for the actor beyond the trading handle are withheld pending further verification.

We also want to be clear about confidence. That the dataset is real and was produced by an industrial brute-force operation is well established by public disclosures. That the broker we profile here is connected to that operation is strongly indicated by the match between their forum inventory and the dataset's structure, and by their own conduct after the leak, but full real-world attribution remains open. At least one downstream claim circulating about a high-value victim data exfiltration is, as far as we can verify, still unconfirmed. We flag it as such rather than repeat it as fact.

The broker's own words, in an auction thread, sum up the entire economy better than we could: "mostly brute. Bruter wrote it himself." The barrier to compromising tens of thousands of organizations is no longer a matter of skill. It's a server, some rented GPUs, an AI assistant, and the patience to let the machine run.

© Copyright 2026 UAB "MN Intelligence"