FortiBleed Actors Collaborating With Inc, Lynx Ransomware Gangs
After gaining a foothold in thousands of Fortinet firewalls, the attackers are starting to monetize that access, and are also piling on a Nextcloud zero-day bug..
VERDICT — CONFIRMED

Actors behind the FortiBleed credential-theft campaign are collaborating with the Inc and Lynx ransomware operations, BleepingComputer reported on July 1, citing research from SOCRadar's Threat Research Unit.
The campaign targeted more than 430,000 FortiGate firewalls worldwide, deploying a custom "FortiGate Sniffer" tool that harvested VPN credentials and authentication data on roughly 19,000 devices — a count that fell to around 11,000 after notifications — with about 500 operational servers identified, per SOCRadar's findings as reported by BleepingComputer. The researchers put the gang at approximately 20 members with defined roles.
The ransomware link rests on a Windows server in FortiBleed infrastructure that showed access to negotiation panels for both the INC and Lynx groups, plus victim overlap between FortiBleed-harvested data and organizations listed on INC's leak site, per the report. INC Ransom has operated since mid-2023; Lynx emerged in mid-2024 and is suspected to be an INC rebrand. Researchers also believe the attackers exploited a previously undisclosed Nextcloud zero-day to expand access after initial compromise; no technical details or CVE identifiers were released, per BleepingComputer. The Hacker News, SecurityWeek and Dark Reading also covered the research. The zero-day attribution and the ransomware ties reflect SOCRadar's analysis and were not confirmed by Fortinet or Nextcloud in the material reviewed.
Background
FortiGate firewalls, made by California-based Fortinet, sit at the network edge of hundreds of thousands of organizations worldwide, terminating the VPN connections through which remote employees reach internal systems. That position has made them, along with rival edge and VPN appliances, one of the most attacked classes of device on the internet: a single exploitable flaw yields credentials and a foothold inside thousands of networks at once, and both criminal groups and state actors have repeatedly industrialized such campaigns.
The division of labour described by the researchers — one crew harvesting access at scale, ransomware operations monetizing it — reflects the mature ransomware economy, in which initial-access brokers, encryption crews and leak-site extortion function as separable, tradeable services. Rebranding, as suspected between INC and Lynx, is likewise a standard manoeuvre for ransomware groups seeking to shed law-enforcement attention and sanctions exposure.
What comes next
Watch for responses from Fortinet and Nextcloud, neither of which had confirmed the findings in the material reviewed — in particular any Nextcloud advisory or CVE assignment for the alleged zero-day. For defenders, the operative fact is that harvested VPN credentials remain valid until rotated: organizations notified in the campaign face the follow-on ransomware risk the SOCRadar research describes, and the leak sites of INC and Lynx will show whether that monetization accelerates.