A Russian-speaking initial access broker known as FortiBleed has operated an automated credential-harvesting campaign against internet-facing FortiGate (FortiOS) devices since February 2026, capturing over 110 million credentials across 659 pipelines between May 31 and June 15. The campaign exploits absent MFA and weak passwords, not a CVE, deploying a passive Go-based sniffer on compromised devices to extract cleartext credentials and NTLM/Kerberos hashes. Harvested credentials feed downstream Active Directory compromise and ransomware staging.
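
Because the campaign relies on absent MFA rather than a CVE, one defensive check is to audit a FortiGate configuration backup for administrator accounts that lack a two-factor method or a trusted-host restriction. The following is an added example, not code from the original page or from Fortinet; the sample backup is constructed, the function and finding names are hypothetical, and it assumes that an omitted `two-factor` setting means the default of `disable`.

```python
# Constructed sample backup (not from the page); the nested block tests depth tracking.
SAMPLE_CONFIG = """config system admin
    edit "admin"
        config gui-dashboard
            edit 1
            next
        end
    next
    edit "netops"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor fortitoken
    next
    edit "backup"
        set trusthost1 10.0.0.0 255.255.255.0
        set two-factor disable
    next
end
"""

def parse_admins(text):
    """Return {admin: {setting: value}} from the 'config system admin' section."""
    admins, current, depth = {}, None, 0  # depth 0 means outside the section
    for line in map(str.strip, text.splitlines()):
        if depth == 0:
            depth = 1 if line == "config system admin" else 0
        elif line.startswith("config "):
            depth += 1  # nested block such as gui-dashboard; skip its contents
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and line.startswith("edit "):
            current = line[5:].strip('" ')
            admins[current] = {}
        elif depth == 1 and current and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            admins[current][key] = value.strip()
    return admins

def audit_admins(text):
    findings = {}  # admin name -> list of hypothetical finding labels
    for name, cfg in parse_admins(text).items():
        issues = []
        if cfg.get("two-factor", "disable") == "disable":  # assumed default
            issues.append("no-two-factor")
        if not any(k.startswith("trusthost") for k in cfg):
            issues.append("no-trusthost")
        if issues:
            findings[name] = issues
    return findings
```

Run `audit_admins()` over the text of each device's exported configuration; any account it returns is reachable with a password alone, from any source address, or both.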