Researchers report that the FortiBleed campaign, a financially motivated effort focused on stealing credentials from Fortinet FortiGate devices, is linked to the INC and Lynx ransomware operations. Across coverage, investigators describe FortiBleed as harvesting large volumes of verified login information from “hundreds of thousands” of exposed or compromised FortiGate firewalls. The stolen credentials are said to be actively used as part of follow-on access, rather than remaining only as standalone data theft. Security analysts also point to operational connections between FortiBleed infrastructure and the ransomware groups, including findings that an operator associated with the campaign is involved in activity tied to both INC and Lynx. This connection suggests the credentials support later intrusion steps, enabling attackers to access internal networks, expand privileges, or reach systems needed for ransomware deployment. The reporting emphasizes that the campaign’s scale and the verification of credentials make it valuable for subsequent attacks, while the attributed links indicate coordination or shared infrastructure between the credential-theft activity and ransomware operations.