In June 2026, security researcher Volodymyr “Bob” Diachenko disclosed the existence of a large dataset associated with internet-facing FortiGate deployments worldwide.
The disclosure immediately attracted attention due to the scale of the exposed information and the number of organizations represented within the records. According to publicly available information, the dataset contained approximately 74,000 FortiGate-related records associated with more than 21,000 organizations.
At first glance, the exposed records appeared to be another credential leak.
However, ThreatMon’s independent investigation suggests the operation was significantly more structured than a typical credential collection campaign.
Our analysis indicates that the dataset may have been part of a broader effort to identify, validate, organize, and potentially operationalize access opportunities across thousands of FortiGate deployments spanning multiple industries and geographic regions.
More importantly, ThreatMon’s investigation extended beyond the exposed records themselves. During our analysis, we identified evidence of backend infrastructure, distributed task-processing agents, and credential-processing workflows that provide additional insight into how this operation may have functioned.
This raises an important question:
Why would an adversary invest resources into collecting 74,000 FortiGate records?
The operation first came to public attention when security researcher Volodymyr Diachenko identified and disclosed an exposed dataset containing FortiGate-related information associated with organizations around the world.
The dataset reportedly contained information linked to more than 21,000 organizations and approximately 74,000 FortiGate-related records.
Records observed by ThreatMon included:
While the volume of records attracted immediate attention, the structure of the dataset revealed a much more interesting story.
A threat actor appears to have operated a large repository of FortiGate-related access information spanning multiple industries, countries, and enterprise environments.
Rather than representing a single intrusion or isolated compromise, the dataset appears to reflect a broader effort to aggregate and organize potentially valuable access opportunities.
ThreatMon’s assessment is that the exposed records resemble an operational inventory more than a traditional credential dump.
Organizations identified within the dataset span a broad range of industries. ThreatMon observed records linked to telecommunications providers, energy and oil & gas companies, manufacturing and logistics operators, technology firms, healthcare organizations, and financial services institutions.
Analysis of the records reveals multiple entries associated with the same organizations, often across different countries and infrastructure locations. This suggests deliberate targeting of large distributed enterprise environments rather than opportunistic victim selection.
The operation was global in scope.
ThreatMon observed records associated with organizations across North America, Europe, Asia-Pacific, Latin America, and the Middle East.
The geographic distribution indicates an operation designed to maximize access opportunities rather than focus on a specific region.
The operation came to public attention in June 2026 following the disclosure made by security researcher Volodymyr Diachenko.
While the full timeline of the activity remains unknown, ThreatMon’s investigation identified evidence showing that infrastructure associated with the operation was already active by at least May 31, 2026.
Backend activity logs revealed multiple distributed agents communicating with the command infrastructure and periodically retrieving assigned tasks.
The observed activity indicates that the threat actor’s environment was operational prior to public disclosure and was supporting ongoing processing workflows at the time of discovery.
Based on the available evidence, ThreatMon assesses that the exposed dataset likely represents a snapshot of an already active operation rather than the beginning of one.
This is arguably the most important question.
If the objective were merely to compromise individual organizations, a small number of valid credentials would likely have been sufficient.
Instead, the operators accumulated access information associated with tens of thousands of FortiGate deployments.
From an intelligence perspective, this resembles the creation of a scalable access portfolio.
Such collections can support:
The dataset therefore represents potential operational capability rather than simple data collection.
The complete collection methodology remains unknown.
However, available evidence suggests the operation may have involved multiple credential acquisition and validation techniques, potentially including:
Repeated credential patterns observed across unrelated organizations suggest that the operators were systematically validating and organizing successful access opportunities rather than collecting credentials indiscriminately.
Unlike previous public reporting that focused primarily on the exposed dataset, ThreatMon’s investigation extended into infrastructure analysis and operational telemetry associated with the threat actor environment.
One of the most notable observations is the recurrence of similar administrative usernames and password structures across unrelated organizations.
Repeated credential formats appear throughout the dataset, suggesting the operators were cataloging successful authentication patterns in addition to storing access information itself.
This finding reinforces the risks associated with password reuse, predictable administrative naming conventions, and inherited infrastructure configurations.
ThreatMon observed multiple FortiGate records associated with individual organizations.
Rather than targeting a single perimeter device, the operators appear to have mapped entire FortiGate ecosystems belonging to large enterprises.
This behavior is more consistent with long-term operational planning than opportunistic intrusion.
The dataset shows a notable concentration of organizations in sectors with high strategic value: telecommunications, energy, critical infrastructure, industrial manufacturing, and logistics. These are not random targets.
Such organizations provide strategic value because they enable access to interconnected business networks, supply chains, and operational environments.
The observed victimology suggests prioritization rather than random collection.
While the exposed dataset attracted most of the public attention, ThreatMon’s investigation extended beyond the records themselves.
During analysis of the associated infrastructure, we identified evidence of a distributed backend environment used to coordinate operational activity.
ThreatMon identified multiple backend agents communicating with a centralized task-management system.
Observed activity indicates that agents periodically requested assignments from the backend using recurring task retrieval operations.
Based on observed workflows, infrastructure artifacts, and tasking behavior, ThreatMon assesses that portions of the environment were likely used to support credential processing, validation, and potentially password-cracking operations.
The architecture observed during the investigation resembles distributed task-processing environments commonly associated with large-scale authentication-focused campaigns.
Analysis of the backend management panel revealed multiple active agents retrieving tasks from the command infrastructure.
Agent ID | Last Activity | Source IP |
|---|---|---|
62a766b62902 | 31 May 2026 | 185.229.26.83 |
14ef970d11bc | 31 May 2026 | 213.169.49.142 |
ccdf27b29a0b | 01 Jun 2026 | 38.117.87.37 |
a4efe3f0d349 | 02 Jun 2026 | 198.53.64.194 |
6504b85a71f3 | 31 May 2026 | 175.155.64.221 |
f9d72bd84a5e | 31 May 2026 | 211.72.37.226 |
The presence of multiple simultaneously active agents suggests a distributed operational model rather than activity originating from a single host or operator.
ThreatMon identified infrastructure components associated with the operation and recommends that organizations review historical telemetry for evidence of interaction.
Organizations should review:
Particular attention should be given to:
ThreatMon has independently analyzed portions of the exposed dataset and confirmed that organizations across multiple industries and regions appear within the records. If your organization operates FortiGate devices, exposure is possible until verified otherwise.
At a minimum, organizations should determine whether:
ThreatMon is currently working with affected organizations to conduct exposure verification, assess credential risk, and provide incident response guidance where needed. If you would like to determine whether your organization’s assets, users, or infrastructure appear within the dataset, contact the ThreatMon Research Team directly.
Regardless of whether your organization appears in the dataset, this incident serves as a reminder that internet-facing network infrastructure requires continuous monitoring. Credentials rotate. Configurations drift. Devices that were secure last quarter may not be today. To determine whether your organization appears in the dataset or to request further analysis, contact our team at support@threatmon.io.
The most important question is not how 74,000 FortiGate records were collected.
The more important question is why they were collected.
The dataset first uncovered by Volodymyr Diachenko and independently analyzed by ThreatMon reveals a level of organization, persistence, and operational planning that extends beyond traditional credential theft.
Viewed as a whole, the records resemble a curated access inventory designed to support future operations.
Organizations operating FortiGate devices should assume exposure is possible until verified otherwise.
For defenders, the lesson is clear:
A firewall is not merely a security device.
For an adversary, it is often the front door.
And for some organizations, that door may already be listed in the dataset.