Most credential leaks are messy. Someone dumps a pile of raw data, half of it stale, and walks away. What ThreatMon’s research team pulled apart in June 2026 was the opposite: a clean, sorted, validated inventory of network access, put together by an operator who clearly knew what they were doing right up until the moment they left their own front door open.
Here’s the short version. Roughly half the world’s internet-facing Fortinet FortiGate devices show up in this campaign. The leaked dataset holds more than 74,000 records tied to nearly 22,000 organizations across 194 countries. And these aren’t guesses. A sample was tested and confirmed to contain live, working credentials.
That last detail is what changes the math. This wasn’t a collection. It was preparation.
The records on their own would already be bad news. What makes them worse is the structure around them. Each entry carries domain details, industry category, country, annual revenue, and the management port it was found on. Nobody enriches a raw leak like that. You only do it when you intend to sort, prioritize, and sell what you’ve got.
ThreatMon’s read is that the dataset isn’t the endgame at all. It looks like an intermediate product: one stage in a pipeline that runs acquisition, password recovery, validation, enrichment, and access prioritization, then keeps going. Calling it “groundwork for a larger campaign” is fair.
The interesting part isn’t that someone scanned FortiGate boxes. People do that around the clock. The interesting part is the assembly line built to turn raw hits into usable access.
ThreatMon got a look inside because the operator misconfigured their own infrastructure: an open directory sitting on port 9999, and a Hashtopolis web panel on port 8443 still running default credentials. From there the picture filled in quickly.
Hashtopolis is a legitimate open-source tool. It splits big password-cracking jobs into chunks and farms them out to GPU machines, with hashcat doing the actual work underneath. Here it was coordinating around 45 NVIDIA RTX 4090 cards across six agents, backed by serious host hardware: EPYC 96-core and 64-core CPUs and an Intel Xeon Platinum node. This is not a kid with a gaming PC. Someone spent real money on parallel hashing power and tuned it for rule-based and mask attacks at scale. The agents were all running the same client and actively polling for jobs when they were captured, with last-activity timestamps lining up almost exactly with the first detected exploitation on 31 May 2026.
Cracking was only one stage. The recovered Python tooling stitched together a full workflow:
Active Directory recon over LDAP, pulling users, groups, service accounts, SPNs, and anything carrying a privilege flag
SMB and DFS crawlers that walk file shares looking for passwords sitting in config files and scripts
Kerberos data processing, with Kerberoasting and AS-REP targeting
Credential parsers that normalize everything and group records by domain
OSINT enrichment that bolts on country, sector, revenue, and organization name
Strung together, that’s the gap between “we have some hashes” and “we have validated admin access to an $80M telecom in country X, and here’s the port.” The enrichment is the tell. You add revenue and sector data when you plan to sell or rank, not when you’re just hoarding.
Telecom took the biggest slice at almost 20%, followed by tech and IT, then internet and software services. But the spread is wide: banking, manufacturing, retail, education, automotive, and real estate all show up.
Geographically, India leads, and not by a little. More than 60% of the public- and government-sector victims trace back to Indian public institutions. The US comes second, and between the two they account for close to a third of the whole set. The named victims read like a who’s-who: Accenture, PwC, Comcast, AT&T, Chevron, Taiwanmobile. Sitting next to them is something more uncomfortable, a US state government domain (dshs.wa.gov), plus government records from Puerto Rico, Brazil, Colombia, El Salvador, Mexico, the Philippines, and others.
That government angle is where this stops being ordinary cybercrime. Firewall management panels for public agencies, exposed and harvested at scale, are a national-security problem, not a fraud problem.
One more pattern is worth flagging. The revenue curve peaks hard in the $50M to $100M band. The operator wasn’t grabbing whatever was lying around. Mid-tier organizations were the sweet spot: big enough to matter, often thin enough on security staff to stay exposed.
On June 12, a user called SantaAd on a well-known Russian-language forum started selling Fortinet VPN access. The listing covered about 34,000 entries across 6,896 unique IPs, roughly 3,100 of them US-based. A follow-up post referenced the FortiGate campaign directly and pushed the price up: starting bid to $60,000 and a blitz (instant-buy) price of $120,000, well above the $25,000 opening ask from a few days earlier.
ThreatMon is careful here, and so am I. There’s no hard proof SantaAd runs the operation. The cleaner read is that SantaAd is an initial access broker, either selling access pulled from this campaign or reselling someone else’s. Either way, the price climbing in step with the campaign’s coverage tells you the market thinks this access is worth real money.
For an operation with this much technical muscle, the operational security was sloppy. The open directory. The default-credential Hashtopolis panel. And a Telegram bot used for command-and-control and exfiltration, tied to a username that was identifiable. Strong automation, weak discipline. That’s the only reason any of this could be reconstructed and attributed in the first place.
The behavior reads as early-stage. No confirmed monetization at scale yet, no sustained forum presence beyond the SantaAd posts. This looks like the quiet phase: collect, validate, organize, and wait. Which is exactly why it’s worth acting on now, before the access actually gets used.
If you run FortiGate, assume you’re in it
The honest default here is uncomfortable but correct. If you have FortiGate or SSL VPN management interfaces reachable from the internet, treat yourself as exposed until you’ve proven otherwise.
The C2 server sits in the United Kingdom (AS211486). Keep an eye on the management ports the campaign favored: 443, 9443, 4443, 8443, and 10443.
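The practical version of "assume you're in it" is to take a leak-style record set in the field layout the article describes (domain, industry, country, annual revenue, management port), normalize and group it by organization domain the way the operator's own parsers did, and then check it against your own domains and the management ports the campaign favored. The script below is an added example written for that defensive triage; it is not ThreatMon's tooling, not the operator's recovered Python, and not code from the leaked dataset. All records and domains in it are constructed placeholders, and the domain normalization is a deliberate simplification (last two labels, no public-suffix list).

```python
"""
Defender-side triage of a leak-style record set against our own domains.
Added example, not ThreatMon's or the operator's code. Sample records are
constructed to match the field layout the article describes; none are real
entries from the leaked dataset.
"""
from collections import Counter, defaultdict

# Management ports the article reports the campaign favored.
CAMPAIGN_PORTS = {443, 9443, 4443, 8443, 10443}

# Constructed sample records in the article's field layout. The domains are
# placeholders, not organizations named in the leak.
SAMPLE_RECORDS = """\
domain,industry,country,annual_revenue_usd,port
vpn.example-telco.net,Telecom,IN,85000000,10443
fw.example-telco.net,Telecom,IN,85000000,443
portal.example-bank.com,Banking,US,450000000,8443
edge.example-mfg.co,Manufacturing,BR,60000000,4443
gw.example-edu.org,Education,PH,12000000,9443
"""

# Constructed: the registrable domains the defender is responsible for.
MY_DOMAINS = {"example-telco.net", "example-edu.org"}


def registrable_domain(hostname):
    """Collapse a hostname to its last two labels.
    Simplification (assumption): no public-suffix handling, so names such as
    'host.example.co.uk' would be cut wrong; a real tool would use a PSL."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def parse_records(text):
    """Parse the CSV text into dicts with typed port/revenue and a normalized
    organization domain added as 'org_domain'."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    out = []
    for ln in lines[1:]:
        row = dict(zip(header, ln.split(",")))
        row["port"] = int(row["port"])
        row["annual_revenue_usd"] = int(row["annual_revenue_usd"])
        row["org_domain"] = registrable_domain(row["domain"])
        out.append(row)
    return out


def group_by_domain(records):
    """Group records by organization domain, as the leak's own parsers did."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["org_domain"]].append(r)
    return dict(grouped)


def revenue_band(usd):
    """Coarse revenue band; the article notes the leak peaks at $50M-$100M."""
    if usd < 50_000_000:
        return "<50M"
    if usd <= 100_000_000:
        return "50M-100M"
    return ">100M"


def band_distribution(text):
    """Count organizations (not records) per revenue band."""
    grouped = group_by_domain(parse_records(text))
    return dict(Counter(revenue_band(rows[0]["annual_revenue_usd"])
                        for rows in grouped.values()))


def triage(text, my_domains):
    """Return one hit per owned domain that appears in the records, listing
    its hostnames, ports, and which of those ports the campaign favored.
    Hits with the most campaign-favored ports exposed sort first."""
    grouped = group_by_domain(parse_records(text))
    hits = []
    for dom in sorted(my_domains):
        rows = grouped.get(dom, [])
        if not rows:
            continue
        ports = {r["port"] for r in rows}
        hits.append({
            "domain": dom,
            "hosts": sorted(r["domain"] for r in rows),
            "ports": sorted(ports),
            "campaign_ports": sorted(ports & CAMPAIGN_PORTS),
            "band": revenue_band(rows[0]["annual_revenue_usd"]),
        })
    hits.sort(key=lambda h: len(h["campaign_ports"]), reverse=True)
    return hits


if __name__ == "__main__":
    print("organizations per revenue band:", band_distribution(SAMPLE_RECORDS))
    for hit in triage(SAMPLE_RECORDS, MY_DOMAINS):
        print(hit)
```

Any hit from `triage` is a host whose management interface was reachable at the time the record was made; the useful follow-up is to confirm whether that interface is still internet-facing, and to rotate the credentials on it regardless, since the article reports that sampled credentials were validated as live.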
The thing that should bother defenders most isn’t the 74,000 records. It’s that someone built a repeatable machine to produce them, tested the output, sorted it by how much each target is worth, and then left it running. The leak is the rough draft. Treat it like one.