The FortiBleed campaign, an extensive credential-harvesting operation, has targeted organizations in 150 countries and facilitated the deployment of the INC Ransom and Lynx ransomware families. Discovered in mid-June, the campaign has been exploiting over 430,000 FortiGate firewalls using a network sniffer known as FortigateSniffer. The tool captures traffic passing through the compromised firewall and extracts cleartext credentials and password hashes, which the operators then reuse for further intrusions. The campaign appears to be run by a Russian initial access broker whose goals are to infiltrate Active Directory domains, steal sensitive data, and maintain persistent access. Since its inception in February, FortiBleed has compromised over 110 million credentials.

SOCRadar reports observing scanning activity against approximately 11,250 FortiGate portals, with the attackers gaining administrative access on 409 targets. The full attack chain was completed on 354 targets, leading to ransomware deployment in 12 incidents and the encryption of hundreds of endpoints. An operational security oversight by the attackers gave SOCRadar insight into their operations and confirmed that the same entities were targeted in both the FortiBleed and INC campaigns. Analysis revealed that about 20 individuals take part in the FortiBleed operation, some focusing on high-impact intrusions while others provide technical support.

The operation is closely tied to the ransomware economy, feeding directly into it through shared infrastructure and operators. INC Ransom emerged in mid-2023 and has become a prolific ransomware-as-a-service, while Lynx, released a year later, is an updated variant of it.