FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Groups 

After announcing last week that SOCRadar Links FortiBleed Campaign to INC and Lynx Ransomware Operations, today the SOCRadar Threat Research Unit (STRU) published its complete report that reveals exactly how INC and Lynx used a measurable, tracked spend on AI credits, an entire swarm of autonomous agents pointed at one target with a deliberate model-selection strategy (cheap model for high-volume scanning, a frontier model reserved for deep code review), and active jailbreak research to defeat model safety controls.

Today’s complete report also puts an identity and a profile behind the coordinating operator and lays out the full internal hierarchy by role.  

Key points:

  • Attribution: STRU assesses with high confidence that FortiBleed is a joint operation run by affiliates of the Lynx and INC ransomware groups.
  • How they know: an OPSEC failure exposed the group’s own artifacts, including a single Windows workstation used to access both ransomware panels and negotiate ransoms. A second exposed INC directory shared victims with FortiBleed target lists, and Lynx is widely believed to be an evolved variant of INC.
  • The operator: an actor we track as TOXMAN (also TOXFOX, and Greenprawn100 on the Exploit[.]in forum), with Russian-language tooling and activity in the UTC +3 time zone.
  • Organized like a business: an internal tracking file mapped 20+ affiliates in defined roles, backed by 450+ operational servers.
  • Scale: roughly 11,250 FortiGate portals scanned across 150+ countries, leading to 409 administrative accesses and 12 organizations encrypted for ransom.
  • Heavy AI investment: about $4,554 spent on AI model credits, including 14 autonomous AI agents pointed at a single target, jailbreak use to bypass model safety controls, and a likely zero-day now in responsible disclosure.
  • Quiet by design: default admin credentials and a VPN-to-management pivot turn one firewall login into full domain compromise, and because the logins are real they rarely trip a perimeter alarm.
  • Who is targeted: opportunistic, small-to-mid-market firms, with managed service providers and manufacturers prized for lateral access into their customers.

For full details, please see the new report: FortiBleed Unmasked: A Joint Operation by Lynx and INC Ransomware Group. A pdf of the report can be found here.  

Leave a Reply

Discover more from The IT Nerd

Subscribe now to keep reading and get access to the full archive.

Continue reading