a campaign called fortibleed, active since at least february 2026, deployed custom credential-harvesting tools against fortigate firewalls worldwide, compromising over 430,000 devices and extracting more than 80,000 vpn credentials. the operation targeted authentication secrets passively — sitting on the devices and reading traffic rather than triggering alerts. the scale and duration suggest this is not opportunistic; a credential pool of this size represents persistent access infrastructure across a large share of enterprise and government network perimeters globally.