a russian initial access broker has been running a credential harvesting campaign against fortigate firewall infrastructure since february, with 430,000 devices exposed, 80,000 identified as targets, and over 19,000 still actively exploited as of late june. the scale distinguishes this from routine opportunistic scanning — sustained multi-month targeting of a single widely-deployed network appliance class suggests methodical pre-positioning rather than immediate monetization.