Supercomputing on a Credit Card: How the AI Rush Enabled the Massive FortiBleed Campaign
Executive Summary
- Following Hudson Rock’s initial ethical disclosure of the FortiBleed campaign, which exposed 75,000 compromised Fortinet firewalls, deeper analysis into the threat actor infrastructure reveals a chilling reality regarding modern cryptographic attacks.
- The attackers bypassed traditional encryption by renting a massive, decentralized GPU cluster via Vast.ai, weaponizing the hardware boom created by the GenAI industry.
- Operating 36 enterprise class GPUs managed via Telegram, the operators achieved commoditized super-computing power, capable of cracking hundreds of billions of hashes per second on a minuscule budget.
- Compromised edge devices are serving as devastating beachheads, enabling attackers to pivot laterally into connected supply chains and third-party vendors.
- Initial access to Fortinet servers has long been a commoditized product fueled by infostealer logs, but this campaign scales it to an industrial level.
When Hudson Rock researchers first disclosed the FortiBleed campaign, the cybersecurity community was staggered by the sheer volume. Exposing valid credentials for nearly 75,000 internet facing Fortinet FortiGate firewalls across 21,632 domains was an unprecedented compromise of global enterprise gateways.
But beyond the raw numbers, the mechanics of how the threat actors processed this data reveal a profound paradigm shift in cybercrime. The cybersecurity industry is heavily focused on advanced GenAI malware and deepfakes while often ignoring a much more practical operational risk: the commoditization of supercomputer class infrastructure.
The Terrifying Asymmetry of Cheap Compute
Historically, executing massive cryptographic attacks, processing billions of mathematical operations per second to break encryption, required building custom hardware arrays or investing tens of millions into supercomputers. That level of industrial scale cryptographic power was the exclusive domain of state sponsored intelligence agencies.
Today, a financially motivated Initial Access Broker with sloppy OPSEC and a credit card can simply rent that exact same capability by the hour. This creates a terrifying asymmetry: attackers operating with capital-efficient, highly leveraged models can now completely bypass the bloated, high-burn legacy security stacks most enterprises rely on.
Instead of building a massive password cracking server, the FortiBleed attackers waited until they had harvested a massive trove of encrypted configuration files from exposed Fortinet devices. They then turned to the decentralized cloud compute provider Vast.ai to rent raw, enterprise grade AI hardware.
They spun up six high powered worker instances on demand, consisting of three instances with 4 GPUs each and three with 8 GPUs each. This created a distributed cluster of 36 enterprise class GPUs managed entirely via a Telegram bot.
By running parallel jobs through the open source framework Hashtopolis, the attackers were able to process massive volumes of stolen data at a velocity that traditional security models simply fail to account for.
An Entirely AI Driven Pipeline
The reliance on the AI boom did not stop at the hardware. Analysis of the attacker infrastructure reveals that the threat actors utilized AI assisted code editors like Cursor to write the scripts and Telegram bots that managed their massive cracking cluster. Furthermore, once they obtained the plaintext passwords and pivoted into the internal networks, the operators utilized open source agentic penetration testing frameworks to automate their Active Directory enumeration.
This means the operators used AI to write their management code, AI pentesting frameworks to map the internal networks, and AI boom GPU clusters to crack the passwords. It is a highly optimized, fully modern intrusion pipeline.
The Cryptographic Math: Billions of Hashes per Second
To put this into perspective, we must look at the raw hash cracking velocity this rented cluster provided. GPUs are exceptionally efficient at parallelized integer math, which is the foundation of password cracking. At current market rates on Vast.ai, renting an enterprise-class RTX 4090 costs approximately $0.40 per hour. This means the entire 36-GPU cluster cost the attackers roughly $14.40 per hour, or under $350 for a full day of operation – a trivial operational expense for the devastating access it provided.
- Legacy Fortinet Hashes (Salted SHA-256): For years, Fortinet used a custom salted SHA-256 implementation. Running in perfect parallel, a 36 GPU cluster composed of modern hardware (like RTX 4090s) is capable of processing up to 720 billion raw hashes every single second. At these speeds, standard complex passwords are mathematically exhausted in a matter of minutes.
- Modern Fortinet Hashes (PBKDF2): Newer FortiOS versions utilize PBKDF2, an algorithm designed to intentionally bog down GPU performance. Yet, even with the algorithm actively fighting the hardware, the distributed cluster still produced a combined output of roughly 180 million to 360 million hashes per second. This allows attackers to run massive, highly targeted dictionary and rule based attacks against internal network credentials in seconds.
This is what commoditized super-computing on a credit card looks like. They ingested exported FortiOS configuration files, instantly exposed the plaintext passwords of firewall administrators, and subsequently deployed network sniffers to capture and crack roughly 143,000 Kerberos and 33,000 NetNTLM hashes targeted directly at internal domain controllers.
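To make the figures above concrete from the defender's side, here is an added worked example (not Hudson Rock's code, and not the attackers' tooling). It takes the numbers the article quotes, 36 GPUs at about $0.40 per hour, roughly 720 GH/s against the legacy salted SHA-256 scheme and 180 to 360 MH/s against PBKDF2, and answers two questions a password policy owner cares about: how long a random password of a given length and alphabet survives exhaustive search on that cluster, what the search would cost in rental fees, and the minimum length needed to survive a year of it. The alphabet sizes and the one-year horizon are my own assumptions, and the calculation is a worst-case exhaustive search, so a dictionary or rule attack against a weak password finishes far sooner.

```python
"""Added example, not code from Hudson Rock or from the FortiBleed operators.

Turns the article's figures (36 rented GPUs at ~$0.40/h, ~720 GH/s against the
legacy salted SHA-256 scheme, ~180-360 MH/s against PBKDF2) into time-to-exhaust,
rental cost, and the minimum random-password length that survives a chosen horizon.
"""

GPU_COUNT = 36
GPU_USD_PER_HOUR = 0.40            # Vast.ai RTX 4090 rate cited in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Combined cluster throughput in hashes per second, as stated in the article.
CLUSTER_RATES = {
    "legacy_salted_sha256": 720e9,
    "pbkdf2_low": 180e6,
    "pbkdf2_high": 360e6,
}

# Alphabet sizes for common password compositions (assumed policy classes).
ALPHABETS = {
    "digits": 10,
    "lower": 26,
    "alnum": 62,
    "printable": 95,
}


def cluster_hourly_cost(gpus=GPU_COUNT, usd_per_gpu_hour=GPU_USD_PER_HOUR):
    """Hourly rental cost of the whole cluster (36 * 0.40 = 14.40 USD)."""
    return gpus * usd_per_gpu_hour


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate):
    """Worst-case seconds to try every candidate at `rate` hashes per second."""
    return keyspace(alphabet_size, length) / rate


def cost_to_exhaust(alphabet_size, length, rate):
    """Rental cost in USD of a full exhaustive search at `rate`."""
    hours = seconds_to_exhaust(alphabet_size, length, rate) / 3600
    return hours * cluster_hourly_cost()


def min_length_to_survive(alphabet_size, rate, horizon_seconds=SECONDS_PER_YEAR):
    """Smallest length whose keyspace cannot be exhausted within the horizon."""
    length = 1
    while seconds_to_exhaust(alphabet_size, length, rate) <= horizon_seconds:
        length += 1
    return length


def report(alphabet="printable", length=8):
    """Readable comparison of the legacy and PBKDF2 rates for one policy."""
    size = ALPHABETS[alphabet]
    lines = [f"{length}-char {alphabet} password, keyspace {keyspace(size, length):.3g}"]
    for name, rate in CLUSTER_RATES.items():
        secs = seconds_to_exhaust(size, length, rate)
        usd = cost_to_exhaust(size, length, rate)
        lines.append(f"  {name:<22} {secs / 3600:>12.1f} h  ${usd:>10,.2f}  "
                     f"(survives 1 year from length {min_length_to_survive(size, rate)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"cluster rental: ${cluster_hourly_cost():.2f}/h")
    print(report("alnum", 8))
    print(report("printable", 8))
```

Run as a script it prints the comparison for 8-character alphanumeric and full-printable passwords. The point the table makes is the one the article makes in prose: against the legacy scheme an 8-character alphanumeric password falls in about five minutes for roughly a dollar of rental, while PBKDF2 pushes the same search out to months, which is why the hashing algorithm on the device matters as much as the password policy.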
The Supply Chain Blast Radius
While the initial credential cracking of the FortiGates is an impressive technical feat, the real enterprise panic sets in when connecting the dots to what happens next. These compromised edge devices serve as the perfect beachhead for lateral movement.
Attackers aren’t just stopping at the initial perimeter. They are using these access points to pivot into third-party vendors, managed service providers (MSPs), and trusted partners. If a company’s trusted vendor is one of the thousands exposed in this campaign, the risk is immediately inherited. This domino effect transforms a localized firewall issue into a cascading supply chain crisis, highlighting the absolute necessity of continuous, real-time supply chain monitoring.
The Irony of the GenAI Craze
Renowned cybersecurity researcher Kevin Beaumont recently highlighted this exact dynamic in his own analysis of the FortiBleed infrastructure on DoublePulsar.
In his update on the victim organizations, Beaumont points out the dark irony of the current tech landscape:
“This is a side impact of the drunk GenAI stupidity gripping organisations worldwide… Get a VISA card, rent by the hour and log in a few minutes later. All your irreversibly encrypted passwords aren’t looking so hot in the age of on demand compute at scale…
Organisations are constantly worrying about Generative AI threats, but this incident has tens of thousands of organisations without even multi-factor authentication set up… Generative AI craze has lowered the bar so Mr Bean can crack passwords quickly using his mum's credit card. Thanks, Sam Altman.”
The Commoditization of Initial Access
While the scale of FortiBleed is unprecedented, the underlying business model is not new. Initial access to Fortinet servers has long been commoditized data, frequently packaged and sold on underground cybercrime forums. Threat actors operate in a highly structured economy where network compromise is treated as a volume business.
For instance, Initial Access Brokers like the Russian speaking threat actor “SantaAd” are regularly observed selling bulk access to compromised Fortinet devices to ransomware affiliates and other cybercriminals.
FortiBleed represents the weaponization of this exact business model. By pairing commoditized Initial Access Broker tactics with rented, enterprise grade AI hardware, the attackers industrialized the entire process from scanning to cracking to sales.
Identity & Infostealers: The Engine and The Fuel
From a practical security perspective, the FortiBleed campaign underscores a fundamental truth that we continually emphasize at Hudson Rock: Perimeter defenses are only effective if their authentication mechanisms are secure.
This raw compute power isn’t operating in a vacuum—it is being fueled by the massive, existing underground economy of infostealer logs. Attackers heavily relied on old, harvested credentials to gain that initial configuration access. In this highly effective cybercrime ecosystem, the rented GPUs are just the engine; the harvested credentials are the fuel.
When an attacker possesses a valid plaintext credential, whether systematically cracked from config files or harvested wholesale via Infostealer malware infections, traditional signature based network defenses become blind. The threat actors do not need to exploit a complex zero day vulnerability; they simply walk through the front door using valid, authorized accounts. The speed at which Initial Access Brokers operate today means organizations have zero margin for error.
Technical Triage Protocol
For exhausted incident responders dealing with a disclosure campaign of this sheer magnitude, separating signal from noise is critical. If your organization is on the exposure list, implement this high-level triage protocol immediately:
- Audit for Anomalous Config Exports: Review system event logs for unexpected configuration backups or exports; exporting the configuration was the primary method attackers used to harvest hashes.
- Hunt for Credential Reuse Pivoting: Cross-reference active administrative accounts against known infostealer exposures. Attackers frequently rely on old, harvested credentials to gain that initial foothold.
- Force Rotation and Scrutinize MFA: Treat any exposed configuration as a full credential compromise. Enforce a mandatory password reset for all firewall administrators and audit MFA configurations for bypasses or dormant accounts.
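The first two steps of the protocol above can be scripted. The following is an added example (not Hudson Rock's tooling) of a small triage helper: it parses FortiOS-style key="value" event log lines, flags configuration backup or export events, scores them higher when they happen outside an assumed maintenance window or under an account that appears in infostealer logs, and lists every administrator account seen in the logs together with the source addresses it connected from. The log lines, the exposure list and the maintenance window are all constructed for the example; the field names follow the FortiOS key="value" convention, but the specific values are not taken from any real device, and the keyword match on "backup" and "export" is an assumption to tune against your own firmware's log descriptions.

```python
"""Added example, not Hudson Rock's code: triage FortiOS-style event logs for
configuration exports and cross-reference admin accounts against stealer exposures.
"""
import re
from collections import defaultdict

# Constructed sample of FortiOS-style event log lines (not real device output).
SAMPLE_LOGS = """\
date=2025-11-03 time=02:14:07 type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="GUI(203.0.113.5)" action="login" status="success" msg="Administrator admin logged in successfully from GUI(203.0.113.5)"
date=2025-11-03 time=02:14:31 type="event" subtype="system" level="information" logdesc="Configuration backed up" user="admin" ui="GUI(203.0.113.5)" action="backup" msg="Configuration backed up to local"
date=2025-11-03 time=09:01:12 type="event" subtype="system" level="information" logdesc="Admin login successful" user="netops" ui="ssh(10.0.0.8)" action="login" status="success" msg="Administrator netops logged in successfully from ssh(10.0.0.8)"
date=2025-11-03 time=09:03:44 type="event" subtype="system" level="notice" logdesc="Object attribute configured" user="netops" ui="ssh(10.0.0.8)" action="Edit" msg="Edit firewall.policy 12"
date=2025-11-03 time=10:30:00 type="event" subtype="system" level="information" logdesc="Configuration backed up" user="netops" ui="GUI(10.0.0.8)" action="backup" msg="Configuration backed up to local"
date=2025-11-03 time=23:58:02 type="event" subtype="system" level="information" logdesc="Configuration backed up" user="svc_backup" ui="GUI(198.51.100.77)" action="backup" msg="Configuration backed up to local"
"""

# Constructed result of a stealer-log lookup: admin usernames known to be exposed.
EXPOSED_USERNAMES = {"admin"}

# Assumed maintenance window in device-local hours; exports outside it score higher.
MAINTENANCE_HOURS = range(8, 19)

# key=value or key="quoted value" tokens, as FortiOS writes them.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of string fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def is_config_export(rec):
    """Heuristic: any backup/export wording in the descriptive fields."""
    text = " ".join(rec.get(k, "") for k in ("logdesc", "action", "msg")).lower()
    return any(word in text for word in ("backup", "backed up", "export"))


def source_ip(rec):
    """Extract the address inside ui="GUI(1.2.3.4)" / ui="ssh(1.2.3.4)"."""
    m = re.search(r"\(([^)]+)\)", rec.get("ui", ""))
    return m.group(1) if m else ""


def triage(log_text, exposed=EXPOSED_USERNAMES, window=MAINTENANCE_HOURS):
    """Return config-export findings plus the admin accounts seen and their sources."""
    findings = []
    admins = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        user = rec.get("user", "")
        ip = source_ip(rec)
        if user:
            admins[user].add(ip)
        if not is_config_export(rec):
            continue
        hour = int(rec.get("time", "00:00:00").split(":")[0])
        reasons = []
        if hour not in window:
            reasons.append("outside maintenance window")
        if user in exposed:
            reasons.append("account present in infostealer logs")
        findings.append({
            "time": f"{rec.get('date', '')} {rec.get('time', '')}",
            "user": user,
            "src": ip,
            "severity": "high" if reasons else "review",
            "reasons": reasons,
        })
    return {
        "config_exports": findings,
        "admins_seen": {u: sorted(ips) for u, ips in admins.items()},
        "exposed_admins": sorted(u for u in admins if u in exposed),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOGS)
    for f in result["config_exports"]:
        print(f"{f['severity']:<6} {f['time']} user={f['user']} src={f['src']} {f['reasons']}")
    print("admins seen:", result["admins_seen"])
    print("admins in stealer logs:", result["exposed_admins"])
```

Every export is reported so nothing is silently dropped; the "high" severity only adds the two signals the protocol calls out (off-hours activity and an account already present in stealer logs), and the admins_seen map gives the responder the list to rotate in step three.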
🚨 Free Look-Up Tool for Affected Organizations
Because of the critical nature of this massive campaign, Hudson Rock is committed to performing ethical disclosures for affected organizations.
We have launched a dedicated portal where companies can verify if their domains are part of this compromised dataset. Following confirmation of impact, organizations can reach out directly through the tool to receive a full ethical disclosure regarding their exposure.
The free Hudson Rock lookup portal for affected organizations.
Example: Verifying if an organization like Comcast was compromised in the breach.