A massive trove of stolen firewall configurations and VPN credentials from over 15,000 Fortinet devices has surfaced on the dark web—leaked by a threat actor calling itself the Belsen Group.
The 1.6GB archive, posted freely on the onion version of BreachForums, contains dated—but highly detailed—configuration data stolen from devices across more than 80 countries. Though much of the information was extracted over two years ago, researchers warn the dump still holds considerable value for threat actors aiming to profile corporate networks or stage targeted attacks.
The breach is believed to stem from the now-infamous CVE-2022-40684, a critical authentication bypass vulnerability affecting Fortinet’s FortiOS and FortiProxy systems. The flaw, which allowed unauthenticated remote access, was patched late in 2022—but not before zero-day attackers leveraged it extensively. According to analysts at CloudSEK, the Belsen Group likely exploited the flaw when it was still unknown to the public, harvested global configurations, and waited until January 2025 to leak them.
The archive includes two major components: a “config.conf” file containing device IPs, admin credentials, firewall rules, and certificates, and “vpn-password.txt”, listing stolen SSL-VPN credentials likely sourced from CVE-2018-13379, an even older path traversal bug.
While most of the data is considered “aged,” cybersecurity analyst Kevin Beaumont (aka GossiTheDog) warns that internal network maps, firewall logic, and cached admin credentials could still be useful for attackers—especially for supply chain targeting or reconnaissance.
The geopolitical profile of the leak raises eyebrows: out of 15,474 devices, only one device was traced to Russia, and none were from Iran—despite thousands of active Fortinet endpoints in both nations. Most of the victims are in the US, UK, Belgium, and Poland.
While Belsen Group is new to the public eye, CloudSEK believes they’ve operated under different names since at least 2022, potentially as a faction within a larger threat ecosystem. Their motivations remain unclear, but the leak’s tone was gleeful: “2025 will be a fortunate year for the world,” they wrote—ironically ignoring that the data was already stale.
Still, experts caution that while patches may have been deployed, network exposure, human error, or configuration reuse mean that buried secrets could still resurface in future campaigns.
