A mirror of the Belsen Group FortiGate configs leak

In January 2025, a new account popped up on BreachForums and claimed to freely share leaked configuration details (incl. passwords, configurations, etc.) from 15k FortiGate devices on the internet. This leak was genuine but misleading as the configuration data is confirmed real, but was from 2022 (collected after CVE-2022-40684 was exploited as a zero-day) and is not complete (ex. several countries are conspicuously missing or underrepresented, such as Iran and Russia). This leak was made available for free on the Belsen Group’s Tor site. FortiNet published an advisory and their analysis here shortly after the leak was published.

I went hunting for real copies of the FortiGate.zip file leaked by Belsen Group after I noticed SmartLoader-laden lures posted on GitHub, and the Belsen Group’s Tor site was unbearably slow as people clamored to get the file to study (and the Belsen Group doesn’t offer HTTP Range support for resumable downloads - lame!), so my download repeatedly failed.

Thankfully, an anonymous benefactor was able to complete their download and kindly sent over a copy of the data to me. I’ve mirrored it and created a torrent, so researchers can (safely) deep dive and learn from this leak without fighting through a glacial download, hunting through dead links, or paying a fee(?!)). You can find the torrent file and magnet link at the top of the page.

There is a ton of interesting information you can extract - not only passwords, but IPsec VPN tunnels, DDNS, etc. that can help InfoSec practicioners assess impact to their business or customers, as well as allowing researchers to study the in-the-wild network security posture of companies globally.

File Tree Sample

% tree FortiGate
FortiGate
├── AE
│   ├── 109.177.208.227_443
│   │   ├── config.conf
│   │   └── vpn-passwords.txt
│   ├── 151.253.137.138_443
│   │   ├── config.conf
│   │   └── vpn-passwords.txt
│   ├── 151.253.141.203_443
│   │   └── config.conf
│   ├── 151.253.141.2_8443
│   │   └── config.conf
... (continues for 15,574 leaked configs)

Leaked servers are grouped by country. The config.conf in each file is purportedly original, and (where applicable) Belsen Group created vpn-passwords.txt with the list of any passwords identified in the config.

Config Sample

% cat FortiGate/AE/109.177.208.227_443/config.conf 
#config-version=FGT60E-7.0.0-FW-build0066-210330:opmode=0:vdom=0:user=Local_Process_Access
#conf_file_ver=175681342316356
#buildno=0066
#global_vdom=1
config system global
    set alias "FGT60E4Q16037415"
    set fgd-alert-subscription advisory latest-threat
    set hostname "FGT60E4Q16037415"
    set switch-controller enable
    set timezone 04
end
config system accprofile
    edit "prof_admin"
        set authgrp read-write
        set sysgrp read-write
        set netgrp read-write
        set loggrp read-write
        set fwgrp read-write
        set vpngrp read-write
        set utmgrp read-write
        set wifi read-write
    next
end
config system npu
end
config system interface
    edit "wan1"
        set vdom "root"
        set mode pppoe
        set allowaccess https
... (continues for 6911 more lines)

VPN Passwords Sample

% cat FortiGate/AE/109.177.208.227_443/vpn-passwords.txt 
-=-= Belsen Group -=-=

muzamilabbas:MunKuntoMola@!!)2022
wajidabbas:DxBPaK*@)@)5060
mshaheer:$Ecu@!ty(^@287
bilalashraf:bil@l@shr@f12
adeel:P00Ja@1947@o
gms1:Dj)nN8SD*
gms2:k0ti*&^%9060
gms3:J0th*&^%9060
fortinet:F0rt!n!t@1994

Notes

As of January 22nd, Belsen Group is now charging $100 for original copies this leak, presumably due to demand. Please enjoy this torrent - free forever as long as people can help seed - and consider donating to charity instead.

What happened to "information wants to be free?"

Considered Risks

This should not introduce substantial risk, as:

The leak was already available, for free, as published by the Belsen Group on their Tor site (ex. I am not leaking the data, only mirroring it), and
People had already started sharing the leak publicly through sites like Google Drive and SwissTransfer, and
FortiNet’s advisory highlights the risk of the leak is “small” given the amount of time all impacted customers will have had to remediate (over 2 years)

From FortiNet’s advisory:

The threat actor has leaked data obtained in dated campaigns that has been aggregated to appear like a new disclosure. Our analysis of the devices in question show that the majority have long since upgraded to newer versions. If your organization has consistently adhered to routine best practices in regularly refreshing security credentials and taken the recommended actions in the preceding years, the risk of the organization’s current config or credential detail in the threat actor’s disclosure is small. We continue to strongly recommend that organizations take the recommended actions, if they have not already, to improve their security posture.

HTTPS Download

If you cannot use a torrent client, you can download FortiGate.zip from my GetRight server, though I rate limit it whenever usage gets too high. Where possible, use torrents!