Operator dossier

Lynx is a ransomware operator currently active on public leak sites. Darkfield has indexed 410 public victims claimed by this operator between July 29, 2024 and May 10, 2026. Lynx is a relatively new ransomware group that emerged in July 2024, operating with apparent financial motivations and demonstrating rapid scaling capabilities with 397 documented victims within their first few months of operation. The group's origin and specific affiliations remain unclear due to their recent emergence, though their targeting patterns suggest a sophisticated operation that may operate independently rather than as a traditional Ransomware-as-a-Service model. Based on their victim distribution, Lynx appears to employ broad-spectrum targeting methodologies focusing heavily on English-speaking countries, with the United States, United Kingdom, Canada, Germany, and Australia representing their primary geographic targets, while concentrating their attacks on manufacturing, business services, technology, and transportation/logistics sectors, though specific technical details regarding their initial access vectors, encryption methods, and data exfiltration practices have not yet been extensively documented by major security research organizations. Due to the group's recent emergence, there are no widely reported major campaigns or high-profile incidents that have gained significant public attention from law enforcement agencies or established threat intelligence firms. As of late 2024, Lynx appears to remain active with no reported law enforcement disruptions or operational changes.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Lynx

410 victims indexed · first seen 2 years ago · last activity 11 days ago

410

Victims indexed

#23 of 348 tracked operators

1y 10m

Active period

Jul 2024 → May 2026

Countries hit

top United States · 178

At a glance

Status: active
First seen: 2 years ago
Last activity: 11 days ago
Onion sites: 17 known endpoints
Primary sector: Not Found · 102 hits

About

Lynx is a relatively new ransomware group that emerged in July 2024, operating with apparent financial motivations and demonstrating rapid scaling capabilities with 397 documented victims within their first few months of operation. The group's origin and specific affiliations remain unclear due to their recent emergence, though their targeting patterns suggest a sophisticated operation that may operate independently rather than as a traditional Ransomware-as-a-Service model. Based on their victim distribution, Lynx appears to employ broad-spectrum targeting methodologies focusing heavily on English-speaking countries, with the United States, United Kingdom, Canada, Germany, and Australia representing their primary geographic targets, while concentrating their attacks on manufacturing, business services, technology, and transportation/logistics sectors, though specific technical details regarding their initial access vectors, encryption methods, and data exfiltration practices have not yet been extensively documented by major security research organizations. Due to the group's recent emergence, there are no widely reported major campaigns or high-profile incidents that have gained significant public attention from law enforcement agencies or established threat intelligence firms. As of late 2024, Lynx appears to remain active with no reported law enforcement disruptions or operational changes.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/lynx

Timeline

21 months

2024-07-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

178

🇬🇧 United Kingdom

🇨🇦 Canada

🇩🇪 Germany

🇦🇺 Australia

🇸🇬 Singapore

🇮🇹 Italy

🇫🇷 France

United States dossier →United Kingdom dossier →Canada dossier →Germany dossier →

Top sectors

Not Found

102

Manufacturing

Business Services

Technology

Transportation/Logistics

Agriculture and Food Production

Energy

Construction

Not Found dossier →Manufacturing dossier →Business Services dossier →Technology dossier →

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

17 known

http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion
http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/api/v1/blog/get/announcements?page=1&perPage=10
http://lynxblog.net
http://lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion
http://lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion
http://lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion
http://lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion
http://lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion
http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion
http://lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion
http://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion
http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion
+ 5 more endpoints

Source

Updated 11 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.