Skip to main content

Operator dossier

Lynx is a ransomware operator currently active on public leak sites. Darkfield has indexed 414 public victims claimed by this operator between July 29, 2024 and June 18, 2026. Lynx is a relatively new ransomware group that emerged in July 2024, operating with apparent financial motivations and demonstrating rapid scaling capabilities with 397 documented victims within their first few months of operation. The group's origin and specific affiliations remain unclear due to their recent emergence, though their targeting patterns suggest a sophisticated operation that may operate independently rather than as a traditional Ransomware-as-a-Service model. Based on their victim distribution, Lynx appears to employ broad-spectrum targeting methodologies focusing heavily on English-speaking countries, with the United States, United Kingdom, Canada, Germany, and Australia representing their primary geographic targets, while concentrating their attacks on manufacturing, business services, technology, and transportation/logistics sectors, though specific technical details regarding their initial access vectors, encryption methods, and data exfiltration practices have not yet been extensively documented by major security research organizations. Due to the group's recent emergence, there are no widely reported major campaigns or high-profile incidents that have gained significant public attention from law enforcement agencies or established threat intelligence firms. As of late 2024, Lynx appears to remain active with no reported law enforcement disruptions or operational changes.

Most-targeted sectors

Most-affected countries

Recent disclosures by Lynx

Most recent 150 of 414 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Lynx

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Lynx

414 victims indexed · first seen 2 years ago · last activity 27 days ago

414
Victims indexed
#23 of 364 tracked operators
1y 11m
Active period
Jul 2024 → Jun 2026
30
Countries hit
top United States · 215

At a glance

Status
active
First seen
2 years ago
Last activity
27 days ago
Onion sites
17 known endpoints
Primary sector
Not Found · 103 hits

About

Lynx is a relatively new ransomware group that emerged in July 2024, operating with apparent financial motivations and demonstrating rapid scaling capabilities with 397 documented victims within their first few months of operation. The group's origin and specific affiliations remain unclear due to their recent emergence, though their targeting patterns suggest a sophisticated operation that may operate independently rather than as a traditional Ransomware-as-a-Service model. Based on their victim distribution, Lynx appears to employ broad-spectrum targeting methodologies focusing heavily on English-speaking countries, with the United States, United Kingdom, Canada, Germany, and Australia representing their primary geographic targets, while concentrating their attacks on manufacturing, business services, technology, and transportation/logistics sectors, though specific technical details regarding their initial access vectors, encryption methods, and data exfiltration practices have not yet been extensively documented by major security research organizations. Due to the group's recent emergence, there are no widely reported major campaigns or high-profile incidents that have gained significant public attention from law enforcement agencies or established threat intelligence firms. As of late 2024, Lynx appears to remain active with no reported law enforcement disruptions or operational changes.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-07-01T00:00:00+00:00 · 22024-08-01T00:00:00+00:00 · 212024-09-01T00:00:00+00:00 · 62024-10-01T00:00:00+00:00 · 132024-11-01T00:00:00+00:00 · 282024-12-01T00:00:00+00:00 · 162025-01-01T00:00:00+00:00 · 432025-02-01T00:00:00+00:00 · 392025-03-01T00:00:00+00:00 · 312025-04-01T00:00:00+00:00 · 312025-05-01T00:00:00+00:00 · 132025-06-01T00:00:00+00:00 · 222025-07-01T00:00:00+00:00 · 182025-08-01T00:00:00+00:00 · 142025-09-01T00:00:00+00:00 · 292025-10-01T00:00:00+00:00 · 142025-11-01T00:00:00+00:00 · 22025-12-01T00:00:00+00:00 · 142026-01-01T00:00:00+00:00 · 262026-02-01T00:00:00+00:00 · 102026-03-01T00:00:00+00:00 · 52026-04-01T00:00:00+00:00 · 52026-05-01T00:00:00+00:00 · 82026-06-01T00:00:00+00:00 · 1
2024-07-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
215
🇬🇧 United Kingdom
25
🇨🇦 Canada
23
🇩🇪 Germany
16
🇦🇺 Australia
16
🇫🇷 France
11
🇸🇬 Singapore
8
🇯🇵 Japan
8

Top sectors

Manufacturing
66
Business Services
50
Technology
35
Transportation/Logistics
24
Agriculture and Food Production
16
Energy
15
Construction
15
Healthcare
14

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

17 known
  • http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion
  • http://lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion/api/v1/blog/get/announcements?page=1&perPage=10
  • http://lynxblog.net
  • http://lynxblogco7r37jt7p5wrmfxzqze7ghxw6rihzkqc455qluacwotciyd.onion
  • http://lynxblogijy4jfoblgix2klxmkbgee4leoeuge7qt4fpfkj4zbi2sjyd.onion
  • http://lynxblogmx3rbiwg3rpj4nds25hjsnrwkpxt5gaznetfikz4gz2csyad.onion
  • http://lynxblogoxllth4b46cfwlop5pfj4s7dyv37yuy7qn2ftan6gd72hsad.onion
  • http://lynxblogtwatfsrwj3oatpejwxk5bngqcd5f7s26iskagfu7ouaomjad.onion
  • http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion
  • http://lynxblogxutufossaeawlij3j3uikaloll5ko6grzhkwdclrjngrfoid.onion
  • http://lynxch2k5xi35j7hlbmwl7d6u2oz4vp2wqp6qkwol624cod3d6iqiyqd.onion
  • http://lynxchatbykq2vycvyrtjqb3yuj4ze2wvdubzr2u6b632trwvdbsgmyd.onion
  • + 5 more endpoints

Source

Updated 27 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Lynx posts a victim.

Add Lynx to your watchlist — Pro pings you within 5 minutes of any new Lynx leak-site post, Telegram callout, or affiliate-rebrand inference.