Disclosure context

About Lynx

Lynx is a relatively new ransomware group that emerged in July 2024, operating with apparent financial motivations and demonstrating rapid scaling capabilities with 397 documented victims within their first few months of operation. The group's origin and specific affiliations remain unclear due to their recent emergence, though their targeting patterns suggest a sophisticated operation that may operate independently rather than as a traditional Ransomware-as-a-Service model. Based on their victim distribution, Lynx appears to employ broad-spectrum targeting methodologies focusing heavily on English-speaking countries, with the United States, United Kingdom, Canada, Germany, and Australia representing their primary geographic targets, while concentrating their attacks on manufacturing, business services, technology, and transportation/logistics sectors, though specific technical details regarding their initial access vectors, encryption methods, and data exfiltration practices have not yet been extensively documented by major security research organizations. Due to the group's recent emergence, there are no widely reported major campaigns or high-profile incidents that have gained significant public attention from law enforcement agencies or established threat intelligence firms. As of late 2024, Lynx appears to remain active with no reported law enforcement disruptions or operational changes. The group has been linked to 410 public disclosures across our corpus. First observed on a leak site on July 29, 2024; most recent post May 10, 2026. The operation is currently active.

Timeline of this disclosure

March 13, 2026Keller Polska listed by Lynxon the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Construction sector, which has 415 disclosures indexed across all operators we track. Geographically, Keller Polska is reported in Poland, a country with 7 ransomware disclosures in our corpus.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.

Ransomware victim disclosure

← All victims

Keller Polska

Claimed by Lynx · listed 2 months ago

Age

since listed · data leaked

Status timeline

Listed
Mar 13, 2026
Data leaked

At a glance

Group: Lynx
Status: Data leaked
Country: Poland
Sector: Construction
Listed on leak site: Mar 13, 2026

About the victim

AI dossier — public-source company profile

Keller Polska is a Polish subsidiary of the global Keller Group, specialising in geotechnical engineering and foundation solutions. Operating for over 20 years, the company executes both small local projects and large-scale, economically significant infrastructure works across Poland and the broader Central/Eastern European region. As part of Keller Group, it benefits from global financial resources, technical know-how, and international reach.

Industry: Geotechnical Engineering & Construction

Attack summary

Severity: high — The disclosure status is 'data_published', indicating confirmed exfiltration and public release of company data. As a geotechnical contractor involved in major infrastructure projects, leaked data likely includes sensitive project, financial, and contractual information of significant business and potentially national-infrastructure relevance.

The Lynx ransomware group claims to have exfiltrated data from Keller Polska and has published the data, though no specific data volume or encryption claim is detailed in the post.

high

Data the group says was taken

AI dossier — extracted from the leak post

Corporate financial data
Project documentation
Business correspondence
Employee records
Client/contract information

What the group claims

Keller Polska, operating for over 20 years, is a leader in the geotechnical market in Poland and this part of Europe. We carry out both small local projects and the largest and most important for the economy. As one of the Keller Group companies, we also have the financial capabilities, know-how, skills and global reach to handle the most demanding projects.

Sources

Victim sitewww.kellerpolska.pl
Leak posthttp://lynxchatly4zludmhmi75jrwhycnoqvkxb4prohxmyzf4euf5gjxroad.onion/leaks/69ab22c69c439c5f45a86b32

Source

Indexed 2 months ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.