
Lynx
Ransomware-as-a-service crew; shares an operator and code lineage with INC Ransom.
Last refreshed: 14 July 2026
Same operator, two ransomware brands: is Lynx really separate from INC Ransom?
Timeline for Lynx
One operator ran both ransomware brands
Cybersecurity: Threats and DefencesIs Lynx ransomware the same group as INC Ransom?
What is the Lynx ransomware group?
How is Lynx connected to the FortiBleed breach?
Background
Lynx is a ransomware-as-a-service operation that surfaced in mid-2024, running its own dark-web leak site and its own double-extortion model: encrypt victim systems, exfiltrate data, then threaten publication to force payment. It operates as a distinct brand with its own victim postings, negotiation panels and public identity, separate from the older INC Ransom crew.
Analysts have long noted code-lineage overlap between Lynx and INC Ransom, pointing to shared tooling and, as of July 2026, a shared operator. The two remain separate criminal brands rather than one group operating under two names.
Lynx's current relevance stems from the FortiBleed credential-harvesting campaign. Threat-intelligence firm SOCRadar found in July 2026 that a single operator ran the negotiation panels for both Lynx and INC Ransom, tying the 86,644-credential FortiGate haul to confirmed ransomware deployments rather than a dormant hit list.
SOCRadar traced the FortiBleed access chain to admin-level compromise on 409 targets and a completed attack chain on 354, with at least 12 confirmed ransomware deployments split across the INC Ransom and Lynx brands. The finding is the first confirmed case of the FortiBleed harvest converting into live encryption events rather than remaining unused.