Skip to content
You can now search across every topic, entity and event.What's new
Lynx
Organisation

Lynx

Ransomware-as-a-service crew; shares an operator and code lineage with INC Ransom.

Last refreshed: 14 July 2026

Key Question

Same operator, two ransomware brands: is Lynx really separate from INC Ransom?

Timeline for Lynx

#108 Jul

One operator ran both ransomware brands

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
Is Lynx ransomware the same group as INC Ransom?
No. Lynx and INC Ransom are separate brands with their own leak sites, but SOCRadar found in July 2026 that they share code lineage and one operator running both groups' negotiation panels.Source: SOCRadar
What is the Lynx ransomware group?
Lynx is a ransomware-as-a-service crew active since mid-2024, running double-extortion attacks (encrypt then threaten to leak data) from its own dark-web leak site.Source: SOCRadar
How is Lynx connected to the FortiBleed breach?
SOCRadar found that Lynx and INC Ransom share one operator, who ran negotiation panels for both, and traced 12 confirmed ransomware deployments from the FortiBleed FortiGate credential haul to the two brands.Source: SOCRadar

Background

Lynx is a ransomware-as-a-service operation that surfaced in mid-2024, running its own dark-web leak site and its own double-extortion model: encrypt victim systems, exfiltrate data, then threaten publication to force payment. It operates as a distinct brand with its own victim postings, negotiation panels and public identity, separate from the older INC Ransom crew.

Analysts have long noted code-lineage overlap between Lynx and INC Ransom, pointing to shared tooling and, as of July 2026, a shared operator. The two remain separate criminal brands rather than one group operating under two names.

Lynx's current relevance stems from the FortiBleed credential-harvesting campaign. Threat-intelligence firm SOCRadar found in July 2026 that a single operator ran the negotiation panels for both Lynx and INC Ransom, tying the 86,644-credential FortiGate haul to confirmed ransomware deployments rather than a dormant hit list.

SOCRadar traced the FortiBleed access chain to admin-level compromise on 409 targets and a completed attack chain on 354, with at least 12 confirmed ransomware deployments split across the INC Ransom and Lynx brands. The finding is the first confirmed case of the FortiBleed harvest converting into live encryption events rather than remaining unused.

More questions
When did Lynx ransomware first appear?
Lynx surfaced roughly a year after INC Ransom, which emerged in mid-2023, putting Lynx's debut at around mid-2024.Source: SOCRadar