Menu
Browse

Cyber Threat Actor: Lynx

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
United States of America
2 incidents
Profile

Lynx, also referred to asLynx Hacker, is a threat actor known by the alias Lynx and is reported to be based in the United States of America. The alias appears in both security research disclosures and ransomware activity, though the sources do not confirm that these refer to the same individual or group. The actor’s location is the only geographic detail explicitly provided in the context.

In the ransomware incident dated January 1 2025, Lynx was identified as the operator of a ransomware group that targeted an Australian auto parts manufacturer, claiming the theft of 350 gigabytes of internal operational data. The group employed double extortion tactics, threatening to publish the stolen data unless a payment was made, indicating a financially motivated objective. The same source notes that Lynx, described as a relatively new ransomware group, has claimed responsibility for attacks on over 100 entities worldwide, with additional Australian businesses among the victims.

The actor’s tactics, techniques, and procedures include exploiting a path traversal vulnerability in a web upload script used for product customizations, as demonstrated in the January 1 2020 breach of a mobile device case retailer. This initial access allowed the actor to retrieve employee resumes, approximately nine gigabytes of personal customer photos, Zendesk ticketing data, API credentials, and customer information such as hashed passwords, addresses, email addresses, phone numbers, and transaction records. In the ransomware case, the actor used ransomware malware to encrypt systems and exfiltrate data prior to encryption, following a double extortion model. No specific malware families, tools, or command‑and‑control infrastructure are detailed in the provided material. Attribution information is limited to the stated location in the United States; no public linkage to a state sponsor, criminal consortium, or other affiliations is presented in the sources. The actor’s nationality or any organizational ties remain unspecified beyond the geographic indicator.

Two publicly reported operations illustrate the actor’s activity: the 2020 data breach of Slickwraps achieved through a path traversal flaw in an upload script, and the 2025 ransomware attack on an Australian auto parts manufacturer involving data theft and double extortion. These examples represent the confirmed campaigns associated with the Lynx alias according to the available information.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source