{
	"id": "b9b5c29f-1276-4da2-941d-8d7d350accc5",
	"created_at": "2026-04-06T00:13:20.4964Z",
	"updated_at": "2026-04-10T03:31:46.668321Z",
	"deleted_at": null,
	"sha1_hash": "cec5d8d5b9cd2ed53b40f1a250aaa668cdf5042f",
	"title": "Linkc Ransomware: The New Cybercriminal Group Targeting Artificial Intelligence Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 248488,
	"plain_text": "Linkc Ransomware: The New Cybercriminal Group Targeting\r\nArtificial Intelligence Data\r\nBy RHC Dark Lab\r\nPublished: 2025-02-20 · Archived: 2026-04-05 18:11:36 UTC\r\nIn the DarkLab group’s underground analysis activity, we ventured onto an onion site that is apparently a Data\r\nLeak Site (DLS) of a new ransomware cyber gang.\r\nThis new actor called Linkc, was the author of a recent heist against H2O.ai. Their Data Leak Site-a minimalist\r\npage devoid of any further information-leaks only the essentials: a leak of sensitive data and source code\r\nbelonging to a company specialising in artificial intelligence.\r\nA New Group, Familiar Methods?\r\nEven though Linkc appears to be a brand-new group, their operation follows the well-known double extortion\r\nmodel:\r\nAdvertising\r\nhttps://www.redhotcyber.com/en/post/linkc-ransomware-the-new-cybercriminal-group-targeting-artificial-intelligence-data/#google_vignette\r\nPage 1 of 4\n\n1. Compromising and encrypting the victim organization’s systems.\r\n2. Stealing and gradually releasing sensitive data on a Data Leak Site.\r\nWhat’s novel in this case is the site’s extreme minimalism, featuring:\r\nA logo and a brief post\r\nDetails regarding the breach at H2O.ai\r\nNo additional sections (no FAQ, contact page, or “about us”)\r\nThis approach could serve operational security purposes (reduced traceability) and create a stronger media impact\r\nby showcasing the target and stolen data right away.\r\nThe First Alleged Victim: H2O.ai\r\nLinkc’s first reported target is a company specializing in the development of Machine Learning platforms and AI\r\nservices. 
According to the leak:\r\nNon-anonymized customer datasets were stolen, intended for AI model training.\r\nComplete source code from Git projects was exfiltrated, including software for autonomous driving and\r\nGPT models.\r\nAt present, we cannot confirm the accuracy of this information, as the organization has not released any official\r\npress statement on its own website regarding the incident. Therefore, this article should be viewed as an\r\n“intelligence source.”\r\nWhy H2O.ai Specifically?\r\nHigh Visibility: Targeting a company working in AI garners significant media attention.\r\nData Value: Proprietary datasets and AI source code are prime assets for unfair competition, industrial\r\nespionage, and cybercrime activity.\r\nReputational Pressure: Tech companies are often scrutinized—and sometimes penalized—for security\r\nbreaches.\r\nConclusions\r\nLinkc has made its debut on the cybercrime scene with an intimidating approach and a minimalist web presence.\r\nTheir choice to target H2O.ai highlights their inclination to go after organizations involved in Artificial\r\nIntelligence, potentially to monetize high-value data and technologies. For cybersecurity professionals, it is\r\nessential to:\r\nMaintain strict vigilance over AI platforms and sensitive assets\r\nInvestigate the Indicators of Compromise (IoCs) and TTPs of new groups like Linkc\r\nShare threat intelligence in real time, pooling resources and expertise to counter ransomware threats\r\nThe cybercrime world is constantly evolving, and Linkc is yet another confirmation of that trend. It remains to be\r\nseen whether this group will launch more high-profile attacks or focus on selected cases. 
In the meantime, security\r\nexperts must further refine their monitoring and defense tools, preparing for new digital extortion tactics.\r\nAs is our custom, we extend an invitation to the company involved to provide any updates on the incident. We will\r\nbe glad to publish those details in a dedicated article to shed more light on the situation.\r\nRHC will continue monitoring the matter to post any significant developments on the blog. Anyone with relevant\r\ninformation who wishes to remain anonymous can use the whistleblower’s encrypted email address.\r\nRHC Dark Lab is a group of experts from the Red Hot Cyber community dedicated to Cyber Threat Intelligence\r\nled by Pietro Melillo. Participating in the collective are Sandro Sana, Alessio Stefan, Raffaela Crisci, Vincenzo Di\r\nLello, Edoardo Faccioli. Their mission is to spread knowledge about cyber threats to improve the country's\r\nawareness and digital defences, involving not only specialists in the field but also ordinary people. The aim is to\r\ndisseminate Cyber Threat Intelligence concepts to anticipate threats.\r\nSource: https://www.redhotcyber.com/en/post/linkc-ransomware-the-new-cybercriminal-group-targeting-artificial-intelligence-data/#google_vignette",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.redhotcyber.com/en/post/linkc-ransomware-the-new-cybercriminal-group-targeting-artificial-intelligence-data/#google_vignette"
	],
	"report_names": [
		"#google_vignette"
	],
	"threat_actors": [
		{
			"id": "0e370d67-4094-4c0a-894d-8c14a6a5ad39",
			"created_at": "2025-03-21T02:00:03.845864Z",
			"updated_at": "2026-04-10T02:00:03.838595Z",
			"deleted_at": null,
			"main_name": "LinkC Pub",
			"aliases": [
				"LinkC"
			],
			"source_name": "MISPGALAXY:LinkC Pub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434400,
	"ts_updated_at": 1775791906,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cec5d8d5b9cd2ed53b40f1a250aaa668cdf5042f.pdf",
		"text": "https://archive.orkl.eu/cec5d8d5b9cd2ed53b40f1a250aaa668cdf5042f.txt",
		"img": "https://archive.orkl.eu/cec5d8d5b9cd2ed53b40f1a250aaa668cdf5042f.jpg"
	}
}