As tax filing approaches, hackers target US taxpayers


A Russia-linked ransomware gang claims to have stolen tax return data and Social Security numbers from a 75-year-old Massachusetts accounting firm, and now it’s waiting to be paid.

With tax filing season on the way, cybercriminals are not hesitating to target taxpayers and accounting firms.

The Lynx ransomware gang recently targeted the long-standing accounting firm CSA Tax & Advisory in Massachusetts, which specializes in tax services.

The notice appeared on December 26th on the gang's leak site on the dark net, claiming the gang had exfiltrated data belonging to the company and its clients. Ransomware gangs commonly use this tactic to coerce victims into paying a ransom, and that seems to be the case for Lynx as well. On its website, the gang claims to have a clear intention to avoid undue harm to organizations.

“Our operational model encourages dialogue and resolution rather than chaos and destruction,” it says.

The company has not yet publicly confirmed the breach. Cybernews has reached out for comment, and we are awaiting a response.

[Image: CSA Tax & Advisory ransomware. Screenshot by Cybernews]

What data has allegedly been stolen?

As proof of the attack, the gang provided screenshots of data allegedly belonging to the company. Cybernews examined the data samples, and the stolen data may include:

  • Full names
  • Social Security numbers (SSNs)
  • Physical addresses
  • Spousal health care coverage agreements
  • Invoices for services
  • Individual income tax return data
  • IRS e-file signature authorization forms
  • Internal corporate correspondence

If the data proves to be legitimate, this puts CSA’s clients at risk of phishing attacks and identity theft.

“Such data could make phishing attacks incredibly convincing. Imagine getting a call from someone who knows your address, your spouse's name, and specifics about your recent tax filing. You'd trust them,” said the Cybernews research team.

What is Lynx ransomware?

Caught on the radar in mid-2024, the gang operates as ransomware-as-a-service (RaaS) and is known to target organizations in the finance, architecture, and manufacturing sectors.

According to Cybernews' in-house surveillance tool, Ransomlooker, the gang has listed 294 victims since 2024, and is among the key players in the ransomware scene.

Previously, the gang claimed to have breached the systems of healthcare giant Henry Schein’s TriMed, leaking sensitive data onto the dark web, which TriMed later confirmed.

The gang also claimed a well-known British construction company, Dodd Group, as one of its latest victims.

In September, Lynx claimed to have stolen data from the largest US sushi and seafood provider, the True World Group LLC.

Other alleged Lynx victims include Dollar Tree; America’s second-largest egg producer, Rose Acre Farms; and a major CBS affiliate, WDEF-TV.

