CoinbaseCartel

CoinbaseCartel is a data extortion crew that emerged in September 2025. Reporting cited in the content describes it as focused on data theft and extortion rather than traditional ransomware, and states that it does not use ransomware during attacks. The group reportedly relies on stolen credentials and social engineering for initial access. Halcyon and Fortinet FortiGuard Labs assess CoinbaseCartel as an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems; one report further describes it as a data-theft offshoot of the larger Scattered Lapsus$ Hunters collective. The content states that the group has attempted to extort more than 100 companies since September 2025, and another cited report says it has amassed 170 victims. Mentioned victim sectors include healthcare, technology, transportation, manufacturing, business services, and specifically FinTech and crypto-adjacent organizations. Reported incidents and claims include Grafana Labs, SK Telecom, and Renesas Electronics. In the SK Telecom case, the group claimed in October 2025 to have infiltrated the company through a compromised Bitbucket account and stolen 19.6 MB of source code, project files, Dockerfiles, and AWS keys. In May 2026, CoinbaseCartel listed Grafana Labs on its dark web site and claimed responsibility for an intrusion involving theft of code from Grafana’s GitHub environment. The content also notes that CoinbaseCartel’s activity increased from 37 incidents in March 2026 to 45 incidents in April 2026. Known alias in the provided content: coinbasecartel.