Coinbase Cartel
Coinbase Cartel is a cyber-extortion group, also tracked as STORM-2981, that emerged around September 2025. The reporting tracked here consistently describes it as a data-exfiltration-only, data-theft-focused extortion actor that rejects or deemphasizes the traditional ransomware model: it typically leaves victim systems available rather than deploying encryptors. The group applies pressure through a dedicated leak site and staged disclosure, tracking victims through statuses such as "Active," "Leaking," and "Leaked," and has claimed in some cases to hold multi-terabyte datasets. Victim counts differ across sources: one states the group has claimed more than 60 victims, another more than 100. Coinbase Cartel has targeted organizations in multiple regions, including South Korea, the United States, and Slovenia, and is described as having a history of targeting technology companies and publishing stolen code on data leak sites. A documented example in this reporting is the May 2026 Grafana Labs incident, in which Coinbase Cartel claimed responsibility after attackers used a compromised GitHub token to access Grafana’s GitHub environment and source code repositories, then attempted to extort the company by threatening to publish the stolen code. Researchers have also linked Coinbase Cartel to the broader ecosystem around ShinyHunters, Scattered Spider, and Lapsus$, though no firm attribution beyond that linkage is stated.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
6 distinct techniques observed across reporting, grouped by tactic.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
- Ransomware group claiming attacks across multiple regions, including victims in South Korea, the United States, and Slovenia.
- Data-theft and extortion group that claimed the Grafana breach, listed the victim on its leak site, and demanded ransom to prevent publication of stolen source code. The group is described as active since at least September 2025 and as focusing on stealing data and extorting companies rather than encrypting systems.
- Cyber-extortion group that claimed the Grafana Labs breach, allegedly accessed Grafana Labs’ GitHub environment, downloaded the company’s codebase, and threatened to leak the stolen code unless a ransom was paid. The group is described as having a history of targeting technology companies and publishing stolen code on data leak sites.
- Extortion-only actor that rejects the ransomware label; uses staged/controlled disclosure with victim status tracking and a private verification phase; claims 'authorized access' suggesting credential/affiliate/insider-enabled access paths.
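The access path described above and in the profile, a stolen GitHub token used to pull source code repositories in bulk, leaves a recognisable trace in audit logs: one token cloning many distinct repositories in a short window from a source IP never seen for that identity. The following is an added detection example, not code from Mallory or from any of the cited reports; the event fields, the IP baseline and the sample records are constructed for illustration and only loosely resemble a real GitHub audit log.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed baseline: source IPs previously seen for each actor.
KNOWN_IPS = {"ci-bot": {"203.0.113.10"}, "alice": {"203.0.113.25"}}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _ev(ts, actor, ip, repo, token, action="git.clone"):
    return {"ts": ts, "actor": actor, "ip": ip, "repo": repo, "token_id": token, "action": action}


# Constructed sample events (field names are assumptions, not GitHub's schema).
# pat_A: one token, new IP, five repos in 20 minutes -> the bulk-pull pattern.
# pat_B: legitimate developer cloning from a known IP. pat_C: one repo only.
SAMPLE_EVENTS = [
    _ev("2026-05-01T02:00:00Z", "ci-bot", "198.51.100.7", "org/api", "pat_A"),
    _ev("2026-05-01T02:03:00Z", "ci-bot", "198.51.100.7", "org/web", "pat_A"),
    _ev("2026-05-01T02:07:00Z", "ci-bot", "198.51.100.7", "org/infra", "pat_A"),
    _ev("2026-05-01T02:12:00Z", "ci-bot", "198.51.100.7", "org/billing", "pat_A"),
    _ev("2026-05-01T02:20:00Z", "ci-bot", "198.51.100.7", "org/auth", "pat_A"),
    _ev("2026-05-01T09:00:00Z", "alice", "203.0.113.25", "org/api", "pat_B"),
    _ev("2026-05-01T09:05:00Z", "alice", "203.0.113.25", "org/web", "pat_B"),
    _ev("2026-05-01T09:10:00Z", "alice", "203.0.113.25", "org/infra", "pat_B"),
    _ev("2026-05-01T09:15:00Z", "alice", "203.0.113.25", "org/billing", "pat_B"),
    _ev("2026-05-01T11:00:00Z", "alice", "198.51.100.9", "org/docs", "pat_C"),
    _ev("2026-05-01T11:01:00Z", "alice", "198.51.100.9", "org/docs", "pat_C", action="repo.access"),
]


def find_bulk_clones(events, known_ips, max_repos=3, window=timedelta(hours=1)):
    """Return one alert per token that cloned more than max_repos distinct
    repositories within `window` from an IP outside the actor's baseline."""
    by_token = defaultdict(list)
    for ev in events:
        if ev["action"] == "git.clone":
            by_token[ev["token_id"]].append(ev)
    alerts = []
    for token, evs in by_token.items():
        evs.sort(key=lambda e: _parse_ts(e["ts"]))
        for i, start in enumerate(evs):  # sliding window anchored at each clone
            end = _parse_ts(start["ts"]) + window
            in_win = [e for e in evs[i:] if _parse_ts(e["ts"]) <= end]
            repos = {e["repo"] for e in in_win}
            new_ips = {e["ip"] for e in in_win if e["ip"] not in known_ips.get(e["actor"], set())}
            if len(repos) > max_repos and new_ips:
                alerts.append({"token_id": token, "actor": start["actor"],
                               "ips": sorted(new_ips), "repo_count": len(repos)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_clones(SAMPLE_EVENTS, KNOWN_IPS):
        print(alert)
```

Tune `max_repos` and `window` to the organisation's normal clone volume; a known-IP baseline alone will not catch a token replayed from an approved CI range, so pair this with alerts on token creation and scope changes.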