Dark Web Profile: CoinbaseCartel
CoinbaseCartel is a financially motivated threat actor that emerged on the Dark Web in September 2025. Unlike traditional ransomware groups, the group does not encrypt victim systems. Instead, it relies exclusively on data theft, threatening to publish exfiltrated data on its dark web leak site unless victims pay a ransom. This approach is commonly described as a single-extortion model.
The group’s name carries no connection to the legitimate cryptocurrency exchange Coinbase. On its leak site, CoinbaseCartel describes itself as “redefining data extortion” and explicitly states that its operations have no political, personal, or activist agenda.
Since posting its first victim listings in September 2025, CoinbaseCartel has claimed over 160 victims across sectors, including healthcare, technology, transportation, and logistics. Researchers attribute the group’s rapid expansion primarily to the reuse of stolen credentials obtained from infostealer logs.
Who Is CoinbaseCartel?
CoinbaseCartel first appeared on September 15–16, 2025, when its Tor-based leak site was identified by SOCRadar’s Dark Web researchers. The group made an unusually aggressive debut, posting between 10 and 17 victim listings simultaneously, a volume that immediately drew analyst attention.

Threat actor card of CoinbaseCartel
Researchers have placed CoinbaseCartel among the top ten most active ransomware and extortion groups for both September and December 2025. By April 2026, the group’s cumulative victim count had surpassed 160, spanning 17 distinct industry verticals across North America, Europe, Asia-Pacific, South America, and the Middle East.
The group operates independently and does not function as a traditional Ransomware-as-a-Service (RaaS) platform. However, it actively recruits affiliates and partners through a dedicated partnerships section on its leak site, offering both fixed-fee and revenue-sharing arrangements. Prospective partners are required to submit a proposal alongside evidence of an existing compromise.

CoinbaseCartel Data Leak Site (DLS)
CoinbaseCartel follows a single-extortion model with no file encryption. The group exfiltrates sensitive data and lists victims on its leak site under one of three statuses: Active, Leaking, or Leaked. Victims are given 48 hours to initiate contact through the group’s negotiation portal, followed by a 10-day window to pay or renegotiate the terms. Ransom payments are accepted exclusively in Bitcoin. The leak site also includes an auctions section, added in early 2026, that allows third parties to purchase stolen datasets directly.
In late 2025, CoinbaseCartel publicly advertised a budget exceeding $2 million USD in underground communities to acquire zero-day exploits, signaling access to significant financial resources.
The group is also tracked under the alias shinysp1d3r by some researchers, who have hypothesized a connection between CoinbaseCartel and the threat actors known as ShinyHunters, Scattered Spider, and Lapsus$. Under this hypothesis, CoinbaseCartel is thought to share personnel or infrastructure with the Scattered LAPSUS$ Hunters (SLSH) alliance, which publicly emerged via Telegram in August 2025. The shinysp1d3r alias is also associated with a RaaS encryptor project reportedly under development by SLSH-affiliated actors, targeting VMware ESXi environments. These assessments remain contested, and attribution beyond superficial operational overlaps has not been validated.
Who Does CoinbaseCartel Target?
CoinbaseCartel has claimed victims across 36 countries and 17 industry verticals, with target selection driven by data value and credential availability rather than sector-specific focus.
Top 10 industries targeted by CoinbaseCartel
Technology leads all targeted industries at 30.4%, followed by Manufacturing (~13%), Business Services, and Consumer Services (~10% each). The group has shown no intent to avoid sensitive sectors; healthcare, energy, and critical infrastructure all appear in its victim listings.
Geographically, the United States dominates at 37.3% of all victims, consistent with the high volume of U.S. enterprise credentials circulating in infostealer markets. The UAE, Germany, France, Brazil, Canada, and the UK follow, reflecting a multi-regional, opportunistic posture.
Top 10 countries targeted by CoinbaseCartel
How Does CoinbaseCartel Operate?
CoinbaseCartel’s attack chain follows a consistent pattern: credential-based initial access, low-noise lateral movement, large-scale data collection, and exfiltration through trusted cloud infrastructure, all without deploying a single line of encryption code.

CoinbaseCartel attack chain
Initial Access (TA0001)
Researchers have identified stale infostealer logs as the dominant initial access vector. Credentials harvested by malware families such as RedLine, Lumma, and Vidar are reused to authenticate against corporate cloud environments, FTP servers, SFTP endpoints, and managed file transfer services. In several confirmed cases, the credentials used had been circulating in underground markets for months or years before the group weaponized them (T1078: Valid Accounts).
Additional access methods include compromised VPN and RDP credentials, hard-coded or exposed credentials discovered in code repositories such as GitHub and Bitbucket (T1552.001: Credentials in Files), and OAuth application abuse, where users are tricked into authorizing malicious applications, including a modified version of the Salesforce Data Loader, that grant persistent access to cloud environments (T1550.001: Application Access Token). The group has also been linked to the use of Initial Access Brokers (T1199: Trusted Relationship) and, in some reported cases, insider recruitment and contractor bribery, though these claims are not consistently corroborated across sources.
Discovery and Privilege Escalation (TA0007 / TA0004)
Following initial access, CoinbaseCartel moves to identify high-value data repositories and escalate privileges. The group leverages built-in operating system administrative tools and living-off-the-land techniques to avoid introducing detectable binaries (T1059: Command and Scripting Interpreter). Administrative account acquisition allows the group to access cloud management consoles, file servers, and CRM platforms at scale.
Collection (TA0009)
CoinbaseCartel conducts large-scale data collection using custom Python tooling designed to mimic the legitimate Salesforce Data Loader, enabling bulk CRM exports that blend into normal administrative traffic (T1119: Automated Collection). The group stages collected data into large compressed archives prior to exfiltration (T1560: Archive Collected Data).
Defense Evasion (TA0005)
To hinder forensic investigation, the group truncates log files in bulk, disables syslog forwarding, and manipulates system-wide audit settings (T1562.002: Disable Windows Event Logging / T1070: Indicator Removal). Operating through trusted cloud platforms and legitimate administrative tooling significantly reduces the group’s detection surface throughout the intrusion.
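Detection for the log tampering described above is best done from the collector side, where the attacker cannot truncate anything: a source that was steadily forwarding and then goes quiet, or a monitored file whose agent-reported size goes backwards. The following is an added example, not code from the original profile or from CoinbaseCartel; it runs over constructed per-host receipt timestamps and constructed size samples, and the `(host, ts)` and `(host, path, ts, size)` formats are assumptions rather than any vendor's schema.

```python
"""Collector-side checks for log-forwarding silence and log-file truncation.

Added example with constructed data; the receipt and size-sample formats
are assumptions, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)


def _minute_series(host, start, count):
    """Constructed helper: one syslog receipt per minute starting at `start`."""
    t0 = parse_ts(start)
    return [(host, (t0 + timedelta(minutes=i)).strftime(FMT)) for i in range(count)]


# Constructed sample: web01 forwards steadily and stops after 00:59;
# db01 keeps forwarding; jump01 only ever sent two lines (sporadic source).
RECEIPTS = (
    _minute_series("web01", "2026-03-05T00:00:00Z", 60)
    + _minute_series("db01", "2026-03-05T00:00:00Z", 90)
    + _minute_series("jump01", "2026-03-05T00:05:00Z", 2)
)
NOW = parse_ts("2026-03-05T01:30:00Z")

# Constructed sample of agent-reported file sizes: web01's auth.log grows, then drops to 0.
SIZE_SAMPLES = [
    ("web01", "/var/log/auth.log", "2026-03-05T00:30:00Z", 10_000),
    ("web01", "/var/log/auth.log", "2026-03-05T00:45:00Z", 12_000),
    ("web01", "/var/log/auth.log", "2026-03-05T01:00:00Z", 0),
    ("db01", "/var/log/auth.log", "2026-03-05T00:30:00Z", 8_000),
    ("db01", "/var/log/auth.log", "2026-03-05T01:00:00Z", 8_500),
]


def find_silent_sources(receipts, now, window=timedelta(minutes=10), baseline_windows=6):
    """Alert on hosts that were active in every one of `baseline_windows`
    windows before their last message and have now been quiet for >= window.
    Sources with no steady baseline are ignored to keep the alert useful."""
    seen = defaultdict(list)
    for host, ts in receipts:
        seen[host].append(parse_ts(ts))
    alerts = []
    for host, times in seen.items():
        times.sort()
        last = times[-1]
        if now - last < window:
            continue  # still reporting
        steady = all(
            any(last - (k + 1) * window < t <= last - k * window for t in times)
            for k in range(baseline_windows)
        )
        if steady:
            alerts.append({"host": host, "last_seen": last.strftime(FMT),
                           "silent_for_min": int((now - last).total_seconds() // 60)})
    return alerts


def find_truncations(samples):
    """Alert when a monitored file's reported size goes backwards.
    Rotation also shrinks files; correlate with an inode change before paging anyone."""
    last_size, alerts = {}, []
    for host, path, ts, size in sorted(samples, key=lambda s: s[2]):
        key = (host, path)
        if key in last_size and size < last_size[key]:
            alerts.append({"host": host, "path": path, "ts": ts,
                           "shrunk_from": last_size[key], "to": size})
        last_size[key] = size
    return alerts


if __name__ == "__main__":
    print(find_silent_sources(RECEIPTS, NOW))
    print(find_truncations(SIZE_SAMPLES))
```

The silence check deliberately requires a steady baseline before the last message, so a jump host that only logs twice a day does not fire every afternoon; tune the window to the noisiest cadence you still want to catch. Both checks only work if receipts and size samples land in storage the compromised host cannot write to, which is the point of the immutable, segregated log storage recommended later on this page.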
Exfiltration (TA0010)
Exfiltration is carried out through trusted cloud platforms including AWS, Google Cloud, and Cloudflare, allowing outbound transfers to blend with legitimate traffic (T1567: Exfiltration Over Web Service). Data volumes in confirmed cases have ranged from tens of gigabytes to multiple terabytes. Transfers are conducted over encrypted channels, with Tor used in some observed cases for final delivery.
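The collection and exfiltration stages above both come down to volume that is abnormal for the account doing it, so the detection a practitioner wants is a per-user baseline over bulk export jobs. The following is an added example, not CoinbaseCartel tooling and not code from the original profile: it replays constructed, simplified Salesforce-style bulk job records (the field names `ts`, `user`, `ip`, `entity` and `rows` are assumptions, not the real EventLogFile schema) and flags a job when its row count is an outlier against the user's own median, or when it is both outside an assumed business-hours window and from an IP that user has never used. The same baseline logic applies unchanged to outbound byte counts per source when watching for the multi-gigabyte transfers to cloud storage described under Exfiltration.

```python
"""Per-user baseline detection for bulk CRM exports.

Added example with constructed data. The record fields are a simplified
stand-in for Salesforce EventLogFile BulkApi rows, not the real schema.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

ABS_ROWS = 10_000          # assumed: any single job above this size deserves a look
RATIO = 10.0               # assumed: at or above 10x the user's median row count
BUSINESS_HOURS = (7, 19)   # assumed UTC working window [start, end)

# Constructed sample: alice exports ~1k rows on working days, then a 480k-row
# Contact export at 02:30 from an IP she has never used; bob is a new user.
EVENTS = [
    {"ts": "2026-03-02T10:15:00Z", "user": "alice", "ip": "203.0.113.10", "entity": "Account", "rows": 1200},
    {"ts": "2026-03-03T11:02:00Z", "user": "alice", "ip": "203.0.113.10", "entity": "Contact", "rows": 900},
    {"ts": "2026-03-04T09:40:00Z", "user": "alice", "ip": "203.0.113.10", "entity": "Account", "rows": 1500},
    {"ts": "2026-03-05T02:30:00Z", "user": "alice", "ip": "198.51.100.77", "entity": "Contact", "rows": 480_000},
    {"ts": "2026-03-05T14:00:00Z", "user": "bob", "ip": "203.0.113.22", "entity": "Lead", "rows": 300},
]


def _hour_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).hour


def detect_bulk_exports(events, abs_rows=ABS_ROWS, ratio=RATIO, hours=BUSINESS_HOURS):
    """Replay events in time order, building each user's baseline as we go.

    Returns one alert per job that is (a) a volume outlier, or
    (b) both off-hours and from a source IP the user has never used.
    """
    rows_seen = defaultdict(list)
    ips_seen = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, reasons = ev["user"], []
        prior = rows_seen[user]
        baseline = median(prior) if prior else None
        # Volume: large in absolute terms and, once history exists, far above the median.
        if ev["rows"] >= abs_rows and (baseline is None or ev["rows"] >= ratio * baseline):
            reasons.append("volume")
        if not (hours[0] <= _hour_utc(ev["ts"]) < hours[1]):
            reasons.append("off_hours")
        # A new IP only counts once the user has history; otherwise every first login fires.
        if ips_seen[user] and ev["ip"] not in ips_seen[user]:
            reasons.append("new_ip")
        if "volume" in reasons or {"off_hours", "new_ip"} <= set(reasons):
            alerts.append({"user": user, "ts": ev["ts"], "entity": ev["entity"],
                           "rows": ev["rows"], "baseline_rows": baseline, "reasons": reasons})
        prior.append(ev["rows"])
        ips_seen[user].add(ev["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(EVENTS):
        print(alert)
```

Off-hours on its own is not an alert condition here because nightly integration users export outside business hours every day; it only adds weight when paired with a never-seen source IP. A job that masquerades as the Data Loader still shows up in this model, since the anomaly is in who exported how much from where, not in the user agent string.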
What Sectors Does CoinbaseCartel Target?
CoinbaseCartel has demonstrated broad sectoral reach since its emergence in September 2025. Researchers have identified 17 distinct industry verticals among the group’s confirmed and claimed victims, a range that exceeds many comparable extortion groups and reflects a target-selection approach driven primarily by data value and credential availability rather than sector-specific expertise.
Healthcare, technology, and transportation and logistics account for the largest share of victims, representing more than half of all confirmed cases from 2025. Manufacturing, retail, finance, energy and oil and gas, construction, aerospace, education, food and beverage, media, and packaging have also appeared consistently across the group’s victim listings.
One geographic anomaly stands out in the group’s targeting pattern. Researchers observed an unusual cluster of approximately ten healthcare organizations based in the United Arab Emirates claimed within a single month. This concentration is atypical for a financially motivated group and has led some researchers to question whether geopolitical considerations may have supplemented financial incentives in that campaign. No state-sponsored attribution has been established.
The group shows a clear preference for large-revenue targets. A significant portion of CoinbaseCartel’s claimed victims are organizations with annual revenues exceeding one billion USD, including companies in the $10 billion to $90 billion range. This preference aligns with the group’s credential-reuse model: infostealer logs harvested from employees of large enterprises provide a wide attack surface and the potential for high-value payouts.
CoinbaseCartel does not appear to exclude any sector from targeting. Unlike some ransomware groups that publicly claim to avoid healthcare or critical infrastructure, the group has made no such declarations, and its victim list reflects no observable exclusions.
How Can Organizations Defend Against CoinbaseCartel?
Because CoinbaseCartel relies primarily on stale infostealer credentials rather than sophisticated exploitation chains, much of the attack surface it depends on can be eliminated through credential hygiene and identity-centric defenses.
- Credential and Identity Security: Organizations should routinely monitor underground markets and infostealer log repositories for employee credentials. Any account exposed in a known infostealer infection should be treated as fully compromised and rotated immediately, regardless of when the infection occurred. Enforcing phishing-resistant multi-factor authentication — preferably FIDO2 or WebAuthn — across all cloud consoles, VPN gateways, remote access solutions, and SaaS platforms significantly reduces the risk of credential reuse attacks.
- Code Repository and Secret Management: Development teams should audit repositories such as GitHub and Bitbucket for hard-coded credentials, API keys, and access tokens. All secrets should be managed through a dedicated secrets management solution with short-lived, automatically rotated tokens. CI/CD pipelines, Dockerfiles, and build configuration files should be treated as critical infrastructure and subject to the same access controls applied to production systems.
- OAuth and SaaS Governance: Organizations should restrict the ability to authorize third-party OAuth applications within platforms such as Microsoft 365, Google Workspace, and Salesforce. Existing application grants should be reviewed and any permissions that allow broad data export should be revoked unless explicitly required. Conditional access policies should flag or block OAuth approvals from unmanaged devices or unusual locations.
- Cloud and Data Exfiltration Monitoring: Security teams should establish baselines for API call volumes, CRM export activity, and outbound data transfers. Deviations from these baselines — particularly large archive creation events, bulk exports outside business hours, or transfers to unfamiliar cloud storage endpoints — should trigger immediate investigation. Immutable, segregated log storage should be enforced to prevent the log truncation and syslog disabling tactics the group employs.
- File Transfer and Remote Access Hardening: SFTP, FTP, and managed file transfer services represent a primary target for credential-reuse attacks. Access to these services should be restricted to known IP ranges where operationally feasible, and all authentication events should be logged and monitored. VPN and RDP access should be gated behind MFA and subject to anomaly detection for logins originating from Tor exit nodes or commercial VPN services.
- Backup and Data Inventory: Because CoinbaseCartel’s leverage is entirely data-based, organizations should maintain a current inventory of sensitive data assets and their storage locations, so that a claimed theft can be checked quickly against what the intruder actually reached. Immutable, regularly tested backups do not reduce the leverage of a leak threat, since the pressure comes from disclosure rather than loss of availability, but they remain worthwhile given the ESXi encryptor reportedly in development under the shinysp1d3r alias. Incident response plans should account for extortion-without-encryption scenarios, including pre-established legal and communications protocols for handling leak threats.
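For the repository and build-configuration audit in the second item above, the practical control is a scanner that runs in CI before a commit lands, since a key pushed to GitHub or Bitbucket is exactly the kind of credential this group reuses. The following is an added example, not from the original profile and not any vendor's tool: it scans constructed file contents (the Dockerfile and workflow snippets are made up; the AWS values are the placeholder credentials used in AWS documentation; the GitHub token is a made-up string of the right shape) with a small set of well-known token patterns plus an entropy check on long literals assigned to secret-looking names, and it deliberately ignores references to environment variables and CI secrets.

```python
"""Hard-coded credential scanner for repositories and build configs.

Added example with constructed file contents. The rule set is a small
illustrative subset, not a complete secret-detection ruleset.
"""
import math
import re

# Token formats with a fixed, recognisable shape.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a long literal assigned to a secret-looking name. Values that
# start with "$" (env vars, ${{ secrets.X }}) fall outside the character class
# and are skipped on purpose; only the literal itself is a finding.
ASSIGNMENT = re.compile(
    r"(?i)\b[A-Za-z0-9_]*(?:password|passwd|secret|token|api[_-]?key)[A-Za-z0-9_]*"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # assumed: bits per character; random keys sit well above this


def shannon_entropy(s):
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(s):
    """Never write the full secret into a finding or a CI log."""
    return s[:4] + "..." + s[-2:] if len(s) > 8 else "***"


def scan_text(path, text, entropy_threshold=ENTROPY_THRESHOLD):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(name, m.group(0)) for name, pat in PATTERNS.items() for m in pat.finditer(line)]
        if not hits:
            # Fall back to the generic rule only when no shaped token matched the line.
            for m in ASSIGNMENT.finditer(line):
                if shannon_entropy(m.group(1)) >= entropy_threshold:
                    hits.append(("high_entropy_assignment", m.group(1)))
        findings.extend({"file": path, "line": lineno, "rule": rule, "match": redact(val)}
                        for rule, val in hits)
    return findings


def scan_files(files):
    """files: {path: contents}. In CI, read these from the checkout or from
    the diff of the commit under review."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample inputs (see lead-in for provenance of the key values).
SAMPLE_FILES = {
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
    ),
    ".github/workflows/ci.yml": (
        "env:\n"
        "  GITHUB_TOKEN: ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        "  DB_PASSWORD: ${{ secrets.DB_PASSWORD }}\n"
    ),
    "app/config.py": 'import os\ntoken = os.environ["API_TOKEN"]\n',
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

Shaped patterns give high-confidence hits; the entropy rule catches the AWS secret key, which has no fixed prefix, while letting `${{ secrets.DB_PASSWORD }}` and `os.environ[...]` through. Anything it flags in history should be treated as already leaked and rotated, not merely removed from the tree.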
What TTPs Does CoinbaseCartel Use?
The table below maps CoinbaseCartel’s observed tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK® Enterprise framework.
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T1078.004 | Valid Accounts: Cloud Accounts |
| Initial Access | T1199 | Trusted Relationship |
| Initial Access | T1566.004 | Phishing: Spearphishing Voice |
| Execution | T1059.004 | Command and Scripting Interpreter: Unix Shell |
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Persistence | T1136 | Create Account |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1078 | Valid Accounts (Long-lived OAuth Tokens) |
| Privilege Escalation | T1078.004 | Valid Accounts: Cloud Accounts (Privileged) |
| Credential Access | T1003 | OS Credential Dumping |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1562.002 | Impair Defenses: Disable Windows Event Logging |
| Command and Control | T1090.003 | Proxy: Multi-hop Proxy |
| Defense Evasion | T1036 | Masquerading |
| Credential Access | T1555.003 | Credentials from Password Stores: Web Browsers |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory |
| Credential Access | T1528 | Steal Application Access Token |
| Discovery | T1580 | Cloud Infrastructure Discovery |
| Discovery | T1018 | Remote System Discovery |
| Discovery | T1069.002 | Permission Groups Discovery: Domain Groups |
| Lateral Movement | T1021.004 | Remote Services: SSH |
| Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol |
| Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
| Defense Evasion | T1550.001 | Use Alternate Authentication Material: Application Access Token |
| Collection | T1213 | Data from Information Repositories |
| Collection | T1119 | Automated Collection |
| Collection | T1560 | Archive Collected Data |
| Exfiltration | T1567 | Exfiltration Over Web Service |
