Coinbase Cartel Ransomware

Description

Coinbase Cartel is a cyber‑extortion threat actor first observed in September 2025. Rather than encrypting systems, the group focuses on data theft, threatening to publish or sell stolen information unless a ransom is paid. Victims are given 48 hours to make contact and 10 days to pay or negotiate.

The group operates a dark web leak site and uses staged disclosures to pressure victims, releasing limited samples before escalating to full publication. Over 60 victims have been claimed across the healthcare, technology, transportation, finance, and telecom sectors. Several analysts assess that the group may include affiliates of ShinyHunters, Scattered Spider, and Lapsus$. The group is also reported to be developing ransomware that targets VMware ESXi hosts, which would mark a shift from pure data-theft extortion to double extortion (encryption combined with the threat to leak stolen data).

There is no affiliation with the legitimate cryptocurrency company Coinbase.

Targeted Industries

  • Finance
  • Healthcare
  • Technology
  • Telecommunications
  • Transportation

Objectives

Financial Gain

Known Tools Used

  • Administrative Access Tools (Built-in OS utilities)
  • Data Leak Site (Custom Platform)
  • Initial Access Broker Tooling
  • Log Manipulation Utilities
  • Stolen Credential Tooling
  • VPN/Anonymization Services

Known Infection Vectors

  • Compromised VPN Credentials
  • Exploitation of Public-Facing Applications
  • Exposed RDP Services
  • Phishing
  • Credential Reuse
  • Social Engineering
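Two of the items above lend themselves to host-side detection: credential reuse (a burst of failed logons from one source followed by a success) and log manipulation (clearing of Windows event logs after access is gained). The script below is an added example written for this page, not code from the profile, the actor, or any referenced source. It assumes a simplified pipe-delimited record format (timestamp|event_id|user|source_ip) carrying standard Windows Security event IDs (4624 logon success, 4625 logon failure, 1102 Security log cleared, 104 System log cleared); the sample records, the 10-minute window and the five-failure threshold are constructed for illustration.

```python
"""Detection sketch for credential stuffing and event-log clearing.

Added example; formats, thresholds and sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows event IDs referenced by the detections.
EVENT_LOGON_SUCCESS = 4624
EVENT_LOGON_FAILURE = 4625
EVENT_SECURITY_LOG_CLEARED = 1102   # Security channel cleared
EVENT_SYSTEM_LOG_CLEARED = 104      # System channel cleared

# Constructed sample records: timestamp|event_id|user|source_ip
SAMPLE_LINES = [
    "2025-09-10T09:00:00|4625|alice|10.0.0.5",
    "2025-09-10T09:01:00|4625|bob|10.0.0.5",
    "2025-09-10T09:02:00|4625|carol|10.0.0.5",
    "2025-09-10T09:03:00|4625|dave|10.0.0.5",
    "2025-09-10T09:04:00|4625|erin|10.0.0.5",
    "2025-09-10T09:05:00|4625|frank|10.0.0.5",
    "2025-09-10T09:06:00|4624|frank|10.0.0.5",       # reused password worked
    "2025-09-10T09:07:00|4625|alice|192.168.1.20",   # benign typo, two tries
    "2025-09-10T09:07:30|4625|alice|192.168.1.20",
    "2025-09-10T09:08:00|4624|alice|192.168.1.20",
    "2025-09-10T11:30:00|1102|frank|10.0.0.5",       # Security log cleared
    "2025-09-10T11:31:00|104|frank|10.0.0.5",        # System log cleared
]


def parse_event(line):
    """Turn one pipe-delimited record into a dict with a datetime timestamp."""
    ts, event_id, user, src_ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "user": user, "src_ip": src_ip}


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_failures=5):
    """Flag a source IP that logs >= min_failures 4625s inside `window` and then a 4624.

    Failures are tracked per source IP in a sliding window so a slow,
    legitimate retry (two or three attempts) does not alert.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] in (EVENT_LOGON_SUCCESS, EVENT_LOGON_FAILURE):
            by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = []
        for e in evs:
            if e["event_id"] == EVENT_LOGON_FAILURE:
                failures.append(e)
                failures = [f for f in failures if e["ts"] - f["ts"] <= window]
                continue
            recent = [f for f in failures if e["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                alerts.append({
                    "ts": e["ts"], "src_ip": ip, "user": e["user"],
                    "failures": len(recent),
                    "users_tried": len({f["user"] for f in recent}),
                })
                failures = []   # reset so one burst yields one alert
    return alerts


def detect_log_clearing(events):
    """Flag every event-log clearing event with who cleared it and from where."""
    return [{"ts": e["ts"], "user": e["user"], "src_ip": e["src_ip"],
             "event_id": e["event_id"]}
            for e in events
            if e["event_id"] in (EVENT_SECURITY_LOG_CLEARED, EVENT_SYSTEM_LOG_CLEARED)]


def run_detections(lines=SAMPLE_LINES):
    """Parse the records and return (stuffing_alerts, log_clearing_alerts)."""
    events = [parse_event(l) for l in lines]
    return detect_credential_stuffing(events), detect_log_clearing(events)


if __name__ == "__main__":
    stuffing, cleared = run_detections()
    for a in stuffing:
        print(f"[stuffing] {a['ts']} {a['src_ip']} -> {a['user']} "
              f"after {a['failures']} failures across {a['users_tried']} accounts")
    for a in cleared:
        print(f"[log cleared] {a['ts']} event {a['event_id']} by {a['user']} from {a['src_ip']}")
```

On the constructed input the stuffing detector fires once (10.0.0.5, six failures across six accounts, then a success as frank) and stays quiet for the two-attempt retry from 192.168.1.20; the log-clearing detector returns both clearing events. In practice the 1102/104 alert is the higher-fidelity signal: clearing the Security log is rarely routine, and the same user and source appearing in both alerts is the correlation worth paging on.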

References

#StopRansomware: Ransomware and Data Extortion Guide
https://www.cisa.gov/stopransomware/ransomware-guide

Official Alerts & Statements (CISA StopRansomware Portal)
https://www.cisa.gov/stopransomware/official-alerts-statements-cisa

Active CVEs