coinbasecartel

Ransomware group profile

167Victims

85Impact score

Description

Coinbase Cartel is a cyber-extortion group that emerged in September 2025, focusing on data exfiltration to extract ransom rather than conventional ransomware tactics. They utilize partnerships with other cybercriminals and exploit stolen credentials to penetrate target systems, often leaving victims unaware until they demand payment. Their strategy emphasizes stealth and immediate financial gain through a unique extortion model without significant operational disruption.

Key insights

•Coinbase Cartel specializes in data exfiltration for financial gain without encrypting files.
•They primarily use old infostealer credentials to access cloud environments and FTP servers.
•The group employs tactics like staged data leaks and a dedicated chat interface for ransom negotiations.
•Their operation is characterized by partnerships with cybercriminals and bids for zero-day exploits.
•Attacks are typically aimed at enterprise-level organizations across various sectors.

Industries

Education Energy & Utilities Financial Services Government & Defense Healthcare Hospitality Manufacturing Other Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For coinbasecartel · Based on incidents in selected period

2.2threat level

Aggressiveness5/ 10

Lethality0.1/ 10

Criticality1.4/ 10

Status Breakdown

Data Leaked1.8%3

Claimed97.6%163

First seenAug 2025

Last seenJun 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 20, 2026

Recent activity

Monthly attack count for coinbasecartel in the selected period

167Total attacks

47peak in Apr

15.2avg / month

↑ 2 vs first month

Intelligence

IOCs, YARA/Sigma rules, and related families for coinbasecartel

e96325bbb60a04cad182891515c14964dbd873cb9d7625fa5a4d736dc68246d1
04461a6b8ac0fea7f089d739aee9ed081d9a1fa30c837214ef3cd50e60be0804
dc3ae750cf807ffbc0fc8730e72bf1151cb5ddd8f5ba9c92c22e79ad14078a63
5f9e5448da034de96febe86d86e32db73b30597abd5d83266301666f21f784e7
560f0836fb6ba9e4d52cffc05d11f3bd11ab1d9830ded2bf21342394693cb02b
a686b29f491b1779cf0e616dbee999e8
a42656e5ad3c22bc0833ddb2d250bfa1839a28f8a27f941e2ec5e5dbc9ad757e
ec5d494f2a6b8dac323887096152bd4851766d4119be1487597a4bcc86f12d36
a61851cb441f303f337d4f04713cd0c5238bf99d96263ea4b9c9d6e0da4de44b
ffce3a027191888d44de16e546429396c49dbe6fd7bd7caba8512a65f5686296
9ecb62824c4a6a7e1d9c35836391fcdfcc192a36742816161b0babfd368ec5a9
7406a9fc765bf2c160805e9640c30c92f59ef6b967f6df9d50b73b709e6a9e8f
7589cbbe2825a9ed7fcdbaf303a50a71f94601333ecae536caa26f45805eb32f
fa1067298bed9e95fc864e95c91012d98593c019e1c11910fa6a1cee53263a78
dd766c3b2ca6cbea1905751d5c252c0ee75ac70bafdf24b7ab17e5ff0f92bbfd
6eb0b21b01e6326dc3f062c37d64dfe12181ed7f1b0440b2f472fcaeef10cbd9
8298208653df9787cfe447c0cd3ff2ad50ceab379bb87ca11d529a05ab090be5
49ecbb637a473ec76fefa8c05811a1cc2a3c2dd44a1df0c323b14a916863d1d4
ef561fb520e1db20adc7351e4bc599036dc5cd81ebf8e1323c725ae792abc50e
18b15d943807744f0cf2e94eebbcdcf5379a75535e9d93b501d88df2fd157eec
f0e88953b023ca85247155758c33ab0787f0ce10d6d48216bcef18e476ca4b94
aa59cb2baa7e7d38d8bb4ff6a22afbf2945de4fb555f9b8bb2657b6f89a773ed
be7ce2070d1e5e5dc1e2151b5431667161ccf5689db31566a6b49228da2c95fc
d4f3f8b96ab909e8e4023a8cff4b0a9090c6f1bd01547521312f204777b62480
810f747c78d9e6dc93f7d12e714880b17cecc19a8c4351f33b5af23fc138ece3
ce1438298244aa9085e47871c40dca4944fddf620ffadbb0a6c9158626556376
d8c5600c09b316689c21aba141044efe25d4cadfd7cab61bfe99269f134f45c2
207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
95febad12000e0777970d544616c0b4163424a28ed513e84cdbf1ded6bb1d1f4
d91e8f5aeaca913f4a462a1e9dfee5f57535671671f46815bddc02f2abe6ffae
f4c0e951ac66b09816f04c3e256ef94a78f8d1285448bb7c64d1f396f99e1201
9a0c809142a92be3b4dd43506e7e4613ead2eba40ab3db1aafdc7575deceb7a2
8b68c70276a7086829deee0f9b165b3b4a6d28c0a026153dfe70b812ce27ce6a
17f5ee815db420cd97872e97d05504d5a7dbed7e51cf979daabf22be90abb4cc
5a0746efe225da2d41bd802670ef63d55a598fcdf12275283532144df6b7a1bb
40302e53abdb4a5b22e18809addf103d162ef5b748c50c1272758aeda48f2737
af2de07aabb5cb1dd7523baf324badc99820a30db6a480bbba5c995d473f6bc9
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
e17fe4e556638c9f2edac9939b77b05c47feefdf3064325df472063330791271
e2f5aa9b4b43018dba456eee17ded1ff3232c6438648b3d36808dca6213fb557
9ea698e004e978a587fcd72e8f78bc4edb7c43bf6a069f833ff866759fe394dd
e542c61ac26e366537d89ad2fbd8c5f448d440b4ff2174d10045c02197aa6bce
632c33e686ad1dcb4eed8cd5501425372ac16b43c81f082c4e9986cf5c3daaeb
4ac4e5c122bd5c2e324a6983999fc9be1bdecb95e39ddf5d4a92049af87f74bd
a610ef0e37af408aa49c7296d238796c57ac45aa8b0809ce72bc4d75b23fdf4f
53b1d6cfbf38a0d3e80f58768e773df6462305c7efbed0aa9b6b4ad2d994581e
51312177a9c81ae610e7b73a8d3330c54c130baf901516351d250357d0c3ff6d
bc6c535b32bdb75924d1aedcf4b5aa009387d86323da2007ad3f10eb86cf6ee5
14a268b68c64fb4ffa769f966e9a49648aebf4959c2e3a718bfb44e30f4c935a
7f3b0682e57da055874455302178be52481a5161f3f3f805167b248a39b57c18
10370f821ef2d769bcb287b3f5ab081c4949a97891a25a23688e8c553bd393df
7a9938273e502427d127d1aced6f9fe7fd25c7fdffe5319788f1e0588280734b
a425738835542b948a934b8977da6afbf194f7d30250e100cb81e4bb2c362955
b8af4318595f1c17ba1b72665892d8ec748e90d08a48e69247b2556144d04f1b
85f4cbf9c22200ee71cd3817786db2e436d9d04697c96678922939feecc18ab0
adb08093c6388d304645b2f03e879f69dac9f46d428344220022538ad3af7bd8
458d2009228324bfdfcf0e3574d0bc2a433f3cf9e7c5c042d4eab71d5c31b1ba
687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2
1de182c1911ffdf5f4bec8a29af8c4fb9ef69f30d199b684cb2f8223b64694d2
417bace90f0a45fa96ab2a0e2fdad0fe2b6e6a404fe1e3af63b55135d2c743d7
8b4c1ac41d28523747ce4038de33aa969994fcb4ca1aff7266f0eb8aa0ffc7b9
45b6daf37fbd40c38f6765bb63d07b16324f0c91
57f5f0f6f0bd14cdf36bf7de9462c023bd13d1bfdb93a3e46db6249e2b63dbaa
dfff54d42b60017684805abb5ee34ab2da491dbcdf3a258852cfa439b878d4af
f4272104d21c8cc48a6d277f0ad59afd8950bb7fd14b99a063d441ec44fc91c5
06e46fcadbd0e5fb07aa8d7cccdf0000a25733f20fcf58e30670b460659394a8
95952e224252666f8880a6c7302301739614c48139d7aaa52f5f02cd88de1027
167fff1db7203da539df913e27bbc646f89e580e646040134d50051e52be9fea
f00395da1c2838b95084d18a8da2d6dbe89ae74b00508e4dafcd65198ba0843c
65d1cb1f99df762a71c6f90a56f5b8a0d9d99154a411b273eb3a5061ba7d950f
967e44d475d98dd2fa1627dee80ea0f930f0ef10592225fafc284a2bdbea1bcc
dff1b1f13d3b70e23a506809e509726b2cff89b0586b1866a4aa5ef629468cad
a58aa736bb3f7275238bbebe18bf24769ec6c742e46bc85783b832809163b89b
8ac1e34fc3cc4e30206c3708d0e414c9327f783c5763d6d17bed493e26969a10
cfeec2b8a9d8de2bc635762c6e7146e66e107a68cefa98bb5bbb5eb01a6b3c66
522eac2353580ba8257613ef7223de9d25692584124ca16daa76109f8176b34a
1125c45d285c360542027d7554a5c442288974de
93e1e1f7f4630b866ed9ff0b7109060563470326e4b86d6e4b21ce3393d1bf8f
d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
db057d6796337e05812ca2926b5503442f2201c53afb506e90c279e11bf1a7af
d97c3ae50b6cad342045d900154326d02332496c155d07382b233b110056b23a
21a2ee204af0ae5ce4b23da6ab16a426fc9534e04b8550b3a829154f4497fb35
1a0563f7fb85a678771450b131ed66fd
b58a509bdc350148990318ed765604aaca2c66a5da8969aafe0924bccdffc964

View full IOC feed500 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for coinbasecartel

Defense Evasion

T1036.005

Match Legitimate Resource Name or Location

T1070.001

Clear Windows Event Logs

T1562.001

Disable or Modify Tools

Discovery

T1018

Remote System Discovery

T1083

File and Directory Discovery

T1538

Cloud Service Dashboard

Execution

T1059.004

Unix Shell

T1059.006

Python

T1204.002

Malicious File

Impact

T1486

Data Encrypted for Impact

T1657

Financial Theft

Persistence

T1098.003

Additional Cloud Roles

T1136.001

Local Account

Victims(167)

Company	Domain	Country	Industry	Status	Discovered
Demand.io	demand.io	US United States	Technology	Claimed	9 days ago
Demand.ioNEW	demand.ionew	US United States	Technology	Claimed	16 days ago
Cambridge Mobile TelematicsNEW	—	US United States	Technology	Claimed	19 days ago
Openmind networks	openmindnetworks.com	GB United Kingdom	Technology	Claimed	22 days ago
Pragmatic Solutions	pragmatic.solutions	US United States	Professional Services	Claimed	22 days ago
Zywave	zywave.com	US United States	Professional Services	Claimed	about 1 month ago
Grafana	—	US United States	Technology	Claimed	about 1 month ago
Buenos Aires Software	bas.com.ar	AR Argentina	Technology	Claimed	about 1 month ago
Jozef Stefan Institute (IJS)	ijs.si	SI Slovenia	Education	Claimed	about 1 month ago
Alpinion	alpinion.com	KR South Korea	Healthcare	Claimed	about 1 month ago
Tab Service	tabservice.com	DE Germany	Professional Services	Claimed	about 1 month ago
Cass information Systems	cassinfo.com	US United States	Professional Services	Claimed	about 1 month ago
Kementerian Pertanian	pertanian.go.id	ID Indonesia	Government & Defense	Claimed	about 2 months ago
Sea Telecom Br	seatelecom.com.br	BR Brazil	Technology	Claimed	about 2 months ago
Precision Coating	precisioncoating.com	US United States	Manufacturing	Claimed	about 2 months ago
Integer Holdings	integer.net	US United States	Manufacturing	Claimed	about 2 months ago
Sanna Web	sanna.pe	PE Peru	Technology	Claimed	about 2 months ago
Peru LNG (Hunt LNG Operating Company)	perulng.com	PE Peru	Energy & Utilities	Claimed	about 2 months ago
Aptim	—	US United States	Professional Services	Claimed	about 2 months ago
SIG.biz	sig.biz	CH Switzerland	Manufacturing	Claimed	2 months ago

Page 1 of 9

Affected countries(49)

Countries where this group has been reported to target or leak victims.