Coinbase Cartel
Coinbase Cartel is a cyber-extortion and data-extortion group active since at least September 2025.
Profile source: Mallory opens in a new tabCoinbase Cartel
Family profile
Coinbase Cartel is a cyber-extortion and data-extortion group active since at least September 2025. Known aliases in the provided content are Coinbase Cartel and Storm-2981. Multiple sources describe it as a nascent ransomware or extortion group, but its distinguishing characteristic is exfiltration-first operations focused on data theft and coercion rather than encrypting victim systems; the group has explicitly presented itself as a data-exfiltration-only extortion operation and in some reporting rejects the ransomware label. Reported leak-site workflow includes staged victim statuses such as "Active," "Leaking," and "Leaked." The group has claimed more than 60 victims in one report and more than 100 victims in another. Reported victim geography includes South Korea, the United States, and Slovenia, and the content states it has a history of targeting technology companies and publishing stolen code on leak sites. A confirmed example in the provided content is the May 2026 extortion claim against Grafana Labs, where Coinbase Cartel claimed access to Grafana’s GitHub environment via a compromised token and threatened to leak downloaded source code; Grafana stated no customer data, personal data, customer systems, or operations were affected and refused to pay. The group is also listed among active ransomware/extortion operations in 2026 reporting. One source links Coinbase Cartel to the broader English-speaking cybercriminal ecosystem associated with ShinyHunters, Scattered Spider, and Lapsus$, and another places it alongside UNC3753/Silent Ransom Group as an emerging data-extortion model, but the provided content does not establish Coinbase Cartel as a nation-state actor.
Ransomware.live
Operational record
Ransomware.live
Recent claims
MITRE ATT&CK