{
	"id": "cf3d2ad5-e69d-45db-8c3e-06bdbcb66ebf",
	"created_at": "2026-04-17T02:20:08.936835Z",
	"updated_at": "2026-04-18T02:21:53.477453Z",
	"deleted_at": null,
	"sha1_hash": "3fa13fa0359290a1ac11a0a4671cc5445c989ea2",
	"title": "No Encryptors, No Problem: The Coinbase Cartel Ransomware Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 423081,
	"plain_text": "No Encryptors, No Problem: The Coinbase Cartel Ransomware Group\r\nBy Jade Brown\r\nPublished: 2026-02-09 · Archived: 2026-04-17 02:00:17 UTC\r\nThe ransomware threat actor Coinbase Cartel first emerged in September 2025 and claimed 14 victims that month. The group focuses on data exfiltration, which aligns with a trend Bitdefender is tracking in the ongoing evolution of ransomware.\r\nCurrently, the most prolific double-extortion groups, and even emerging single-extortion groups, are increasingly executing data exfiltration-focused ransomware campaigns without encrypting data during attacks.\r\nThis approach makes the attacks both quieter and faster to execute while maintaining leverage for a ransom payment: pay to get your stolen data back, or we’ll publish it for the world to see.\r\nCoinbase Cartel is not only part of this trend but also ranked among Bitdefender’s Top 10 Ransomware Groups in September and December 2025, claiming more than 60 victims during its first few months of operation.\r\nCoinbase Cartel Operations and Victim Demographics\r\nCoinbase Cartel operations are marked by an insistence on stealing data while leaving systems available rather than complementing data theft with the use of encryptors that prohibit system access. Coinbase Cartel’s recent activity sparked speculation about their motivations and potential alliances.\r\nCommonalities with other ransomware groups include staging data leaks and targeting organizations in sectors with higher profit margins. The group targets organizations with revenue ranging from millions to several hundred billion dollars. The healthcare, technology, and transportation industries represent Coinbase Cartel’s greatest victim demographic to date. Combined, these industries accounted for more than 50% of the group’s victims in 2025.\r\nhttps://businessinsights.bitdefender.com/coinbase-cartel-ransomware-group-extortion-tactics\r\nPage 1 of 7\r\nInterestingly, the healthcare organizations impacted by Coinbase Cartel breaches were primarily based in the United Arab Emirates. The reputational damage to healthcare environments, combined with the sensitive nature of PII and PHI (which contain ample information to perpetrate identity fraud), makes healthcare organizations viable targets for extortionist groups.\r\nHowever, breaching 10 healthcare organizations in the United Arab Emirates in a single month is unusual. This raises questions about motive. Is Coinbase Cartel motivated primarily by financial gain, or are other geopolitical considerations in play, such as disrupting the economy of the UAE at large?\r\nEssential Mechanisms for Compromise\r\nCoinbase Cartel leverages several mechanisms to gain initial access to a system, including traditional avenues such as social engineering, support from Initial Access Brokers, and the acquisition of exposed credentials. The ransomware group is then equipped with admin accounts and tools it can use to manipulate systemwide settings, tamper with log files to reduce the odds of detection, and exfiltrate data of interest.\r\nAfter victim data is exfiltrated, Coinbase Cartel publishes the names of victim organizations on its data leak site and begins issuing ransom demands. Victims are contacted and have 48 hours to respond via Coinbase Cartel’s designated chat interface. Once contact with the victim is established, the victim has 10 days to submit payment or request changes to the ransom demand. The victim must submit payment via Bitcoin.\r\nThe Data Leak Site\r\nCoinbase Cartel’s data leak site features multiple webpages, including HOME, the newly added AUCTIONS page, PARTNERSHIPS, and CONTACTS. From the home page, visitors can view featured victim blog posts, including the active, leaking, and leaked statuses associated with each victim disclosure. The AUCTIONS webpage appears to be a pending initiative; no auctions have been added.\r\nFigure 1: Auctions page on Coinbase Cartel Data Leak Site\r\nCoinbase Cartel maintains that they are a ransomware group that is “redefining data extortion.”\r\nFigure 2: Coinbase Cartel branding that claims they are redefining data extortion.\r\nCoinbase Cartel operates without using the RaaS model, which raises many questions about how they collaborate with other cybercriminals. The threat actor previously promoted their brand in other dark web communities, going so far as to market the sale of stolen data. This makes their recent addition of an auction site expected; it is not a significant departure from their initial correspondence and objectives.\r\nOther groups in the past year, including FunkSec, have implemented a similar strategy for auctioning stolen data to increase their earnings. By design, it is a practical approach for ransomware groups that claim a steady volume of victims and have the means to thrive. However, it does not “redefine” the current expectations and trends that have been observed across cybercrime forums.\r\nCoinbase Cartel Partnerships\r\nIt is important to note that while Coinbase Cartel may not have in-house offensive security specialists and developers at the forefront of their operations, they have the business acumen to recruit other cybercriminals, seeking the personnel (and tools) vital for weaponization.\r\nOne example occurred last fall, when Coinbase Cartel requested exploitation development services in an underground community, announcing a business need for zero-day exploits and a flexible budget exceeding $2 million.\r\nWhen it comes to Coinbase Cartel’s connection(s) to other ransomware groups, things are still murky. In October 2025, several security firms reported hypotheses suggesting that Coinbase Cartel was a potential offshoot of ShinyHunters. The exact connection beyond contacts or infrastructure has not yet been validated.\r\nCoinbase Cartel is open to cooperation with others if collaborators meet certain requirements. Groups interested in partnering with the threat actor must submit a proposal with evidence that supports a successful compromise. Additional correspondence in the review process is then sent via the Coinbase Cartel chat channel.\r\nFigure 3: Coinbase Cartel partnership submission requirements\r\nPartnership payment terms and conditions are unclear. However, according to Coinbase Cartel, payment arrangements are not as restrictive in nature as those defined by other groups. There are “options…including fixed-rate agreements or revenue-sharing models based on the nature and value of the collaboration.”\r\nIs Coinbase Cartel a True Cartel?\r\nA “cartel” refers to a criminal group that exerts its perceived influence and power to intimidate or force competing entities to limit their growth and submit to it. Currently, there is no evidence to support the notion that Coinbase Cartel is operating under a framework that reflects that of a cartel.\r\nThis is because the cartel model of behavior, involving sustained control and/or intimidation of the kind observed with groups such as DragonForce, has not yet been identified in Coinbase Cartel’s tactics. DragonForce was unique as they were among the first ransomware groups to diverge from the traditional RaaS model and assume the title of “ransomware cartel”; they were also involved in compromising the infrastructure of competing ransomware groups.\r\nHow Does Coinbase Cartel Compare to Another Group Focused on Data Theft?\r\nOver the past few quarters, many ransomware groups have organized targeted campaigns against organizations that do not leverage encryptors and instead only issue a ransom demand for stolen data.\r\nWorld Leaks is one ransomware group that has toed the line between encryption-based attacks and data theft-only attacks; however, PEAR (Pure Extraction and Ransom) is a more apt comparison with Coinbase Cartel.\r\nHistorically, PEAR has avoided using encryptors and focused on data theft to drive ransom demands, much like Coinbase Cartel. PEAR claimed more than 45 victims over the last half of 2025. However, Coinbase Cartel has exceeded PEAR’s claimed victims each month since September.\r\nIn addition, when looking at the industries impacted by both Coinbase Cartel and PEAR, Coinbase Cartel’s breaches have affected a wider range of industries (17 in total compared to PEAR’s 13). Coinbase Cartel has also claimed more victims in high-impact industries such as Healthcare and Technology.\r\nAs of early 2026, Coinbase Cartel continues to impact victims in the healthcare and technology industries. Since the rise in reports of their activity in the last few months of 2025, the group has also maintained great stealth and avoided any significant OPSEC (operational security) failures. As a result, published indicators affiliated with their tools and attack methods remain limited. Here is a side-by-side comparison of these two threat actors:\r\nCoinbase Cartel vs. PEAR ransomware victims by month\r\nCoinbase Cartel and PEAR ransomware target victims listed by industry vertical\r\nRecommendations\r\nThere are several best practices your organization can follow to minimize attack pathways into your environment and decrease the odds of a successful ransomware attack.\r\nEnforce MFA: MFA should be implemented across all accounts, especially those with administrative privileges. The Principle of Least Privilege (PoLP) should also be strictly enforced, ensuring that no user has more permissions than necessary to fulfill essential job functions.\r\nContinuously assess patch management practices: Unpatched vulnerabilities can leave services and specific software open to attack. Adopting a process to regularly check for and apply patches in a timely manner can be the difference between a successful compromise and an attempted compromise that fails.\r\nRegularly schedule backups: While Coinbase Cartel does not encrypt systems and, therefore, allows business operations to remain intact, it is common for ransomware groups to tamper with or modify critical data. To ensure that data is preserved in its original state, schedule and test backups and store them in a secure location, e.g., a cloud repository and/or external media separate from the primary server.\r\nMaintain an inventory of critical data: Building an inventory that identifies the types of sensitive data handled, along with where it is stored and transmitted, helps in recognizing areas to secure and potential weaknesses. Enforcing controls to restrict and audit access to data beyond secured locations is highly recommended.\r\nImplement a threat intelligence solution: Context and security awareness both play significant parts in threat intelligence, which informs incident response. Staying up to date on threat actor TTPs and understanding the patterns associated with ransomware and other attacks allows organizations to save time in building a defensive strategy and responding to future incidents.\r\nImplement an MDR plus an attack surface reduction solution: Time is of the essence when it comes to incident detection, analysis, and response. An MDR service will help you detect and respond to threats based on current indicators. It relieves your internal team of burdens and helps you rapidly implement best practices within your environment. Understanding and dynamically reducing your attack surface is also crucial. This can be accomplished by deploying a solution such as GravityZone PHASR. PHASR monitors your organization’s environment and leverages machine learning to establish a baseline of normal activity while assessing and blocking use cases for LOTL (living off the land) attacks and other ransomware playbook tactics that are now used in a majority of high-severity attacks and may go undetected by traditional tools.\r\nTracking Ransomware Developments\r\nCoinbase Cartel is part of a growing number of ransomware groups focused on data exfiltration without encryption, and Bitdefender will continue to track developments with this threat actor. We also track and report on changes throughout the ransomware threat landscape in our monthly Bitdefender Threat Debrief.\r\nSource: https://businessinsights.bitdefender.com/coinbase-cartel-ransomware-group-extortion-tactics",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://businessinsights.bitdefender.com/coinbase-cartel-ransomware-group-extortion-tactics"
	],
	"report_names": [
		"coinbase-cartel-ransomware-group-extortion-tactics"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-18T02:00:03.724887Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-18T02:00:04.746791Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7abb7941-4d80-48b3-b5e3-4cab1d23d312",
			"created_at": "2026-04-17T02:00:03.78592Z",
			"updated_at": "2026-04-18T02:00:04.267275Z",
			"deleted_at": null,
			"main_name": "Coinbase Cartel",
			"aliases": [],
			"source_name": "MISPGALAXY:Coinbase Cartel",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-18T02:00:03.814446Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-18T02:00:04.61761Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb01bdec-5c18-4479-b343-cf58076dacf1",
			"created_at": "2024-08-10T02:02:56.273673Z",
			"updated_at": "2026-04-18T02:00:04.747887Z",
			"deleted_at": null,
			"main_name": "GOLD CRESCENT",
			"aliases": [
				"Hunters International",
				"World Leaks"
			],
			"source_name": "Secureworks:GOLD CRESCENT",
			"tools": [
				"Hunters International",
				"SharpRhino"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "13623ffb-4701-4f3d-bf32-8826346433ac",
			"created_at": "2024-12-21T02:00:02.850766Z",
			"updated_at": "2026-04-18T02:00:04.077313Z",
			"deleted_at": null,
			"main_name": "FunkSec",
			"aliases": [],
			"source_name": "MISPGALAXY:FunkSec",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-18T02:00:05.400312Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1776392408,
	"ts_updated_at": 1776478913,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fa13fa0359290a1ac11a0a4671cc5445c989ea2.pdf",
		"text": "https://archive.orkl.eu/3fa13fa0359290a1ac11a0a4671cc5445c989ea2.txt",
		"img": "https://archive.orkl.eu/3fa13fa0359290a1ac11a0a4671cc5445c989ea2.jpg"
	}
}