On 19 May 2026, a Dublin company that builds messaging software for mobile networks appeared on the leak site of a group calling itself CoinbaseCartel. The listing was marked "active," carried a running countdown, and published nothing. Five days later the same company, Openmind Networks, surfaced on a second and unrelated leak site, this one operated by a ransomware crew called The Gentlemen.
Neither claim has been confirmed. Openmind has issued no statement, and no data tied to either listing has been verified. The correct default for a leak-site post is to treat it as an allegation until proof or a disclosure follows, and that is how we treat both here.
The pair of listings is still a useful way in, because the two groups represent the two operating models that now define the extortion economy. The first of them, CoinbaseCartel, is built on a problem we write about constantly: credentials that leaked long ago and were never treated as a live risk.
This is a profile of that group. Where it came from, how it gets in, how it earns without ever encrypting a file, and why one company can be claimed by two crews in a single week.
Origins: A Name, Not a Connection
CoinbaseCartel emerged in September 2025 and claimed fourteen victims in its first month. By December the count was past sixty. By April 2026 researchers were tracking more than 160 claimed organisations, and the group had climbed into the most active tier of extortion operations within two quarters.
The name is a provocation, not a clue. CoinbaseCartel has no connection to the cryptocurrency exchange Coinbase. Borrowing the brand of a well-known company is a recurring habit in this part of the ecosystem, where notoriety is a recruiting tool and a pressure tactic in its own right.
Attribution is partial and should be read carefully. Through late 2025, several security firms assessed that CoinbaseCartel was likely an offshoot of, or staffed by affiliates from, the loose collective around ShinyHunters, Scattered Spider and Lapsus$, and some trackers file it under a "shinysp1d3r" banner. As of those assessments, the exact link beyond shared contacts and infrastructure had not been fully validated. We have profiled the parent of that collective before, in our ShinyHunters threat profile, and the resemblance is in the method as much as the personnel.
How They Operate: Steal, Don't Encrypt
CoinbaseCartel does not deploy an encryptor. There is no locker, no scrambled files, no recovery key to sell back. The group breaks in, takes data, and threatens to publish or sell it. That is the whole of the model.
Skipping encryption is a deliberate choice, and a revealing one. An encryptor is loud. It halts a business, triggers incident response, draws law enforcement, and forces the victim to notice. Exfiltration is quiet. It can be done quickly, leaves systems running, and gives the victim every incentive to keep the matter private while negotiating. The pressure on the victim is the same, the threat to leak, but the cost and noise of getting there are far lower.
The leak site is organised like a business. Listings carry status flags that escalate over time: active, leaking, leaked. Victims are given roughly 48 hours to initiate contact through the group's negotiation portal, then a window of around ten days to pay or renegotiate the terms, with payment demanded in Bitcoin. The site itself runs distinct sections for victims, for auctions, for "partnerships," and for contact, which tells you the group thinks of stolen data as inventory rather than as a one-time hostage.
The partnerships section is not decorative. It is a recruitment channel. The group openly advertises for "new partners and insiders," asks for structured proposals backed by proof, and offers either a fixed rate or a revenue share depending on what is brought to it. Soliciting insiders is the quiet part said out loud: to CoinbaseCartel, an employee willing to sell access is simply another supplier, indistinguishable from a credential bought from a log.
This encryptor-free posture is why "ransomware" is an imprecise label for CoinbaseCartel, even though most reporting uses it. There is no ransom-ware in the literal sense. It is data-theft extortion, and the distinction matters because it changes both how the attack feels to a victim and where the defensive work has to happen. You cannot back up your way out of a leak.
The Front Door: Stolen, Leaked and Exposed Credentials
The most instructive thing about CoinbaseCartel is not its leak site. It is how the group gets in, because it is the part most organisations never measure, and it is the layer our own work is built around.
The group does not break locks. It collects keys. The keys come from three distinct kinds of credential exposure, and they are worth separating because each is defended differently.
The first is stolen credentials: logins harvested directly off an infected device by commodity infostealer malware, the families we walk through in how modern infostealers work, including RedLine, Lumma and Vidar. When one of these runs on a laptop, it lifts saved credentials straight from the browser and password store and records the exact address each one unlocks. The buyer does not get a guess. They get a working username, a working password, and the URL it belongs to. These are the most dangerous, because they are precise and frequently still current.
The second is leaked credentials: usernames and passwords spilled in third-party breaches, compiled into combolists and breach corpora, and circulating for years. A single old password looks harmless on its own. The danger is reuse. A password exposed in an unrelated breach in 2022 is a live risk anywhere the same person used it again, which for most people is several places that matter.
The third is exposed credentials: secrets left somewhere reachable without breaking anything at all. An API token hardcoded in a public code repository, a key in a misconfigured cloud bucket, a service-account password in a build pipeline, a login pasted into a support ticket. CoinbaseCartel's intrusion at Grafana, which reporting traces to a compromised GitHub token, sits in this category. Nothing was cracked. Something was found.
All three feed the same machine. The harvested or discovered logins are used to walk into the systems that sit on the edge of an organisation and rarely get the scrutiny the core does: cloud consoles, VPN gateways, FTP and SFTP servers, file-transfer platforms, SaaS admin panels, webmail, remote-desktop endpoints. A valid credential on an externally reachable service that does not enforce multi-factor authentication is not a window to be forced. It is a front door with the key left in it. Service accounts and legacy file-transfer systems are the softest of all, because they are the ones nobody remembers to put behind MFA.
The scale of the pattern is documented. In a correlation against Hudson Rock's infostealer database, roughly 80% of CoinbaseCartel's victims were found to have a prior infostealer infection on record, and in many cases the credentials had been sitting in that database for years before the extortion attack landed. One reported example: an SFTP credential for the engineering firm Aptim, captured in an infostealer log in 2023, was used to reach the company's file-transfer environment in 2026. Three years between the leak and the loss.
That gap is the entire point, and it is the argument we make repeatedly in our work on stealer logs and the credential market. A leaked credential is not a one-time event that expires when the news cycle moves on. It is an asset. It is sold for a few dollars, re-sold, bundled into larger collections, and packaged by initial access brokers who test it and resell the access it opens. It stays usable until two things happen: the password is rotated, and the path it opened is actually closed. Most organisations do neither. When a laptop is found to be infected it is reimaged and forgotten, the credentials it leaked are never rotated, and the door it opened stays open. An infection cleaned up and forgotten in 2023 is, to a group like this, a working key in 2026.
This is the layer we operate in. Our research maps which of a person's or an organisation's credentials are exposed across infostealer logs and breach corpora, how old they are, and, the question that actually matters, whether the access paths they open are still live. For an individual that work runs through the Lockdown; for an organisation and its staff it runs through a Corporate Audit; and whether any of it is worth monitoring for continuously is a question we have weighed in detail. The point is not to be alarmed by a leak. It is to know exactly which leaked credentials still work, and to close them before someone with a budget for logs finds them first.
Infostealer logs, leaked passwords and exposed secrets are not the only doors. Reporting also places social engineering and the direct use of initial access brokers in the group's repertoire, which fits the broader collective it is associated with. But the credential pipeline is the signature, and it is the part that should change how an organisation thinks about its own exposure.
Access is only half of an operation like this. The other half is reconnaissance, and most of it is free. A mid-sized firm of the kind that fills these leak-site boards will typically have its staff roster, job titles and work contact details sitting in leaked business-marketing databases, the aggregated output of data brokers, often several years old and re-appearing across multiple breach corpora. That material hands an attacker an org chart before they begin: who runs finance, who administers IT, who sits as executive assistant to the chief executive. It is the targeting layer for the social engineering and insider solicitation already described, and it is why we treat broker-sourced exposure and credential exposure as one problem rather than two. We have written about how that enrichment is assembled into an identity pack for executive targeting, and how unrelated fragments combine through the mosaic effect.
Most organisations have no inventory of which of their people appear in infostealer logs, or how old those credentials are. That is the exact gap groups like CoinbaseCartel monetise.
The ShinyHunters Orbit
CoinbaseCartel does not operate as a classic ransomware-as-a-service brand with a fixed affiliate roster. It recruits directly, and it sits inside a wider, fluid collective rather than standing alone.
That collective, organised loosely around ShinyHunters, Scattered Spider and Lapsus$, has spent the last two years blurring the line between data-theft extortion, social engineering and old-fashioned account takeover. Its members move between brands, share infrastructure and contacts, and reappear under new names when a given operation draws too much attention. We traced that pattern in detail in the ShinyHunters profile, where arrests repeatedly failed to stop the activity because the structure is a network, not a company.
CoinbaseCartel's encryptor-free, credential-driven method is consistent with that lineage. So is the speed of its rise. A group that does not need to develop and maintain a locker, and that buys its access rather than exploiting it, has very little to build before it can start earning. The barrier to entry is a budget for logs and the patience to test them.
The caution stands: the link is an assessment, not a confirmed org chart. But for a defender the attribution question matters less than the method, and the method is unambiguous.
The Auction Economy
Because CoinbaseCartel never encrypts, the stolen data has to do all the work. The group has built its monetisation around that constraint.
The first lever is staged disclosure. A victim is named, a sample is released, and the volume of exposure is increased on a timer. Each step raises the reputational and regulatory pressure without the group having to publish everything at once. The second lever is the auction. The leak site runs a section where third parties bid on stolen datasets before the deadline expires, and it has carried live listings, including a real-estate technology platform put up for open bids. A victim there is not only negotiating against a ransom demand but against a market for their own data.
That market changes the calculus. With an encryptor, paying buys a key and, in theory, restores operations. With data-theft extortion, paying buys a promise not to publish or sell, a promise from a criminal group that has already shown it treats data as a tradable commodity. There is nothing to restore and no clean exit. The data exists, copies exist, and the buyer pool is real.
For any organisation weighing the demand, this is the uncomfortable part: the value of the stolen records to a bidder does not depend on whether the victim pays. It is the same logic we examined in our work on ransom-note rhetoric; the pressure is engineered, and the framing is designed to make payment feel like the only door.
Notable Listings
CoinbaseCartel's board spans sectors and revenue tiers, from regional clinics to multinationals. A few listings are worth drawing out, with the standing caveat that a leak-site claim is a claim until the victim confirms or evidence is published.
Canada Goose (March 2026). The outerwear brand was listed after credentials tied to it surfaced in infostealer data earlier in the year. We have written about Canada Goose before, in the context of a supply-chain breach pattern, and its reappearance here, through a different actor and a credential route, underlines how the same organisation can be exposed by more than one path. The listing has since been marked "updated with proof," and Canada Goose is not alone in the fashion sector on the board, which also names Lacoste, Ralph Lauren and Carter's.
Aptim (credentials from 2023). The clearest illustration of the group's thesis. An SFTP login captured in a 2023 infostealer log was, per reporting, the route into the engineering firm's file-transfer environment in 2026. Three years between the leak and the loss.
The high-revenue tier. The roster reaches well beyond mid-market targets, naming organisations in the tens of billions of revenue: JBS, Engie, PACCAR, Cognizant, the postal operator Correios, the chipmaker Renesas, the telecom SK Telecom, the bank Desjardins and the genomics firm Illumina, among others. Several carry markers claiming uploaded data, such as the 80GB attributed to Cognizant, which suggests not every listing is a bluff. Whether each reflects a full compromise or an opportunistic claim is what the staged-disclosure model is built to keep ambiguous.
Grafana (May 2026), the group's featured victim. Reporting in May described a CoinbaseCartel-linked intrusion at the observability software company that began with a compromised GitHub token, led to source code being downloaded, and moved into extortion. On its leak site the group posted a file tree and a configuration-file sample as claimed proof, and paired the listing with a taunt worth reading for what it admits. The company, it wrote, "had no idea they were breached," the operators were "roaming freely in their systems," and, addressed to the victim: "pay your employees more or we will just keep doing this to you." A token, not a zero-day, was the entry point, and the boast points straight back at staff credentials as the way in.
Openmind Networks (19 May 2026). The listing that began this profile. CoinbaseCartel marked Openmind active with nothing published; The Gentlemen claimed the same company five days later. Openmind sits at a sensitive layer of the telecom stack, the application-to-person messaging rail that delivers one-time passcodes and login verification for banks and platforms, and in February 2026 the company publicly positioned itself as a "trust anchor" securing the "purity" of that channel against fraud. The irony is sharp, but it has to be handled precisely: a claim against a corporate entity is not evidence that its carrier-grade messaging platform was touched, and neither listing has produced proof. If substantiated, it would be the kind of trusted-layer exposure the company's own research warns about. As of writing it remains an allegation.
Two Models, One Victim
The Openmind double-listing is the clearest illustration of where extortion has settled in 2026.
On one side is the encrypt-for-ransom model. Groups like Qilin and The Gentlemen break in, exfiltrate data, then detonate an encryptor across the estate and demand payment for both the key and silence. The attack is loud and disruptive by design, and the locker is the headline. On the other side is the steal-and-auction model that CoinbaseCartel represents: no encryptor, no disruption, just quiet exfiltration and a market.
The two models are converging on the same conclusion, which is that the data, not the encryption, is what forces payment. Even the locker crews now lead with exfiltration and treat the encryptor as a second threat. CoinbaseCartel has simply dropped the part that adds cost and noise without adding pressure.
A single victim landing on two boards in one week is what this convergence looks like in practice. It can happen because affiliates overlap, because the same leaked credentials are bought by more than one buyer, or because one group recycles another's claim to borrow its credibility. The lesson for a defender is not which crew is "real." It is that once an organisation's access is on the market, more than one party can act on it, and the appearance of a name on a leak site is the end of a process that started much earlier, often with a single unrotated password.
Scale and Victimology
The trajectory is steep. Fourteen claimed victims in September 2025, more than sixty by December, more than 160 by April 2026, and a place in the most active tier of extortion groups inside two quarters. Its live board carries on the order of a hundred active listings at any one time, with older entries rotated off as they are paid, sold or abandoned. Healthcare, technology and transportation account for more than half of the victims, with manufacturing and business services close behind.
Two features stand out. The first is indifference to sector sensitivity: healthcare features heavily, including a reported cluster of ten healthcare breaches in the United Arab Emirates within a single month, which raised questions about whether some activity was opportunistic or directed. The second is the revenue spread. The same group that lists a regional clinic also lists multinationals, because the access method does not scale with the target's size. A leaked credential at a hundred-billion-dollar company costs the same to use as one at a small firm.
That is the quiet danger of a credential-driven operation. It is not selective in the way a targeted intrusion is. It is selective in the way a search of a marketplace is, filtered by what access happens to be for sale.
What This Means for Organisations
CoinbaseCartel is not a sophistication problem. It is a hygiene problem that has been industrialised. The defensive work sits almost entirely upstream of the attack, in the exposure an organisation has already accumulated and never measured.
The uncomfortable questions a board or security lead should be able to answer:
- Which of our employees, current and former, appear in infostealer logs, and how old are those credentials? Most organisations have never looked.
- Do any of those leaked credentials still work anywhere, in particular on cloud consoles, VPNs, FTP and file-transfer services, and SaaS admin panels?
- Is multi-factor authentication enforced on every externally reachable service, including the legacy file-transfer and engineering systems that rarely get the attention the main estate does?
- When an employee's device is found to have been infected with an infostealer, do we treat it as a credential-exposure event and rotate everything that device touched, or do we just reimage and move on?
- How would we know if our data were being auctioned, rather than ransomed, given there may be no encryptor and no operational disruption to alert us?
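The first four questions reduce to a join between three datasets an organisation already has or can buy: stealer-log records (login, capture date, the URL each one unlocked), its own account directory (active flag, last rotation date) and its inventory of externally reachable services with their MFA state. The script below is an added example, not the page's or any vendor's code; the record layouts and every value in it are constructed, and the only judgement it makes is the one the profile argues for: a credential captured before its last rotation, on an account that is still enabled, is a live key, and it is worst where the service it fits has no MFA.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Constructed stealer-log export: the login, the exact URL it unlocked, and
# the date the infostealer captured it. Illustrative values only.
STEALER_RECORDS = [
    {"login": "j.doe@example-corp.test", "url": "https://vpn.example-corp.test/login", "captured": "2023-02-11"},
    {"login": "svc-transfer", "url": "sftp://files.example-corp.test", "captured": "2023-06-03"},
    {"login": "a.lee@example-corp.test", "url": "https://console.cloud.example.test/", "captured": "2025-09-20"},
    {"login": "m.khan@example-corp.test", "url": "https://mail.example-corp.test/owa", "captured": "2024-01-15"},
    {"login": "former.staff@example-corp.test", "url": "https://admin.saas.example.test", "captured": "2022-05-30"},
]

# Constructed directory extract: is the account enabled, and when was its
# password last rotated (None = never, the usual state for service accounts).
ACCOUNTS = {
    "j.doe@example-corp.test": {"active": True, "rotated": "2022-12-01"},
    "svc-transfer": {"active": True, "rotated": None},
    "a.lee@example-corp.test": {"active": True, "rotated": "2025-10-02"},
    "m.khan@example-corp.test": {"active": True, "rotated": "2024-01-10"},
    "former.staff@example-corp.test": {"active": False, "rotated": None},
}

# Constructed inventory of externally reachable services and MFA enforcement.
SERVICES = {
    "vpn.example-corp.test": {"mfa": True},
    "files.example-corp.test": {"mfa": False},
    "console.cloud.example.test": {"mfa": True},
    "mail.example-corp.test": {"mfa": False},
    "admin.saas.example.test": {"mfa": True},
}

# Highest first: a live key on a service with no MFA is the front door
# with the key left in it; a rotated password is a closed path.
SEVERITY = {"live-no-mfa": 3, "live": 2, "disabled": 1, "rotated": 0}


@dataclass
class Finding:
    login: str
    host: str
    status: str
    age_days: int  # days since capture; "three years between leak and loss"


def classify(record, accounts, services, today):
    host = urlparse(record["url"]).hostname or record["url"]
    captured = date.fromisoformat(record["captured"])
    age = (today - captured).days
    account = accounts.get(record["login"])
    if account is None or not account["active"]:
        return Finding(record["login"], host, "disabled", age)
    rotated = account["rotated"]
    if rotated is not None and date.fromisoformat(rotated) > captured:
        return Finding(record["login"], host, "rotated", age)
    # Password unchanged since capture: the leaked key still fits the lock.
    # A host missing from the inventory is treated as having no MFA.
    mfa = services.get(host, {}).get("mfa", False)
    return Finding(record["login"], host, "live" if mfa else "live-no-mfa", age)


def triage(records, accounts, services, today):
    """Return findings ordered by severity, oldest exposure first within a tier."""
    findings = [classify(r, accounts, services, today) for r in records]
    findings.sort(key=lambda f: (-SEVERITY[f.status], -f.age_days))
    return findings


if __name__ == "__main__":
    for f in triage(STEALER_RECORDS, ACCOUNTS, SERVICES, date(2026, 5, 24)):
        print(f"{f.status:12} {f.age_days:5d}d  {f.login:32} {f.host}")
```

The output is a rotation queue, not proof of compromise: the top tier is what to rotate and put behind MFA today, and the "disabled" tier is worth a second look because a deprovisioned login can still be valid on a SaaS tenant the directory does not govern.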
This is the layer we map. A Corporate Audit inventories the human and records exposure that sits in front of an organisation, including which of its people and systems are findable in credential and infostealer data, and where an old leak has quietly become a live access path. It is the same exposure surface we examine for individuals through the Lockdown, scaled to an organisation and its staff. The work is not glamorous. It is counting what you have already lost and closing the doors it opens, before someone with a budget for logs does the counting for you.
The Pattern Continues
CoinbaseCartel will be renamed, splintered or absorbed eventually, the way its predecessors have been. The method will not change, because the method works and the supply that feeds it keeps growing. Every infostealer infection that is cleaned up but not treated as a credential leak adds another usable key to a marketplace that groups like this one shop in daily.
The Openmind listings may be confirmed in the coming days, or they may dissolve as unverified claims. Either way, the more durable story is the one underneath them: extortion has moved from breaking locks to collecting keys, and most of the keys were handed over years ago.
Sources
Threat-intelligence research:
- Bitdefender Business Insights, "No Encryptors, No Problem: The Coinbase Cartel Ransomware Group". Data-theft-only model, staged disclosure and auction pages, victim statistics, ShinyHunters-offshoot assessment. businessinsights.bitdefender.com/coinbase-cartel-ransomware-group-extortion-tactics
- Hudson Rock / Infostealers.com, "Inside the Coinbase Cartel: How Infostealer Credentials Fueled a 100+ Company Ransomware Spree". The ~80% prior-infection correlation, RedLine/Lumma/Vidar logs, the Aptim 2023-to-2026 example, named high-revenue victims. infostealers.com/article/inside-the-coinbase-cartel
- Halcyon, "CoinbaseCartel" threat-group profile. Operating model, leak-site mechanics, ransom timeline. halcyon.ai/threat-group/coinbasecartel
- FortiGuard Labs, "Coinbase Cartel Ransomware" threat-actor entry. Sector and geographic spread. fortiguard.com/threat-actor/6386/coinbase-cartel-ransomware
Named incidents:
- The Hacker News, "Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt". The GitHub-token entry point and source-code download. thehackernews.com/2026/05/grafana-github-token-breach-led-to.html
Leak-site tracking and the Openmind claim:
- ransomware.live, group pages for coinbasecartel and thegentlemen. Listing dates and victim rosters. ransomware.live/group/coinbasecartel
- breachsense, Openmind Networks data-breach tracking. breachsense.com/breaches/openmind-networks-data-breach
- CoinbaseCartel data-leak site, current victim board and operator announcements (reviewed 24 May 2026).
Openmind context:
- Openmind Networks, "Future of Messaging Report 2026" press release. The company's own "trust anchor" and A2P-channel positioning. openmindnetworks.com/future-of-messaging-report-2026