Coinbase Cartel is an extortion-only group that has claimed over 100 victims by exfiltrating data rather than encrypting files, so victim systems stay operational while sensitive corporate information is leaked. Hudson Rock's intelligence shows the cartel predominantly gains access by reusing old credentials harvested by infostealer families such as RedLine, Lumma, and Vidar to log in to cloud, FTP, and file-sharing services; because the credentials may have been stolen years earlier from any of many infected employees, this complicates both attribution and remediation. #CoinbaseCartel #RedLine
Keypoints
- Coinbase Cartel has claimed over 100 targets and operates as an extortion-only group that steals data instead of deploying file encryptors.
- The group gains initial access mainly through reused credentials harvested by Infostealer families such as RedLine, Lumma, and Vidar.
- Hudson Rock’s Cavalier database correlated with Ransomware.live shows roughly 80% of victims had prior Infostealer infections.
- High-revenue organizations in healthcare, technology, and transportation are primary targets due to regulatory and reputational exposure.
- Widespread historical credential leakage and numerous infected employees make attribution difficult and enable long-term access without exploiting zero-days.
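The practical check that follows from the points above is to correlate which corporate credentials appear in infostealer logs with successful logins to the services those credentials unlock, since a stealer-harvested password that is still valid years after the infection is exactly what this group relies on. The script below is an added example, not code from Hudson Rock or the original post: it parses a constructed stealer-log dump in a simplified URL/USER/PASS/DATE layout (an assumed stand-in, not any real stealer family's format), keeps only records tied to the organization's domains, and flags successful logins by those accounts from source IPs outside each account's constructed baseline, reporting how old the exposed credential was at the time of use. The account names, IPs, and log lines are all constructed.

```python
"""Correlate infostealer-exposed corporate credentials with service auth logs.

Added example. Formats and data are constructed for illustration; the
stealer-log layout is a simplified stand-in, not a real vendor format.
"""
import re
from datetime import datetime, timezone

# Constructed stealer-log dump: one record per blank-line-separated block.
STEALER_LOG = """\
URL: https://files.example.com/login
USER: alice@example.com
PASS: Summer2021!
DATE: 2021-06-02

URL: ftp://ftp.example.com
USER: svc_backup
PASS: backup123
DATE: 2022-11-19

URL: https://shop.unrelated.net/account
USER: bob@gmail.com
PASS: hunter2
DATE: 2024-01-05
"""

# Constructed auth log lines: <timestamp> <service> <user> <src_ip> <result>
AUTH_LOG = """\
2025-03-01T08:02:11Z sharepoint alice@example.com 203.0.113.10 success
2025-03-02T23:41:07Z sharepoint alice@example.com 198.51.100.77 success
2025-03-03T02:15:30Z ftp svc_backup 198.51.100.77 success
2025-03-03T02:16:02Z ftp svc_backup 198.51.100.77 success
2025-03-03T09:00:00Z sharepoint carol@example.com 203.0.113.10 success
"""

ORG_DOMAINS = {"example.com"}
# Constructed baseline of source IPs each account normally logs in from.
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "svc_backup": {"203.0.113.25"}}

RECORD_RE = re.compile(
    r"URL: (?P<url>\S+)\nUSER: (?P<user>\S+)\nPASS: (?P<pw>\S+)\nDATE: (?P<date>\S+)"
)


def parse_stealer_log(text):
    """Return one dict per URL/USER/PASS/DATE record in the dump."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def host_of(url):
    """Strip scheme, path and port to get the bare hostname."""
    return re.sub(r"^[a-z]+://", "", url).split("/")[0].split(":")[0].lower()


def in_org(record, org_domains):
    """True if the record's target host or the username's domain is ours."""
    host = host_of(record["url"])
    user = record["user"].lower()
    user_domain = user.rsplit("@", 1)[-1] if "@" in user else ""
    return any(host == d or host.endswith("." + d) or user_domain == d for d in org_domains)


def exposed_accounts(text, org_domains):
    """Map each org-related account to its earliest known infection date."""
    exposed = {}
    for rec in parse_stealer_log(text):
        if not in_org(rec, org_domains):
            continue
        when = datetime.strptime(rec["date"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        user = rec["user"].lower()
        exposed[user] = min(exposed.get(user, when), when)
    return exposed


def flag_logins(auth_text, exposed, known_ips):
    """Flag successful logins by exposed accounts from non-baseline IPs."""
    hits = []
    for line in auth_text.splitlines():
        ts, service, user, ip, result = line.split()
        user = user.lower()
        if result != "success" or user not in exposed:
            continue
        if ip in known_ips.get(user, set()):
            continue  # baseline source; not evidence of reuse on its own
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        hits.append({
            "user": user, "service": service, "src_ip": ip, "ts": ts,
            "cred_age_days": (when - exposed[user]).days,
        })
    return hits


if __name__ == "__main__":
    exposed = exposed_accounts(STEALER_LOG, ORG_DOMAINS)
    for h in flag_logins(AUTH_LOG, exposed, KNOWN_IPS):
        print(f"{h['ts']} {h['service']} {h['user']} from {h['src_ip']} "
              f"(credential exposed {h['cred_age_days']} days earlier)")
```

Every flagged account should be treated as compromised regardless of whether the login was malicious: rotate the password, revoke sessions and tokens, and enforce MFA on the service. The non-corporate record (a personal shopping account) is deliberately dropped, since the useful signal is credentials that unlock the organization's own cloud, FTP and file-sharing services.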