Altpro, a US-operating company tied to the domain altpro.hr, has been named as a victim on the coinbasecartel ransomware leak site. The incident was disclosed on 2026-04-18 and is the latest in a growing list of postings from this relatively young but increasingly active extortion crew.
What Happened
According to threat intelligence reporting, coinbasecartel added Altpro to its data leak blog on 2026-04-18 at approximately 17:15 UTC. The listing, mirroring the group's typical pattern, signals that Altpro's environment was accessed, data was likely exfiltrated, and negotiations either failed, were ignored, or have entered a public-pressure phase. The victim's identified domain, altpro.hr, suggests Croatian corporate infrastructure tied to US-facing operations, though the business sector was not specified in the leak post. No ransom figure has been publicly disclosed.
What Was Taken
Coinbasecartel has not yet published a sample pack or full data dump at the time of writing, so the exact scope of exfiltrated information remains unconfirmed. Based on the group's prior victim postings, affected organizations typically see a mix of internal business documents, financial records, HR and employee personal data, client contracts, and operational files. Until Altpro or coinbasecartel releases further detail, defenders should assume a worst-case scenario of full file-server and shared-drive compromise.
Why It Matters
Coinbasecartel has been steadily accumulating victims across multiple sectors, with recent postings including ASTM Group and McCuaig and Associates Engineering. The group's cadence indicates either a capable in-house intrusion team or active use of initial access brokers feeding a ransomware-as-a-service style pipeline. Altpro's appearance on the leak site extends the crew's international reach and reinforces that mid-market organizations with cross-border footprints remain prime targets, particularly when their external attack surface includes legacy VPN, RDP, or unpatched edge appliances.
The Attack Technique
Specific initial access vectors used against Altpro have not been disclosed. Coinbasecartel has historically been observed leveraging phishing for credential theft, exploitation of exposed remote access services, and abuse of valid accounts to move laterally. Post-compromise tradecraft typically includes credential dumping, disabling endpoint defenses, staging data for exfiltration via cloud storage or file transfer utilities, and deploying ransomware binaries across domain-joined systems during off-hours windows to maximize impact before detection.
What Organizations Should Do
- Audit all external-facing remote access: enforce MFA on VPN, RDP, and admin portals, and decommission unused exposures.
- Hunt for indicators of coinbasecartel activity: unusual outbound transfers made with sync tools such as rclone, or destined for MEGA or anonymous file hosts, and newly created local admin accounts.
- Verify immutable, offline backups exist for critical data and that restoration has been tested within the last 90 days.
- Deploy and tune EDR with tamper protection enabled, and alert on mass file modifications and shadow copy deletion.
- Run a tabletop exercise assuming full domain compromise, including legal, PR, and regulator notification workflows.
- Enroll high-risk staff in phishing-resistant MFA such as FIDO2 hardware keys and review privileged account usage for anomalies.
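The hunting and alerting items above (mass file modifications, shadow copy deletion, rclone or MEGA-bound transfers, new privileged accounts, off-hours timing) can be expressed as a small rule set run over endpoint telemetry. The script below is an added illustration written for this post, not code from the page, from Altpro, or from any threat intelligence vendor. It assumes a simplified, constructed event schema (process, network, group-change and file-modify records such as an EDR or Sysmon pipeline might emit), an assumed 06:00-20:00 UTC working window, and an assumed short list of file-host names used only as an example; the sample events are constructed and do not describe the Altpro incident.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command lines that remove recovery options (shadow copies, boot recovery); these are
# the "shadow copy deletion" signals the checklist asks EDR to alert on.
RECOVERY_TAMPER = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+catalog"
    r"|bcdedit(?:\.exe)?\s+.*recoveryenabled\s+no",
    re.IGNORECASE,
)
# Sync tooling and destinations worth reviewing. ASSUMED illustrative lists, not a curated IOC feed.
EXFIL_TOOLS = ("rclone", "megasync", "megacmd")
EXFIL_HOSTS = ("mega.nz", "mega.co.nz", "anonfiles.", "transfer.sh")
PRIVILEGED_GROUPS = ("administrators", "domain admins")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_off_hours(ts, start=6, end=20):
    """True outside an assumed 06:00-20:00 UTC working window."""
    return ts.hour < start or ts.hour >= end


def hunt(events, mass_threshold=100, window_s=60, exfil_bytes=1_000_000_000):
    """Return a list of findings, each tagged with whether it fell in off-hours."""
    findings = []
    modify_times = defaultdict(list)  # (host, image) -> timestamps of file writes

    def flag(rule, ev, detail):
        findings.append({"rule": rule, "host": ev["host"], "user": ev.get("user"), "ts": ev["ts"],
                         "off_hours": is_off_hours(parse_ts(ev["ts"])), "detail": detail})

    for ev in events:
        image = ev.get("image", "").lower()
        if ev["type"] == "process":
            cmd = ev.get("cmdline", "")
            if RECOVERY_TAMPER.search(cmd):
                flag("recovery_tamper", ev, cmd)
            if any(t in image for t in EXFIL_TOOLS):
                flag("exfil_tool_exec", ev, cmd)
        elif ev["type"] == "network":
            dest = ev.get("dest", "").lower()
            big = ev.get("bytes_out", 0) >= exfil_bytes
            if any(h in dest for h in EXFIL_HOSTS) or (big and any(t in image for t in EXFIL_TOOLS)):
                flag("exfil_transfer", ev, f"{dest} bytes_out={ev.get('bytes_out', 0)}")
        elif ev["type"] == "group_change":
            # Windows event 4732: member added to a security-enabled local group.
            if ev.get("event_id") == 4732 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
                flag("privileged_group_add", ev, f"{ev['member']} -> {ev['group']}")
        elif ev["type"] == "file_modify":
            modify_times[(ev["host"], image)].append(parse_ts(ev["ts"]))

    # Mass modification: >= mass_threshold writes by one process on one host inside window_s seconds.
    for (host, image), times in modify_times.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= mass_threshold:
                flag("mass_file_modification",
                     {"ts": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "host": host, "user": None},
                     f"{hi - lo + 1} modifications by {image} within {window_s}s")
                break
    return findings


# Constructed sample telemetry (not from the incident); one benign Office launch, the rest suspicious.
SAMPLE_EVENTS = [
    {"ts": "2026-04-17T02:14:03Z", "host": "FS01", "user": "CORP\\svc-backup", "type": "process",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2026-04-17T02:14:10Z", "host": "FS01", "user": "CORP\\svc-backup", "type": "process",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"ts": "2026-04-16T23:40:00Z", "host": "WS22", "user": "CORP\\jdoe", "type": "process",
     "image": "C:\\Users\\jdoe\\Downloads\\rclone.exe", "cmdline": "rclone.exe copy D:\\Shares remote:bucket -q"},
    {"ts": "2026-04-16T23:41:00Z", "host": "WS22", "user": "CORP\\jdoe", "type": "network",
     "image": "C:\\Users\\jdoe\\Downloads\\rclone.exe", "dest": "s3.example-cloud.net", "bytes_out": 52_000_000_000},
    {"ts": "2026-04-16T22:05:00Z", "host": "DC01", "user": "CORP\\jdoe", "type": "group_change",
     "event_id": 4732, "group": "Administrators", "member": "helpdesk2"},
    {"ts": "2026-04-17T10:00:00Z", "host": "WS10", "user": "CORP\\asmith", "type": "process",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE report.docx"},
] + [  # 150 file writes by one unknown binary inside a single minute on the file server
    {"ts": f"2026-04-17T02:16:{i % 60:02d}Z", "host": "FS01", "user": "CORP\\svc-backup",
     "type": "file_modify", "image": "C:\\PerfLogs\\update.exe", "path": f"D:\\Shares\\Finance\\doc{i}.xlsx"}
    for i in range(150)
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']:5} {f['rule']:24} off_hours={f['off_hours']} {f['detail']}")
```

The thresholds (100 writes in 60 seconds, 1 GB outbound) are starting points to tune against a baseline of normal backup and sync jobs; the off-hours tag is meant to raise priority, not to suppress daytime hits, since the post notes the same tradecraft can run at any time.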