On April 23, 2026, the ransomware group known as Coinbase Cartel publicly claimed responsibility for a cyberattack against Aptim, a major United States-based engineering and infrastructure services firm operating at aptim.com. The group announced its intention to leak confidential corporate data unless ransom demands are met, and posted what appears to be a Kerberos pre-authentication hash tied to the APTIM.COM domain as proof of intrusion. The claim was publicized through threat intelligence tracker DeXpose on April 24, 2026.
What Happened
Coinbase Cartel added Aptim to its public leak site on April 23, 2026, joining a growing list of engineering, industrial, and critical infrastructure sector victims targeted by the group in recent months. The threat actors issued a direct extortion threat, warning that confidential files exfiltrated from Aptim's environment will be released publicly if the company does not engage with their ransom demands within the stated deadline. As evidence of compromise, the attackers published a Kerberos AS-REP style pre-authentication artifact referencing the internal Active Directory realm APTIM.COM, indicating direct access to domain authentication infrastructure rather than a superficial web-tier breach.
What Was Taken
The full scope and volume of exfiltrated data have not yet been disclosed by either Aptim or the threat group. Based on Coinbase Cartel's historical operating pattern and the nature of the leaked authentication artifact, likely exposure categories include:
- Active Directory credential material, including Kerberos hashes suitable for offline cracking
- Internal engineering project documentation, drawings, and client deliverables
- Employee personally identifiable information (PII) and payroll data
- Contract, financial, and procurement records
- Email archives and internal communications
Given Aptim's work across government, energy, environmental, and industrial clients, any leaked material carries elevated downstream risk to partner organizations and federal programs.
Why It Matters
Aptim is a significant provider of engineering, program management, and environmental services to U.S. federal agencies and critical infrastructure operators. A confirmed compromise reaching domain authentication level carries implications well beyond Aptim itself: stolen project data and credentials can enable follow-on supply chain intrusions against government and industrial clients. The incident also reinforces the ongoing pattern of ransomware groups prioritizing the engineering and industrial sector, where operational urgency and sensitive client data create high leverage for extortion.
The Attack Technique
While Coinbase Cartel has not disclosed its initial access vector for this specific intrusion, the published Kerberos pre-authentication hash strongly suggests the group achieved a foothold inside the Aptim Windows domain and performed credential harvesting against the APTIM.COM realm. Hashes of this form are typically obtained through AS-REP roasting against accounts with Kerberos pre-authentication disabled, or through traffic capture and memory extraction following privileged access. Coinbase Cartel's broader tradecraft has historically involved phishing for initial access, abuse of exposed remote access services, living-off-the-land reconnaissance, and staged exfiltration prior to encryption or pure extortion. Once inside, the group commonly escalates via harvested credentials and stages data on attacker-controlled infrastructure before issuing public extortion notices.
What Organizations Should Do
- Audit Active Directory for accounts with Kerberos pre-authentication disabled, rotate service account passwords, and enforce long, random credentials resistant to offline cracking.
- Hunt for indicators of AS-REP roasting, Kerberoasting, and anomalous domain controller queries across SIEM and EDR telemetry covering the last 90 days.
- Enforce phishing-resistant multi-factor authentication on all remote access, VPN, and privileged administrative pathways.
- Validate that backups are immutable, segmented from production identity infrastructure, and tested for restoration under ransomware scenarios.
- Integrate Coinbase Cartel leak site monitoring and related indicators of compromise into threat intelligence feeds, and watch for secondary exposure of client, partner, or supplier data.
- Engage qualified incident response and legal counsel before any communication with the threat actor, and coordinate with CISA and sector ISACs where critical infrastructure clients are implicated.
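The first two recommendations above (audit for accounts with pre-authentication disabled, and hunt for AS-REP roasting) can be checked with a short script. The following is an added example written for this article, not code from DeXpose or Aptim; it runs over constructed sample data shaped like LDAP userAccountControl values and the EventData fields of Windows Security event 4768 (TGT requested), with the numeric fields already converted from their logged string form.

```python
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000      # userAccountControl bit "Do not require Kerberos preauthentication"
RC4_HMAC = 0x17                  # etype 23; an RC4 AS-REP cracks far faster offline than AES
KDC_ERR_PREAUTH_REQUIRED = 0x19  # benign: the normal first leg of a client that does pre-auth

# Constructed sample of directory objects: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("jdoe", 0x10200),          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("svc_legacy", 0x410200),   # same, plus DONT_REQ_PREAUTH: roastable
    ("svc_old", 0x410200),      # roastable
    ("krbtgt", 0x202),          # NORMAL_ACCOUNT | ACCOUNTDISABLE
]

# Constructed sample of Security event 4768 EventData. PreAuthType 2 is PA-ENC-TIMESTAMP,
# 0 is "logon without pre-authentication"; Status is the KDC result code.
SAMPLE_EVENTS = [
    {"TargetUserName": "jdoe", "IpAddress": "10.1.5.21", "PreAuthType": 0,
     "TicketEncryptionType": 0x12, "Status": KDC_ERR_PREAUTH_REQUIRED},   # normal round trip
    {"TargetUserName": "jdoe", "IpAddress": "10.1.5.21", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "Status": 0x0},                        # normal success
    {"TargetUserName": "svc_legacy", "IpAddress": "10.1.9.77", "PreAuthType": 0,
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0},                    # AS-REP handed out blind
    {"TargetUserName": "svc_old", "IpAddress": "10.1.9.77", "PreAuthType": 0,
     "TicketEncryptionType": RC4_HMAC, "Status": 0x0},                    # same source, second account
]

def preauth_disabled(accounts):
    """Audit step: names whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]

def asrep_roast_hits(events):
    """Hunt step: (source_ip, account, used_rc4) for every TGT issued without pre-auth.

    PreAuthType 0 with Status 0x19 is the ordinary first request of a client
    that will retry with a timestamp, so it is ignored. PreAuthType 0 with
    Status 0x0 means the KDC returned an AS-REP with no proof of the password,
    which is exactly what AS-REP roasting collects for offline cracking.
    """
    hits = set()
    for e in events:
        if e["PreAuthType"] == 0 and e["Status"] == 0x0:
            hits.add((e["IpAddress"], e["TargetUserName"], e["TicketEncryptionType"] == RC4_HMAC))
    return sorted(hits)

def roast_sources(events, min_accounts=2):
    """Source IPs that pulled pre-auth-free AS-REPs for at least min_accounts distinct users."""
    per_ip = defaultdict(set)
    for ip, user, _ in asrep_roast_hits(events):
        per_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in per_ip.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    print("pre-auth disabled:", preauth_disabled(SAMPLE_ACCOUNTS))
    print("AS-REP without pre-auth:", asrep_roast_hits(SAMPLE_EVENTS))
    print("sweeping sources:", roast_sources(SAMPLE_EVENTS))
```

In a live hunt the same logic applies to 4768 records exported from the domain controllers' Security logs; any account that appears in both the audit result and the hunt result should have its password rotated and pre-authentication re-enabled.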
Sources: Coinbase Cartel Infiltrates Engineering Leader Aptim - DeXpose