A rapidly expanding extortion crew calling itself Coinbase Cartel has claimed more than 100 corporate victims, with cybercrime intelligence firm Hudson Rock confirming that the group's entire access pipeline is built on cheap, recycled infostealer logs rather than the zero-days and advanced social engineering that breached organizations have publicly blamed. The group, which surfaced in September 2025, has already broken into the top 10 most active ransomware brands worldwide and operates as a pure data theft and extortion outfit, skipping file encryption entirely.

What Happened

Coinbase Cartel first appeared in late 2025 as part of a wider shift toward "extortion-only" operations tracked by Bitdefender. Rather than deploying ransomware encryptors, the group quietly exfiltrates large volumes of corporate data and pressures victims with the threat of public release on its Tor leak site, which currently lists 101 confirmed targets under the banner "We have all your data."

The cartel concentrates on high-revenue organizations in healthcare, technology, and transportation, sectors that cannot easily absorb the regulatory and reputational damage of a major leak. Multiple victims have publicly attributed their breaches to sophisticated intrusion techniques, but Hudson Rock's cross-referencing against the Ransomware.live victim list and its own Cavalier infostealer database tells a far simpler story: every confirmed compromise reviewed traces back to credentials previously harvested by commodity stealer malware.

What Was Taken

Because Coinbase Cartel forgoes encryption, the impact on victims is purely confidentiality-driven. Targets span global enterprises with revenues ranging from millions to billions of dollars, and the group's victimology page advertises bulk corporate data sets pulled from cloud tenants, FTP servers, and managed file transfer platforms.

While exact volumes vary by victim, the access pattern (valid logins to cloud storage and file-transfer infrastructure rather than any exploit) points to theft of internal documents, customer records, source code, financial data, and HR information, the usual haul from prolonged access to file shares. The leak site's warning of "all your data" is consistent with the bulk-collection behavior observed against other targets in the same cohort.

Why It Matters

The Coinbase Cartel campaign is a clean case study in how stale infostealer logs continue to power top-tier extortion operations long after the original infection. Hudson Rock's analysis shows that many of the credentials abused in these intrusions were indexed in its database years before the actual breach, meaning defenders had years of warning sitting in commodity threat intel feeds that went unused.

This matters for two reasons. First, it undercuts the narrative that high-impact breaches require advanced tradecraft; in 2026 a $100M+ enterprise can be compromised with a $10 stealer log bought on a Telegram channel. Second, the encryption-free model lowers operational risk for the attackers and reduces the chance of early detection: nothing new runs on the endpoint, so EDR tuned for ransomware loaders and encryptors sees only what looks like a legitimate user downloading files. Expect infostealer-driven extortion to keep growing.

The Attack Technique

Coinbase Cartel's playbook, as documented by Hudson Rock, follows a consistent pattern:

  1. Log aggregation. Operators purchase or scrape logs from infostealer families including RedLine, Lumma, and Vidar across underground markets and Telegram channels.
  2. Credential triage. Logs are filtered for corporate identifiers, focusing on SSO portals, cloud consoles (AWS, Azure, GCP), FTP and SFTP services, and managed file transfer platforms such as those used for B2B data exchange.
  3. Validation. Stolen sessions and credentials are tested against the targeted infrastructure. Many remain valid because the underlying password was never rotated after the original infection, sometimes years earlier.
  4. Bulk exfiltration. Once inside, the group pulls data directly from file shares and cloud buckets, avoiding lateral movement and tooling that would trigger EDR alerts.
  5. Extortion. Victims are contacted with proof-of-theft samples and listed on the cartel's Tor site if they refuse to pay.

No encryptors, no custom malware on the endpoint, and no exotic exploits are required at any stage.

What Organizations Should Do

  1. Subscribe to infostealer intelligence feeds such as Hudson Rock Cavalier, Flare, or equivalent, and continuously match exposed corporate credentials against your active user and service accounts.
  2. Force rotation of any credential ever observed in a stealer log, including service accounts and contractor logins, and treat the infected host as compromised regardless of how old the log is.
  3. Mandate phishing-resistant MFA (FIDO2 security keys or passkeys) on every cloud console, SSO portal, VPN, FTP, SFTP, and managed file transfer service. SMS and TOTP codes can be phished or relayed and do not stop replay of a stolen password. Note that no MFA factor, FIDO2 included, helps once an attacker replays a session cookie lifted after authentication; that gap is what the session controls in the next item close.
  4. Shrink the window in which a stolen session cookie is useful: enforce short session and refresh-token lifetimes, bind sessions to a managed, compliant device, and revoke refresh tokens on any anomalous geo or ASN change. In sign-in logs, the same session or token identifier appearing from two different ASNs is the signature of a replayed cookie and should be treated as a compromise, not a travel anomaly.
  5. Monitor for bulk download patterns in cloud storage, SharePoint/OneDrive, and MFT platforms; tune DLP and CASB rules to alert on first-time large egress to residential or VPS IP ranges.
  6. Audit contractor and third-party access on a recurring basis. Many cartel intrusions pivot through third-party identities that the victim organization does not own and cannot patch.
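The credential-triage step in the attack playbook and the feed-matching in items 1 and 2 above are the same operation seen from opposite sides: parse a stealer log, keep the entries that touch corporate identity, cloud or file-transfer hosts, and look them up in an inventory of active accounts. The following Python is an added example written for this page, not code from Hudson Rock, Cavalier, Flare or any other feed. The log text, the organisation domain example-corp.com, the shared-console list, the capture date and the account inventory are all constructed; real logs vary in layout by stealer family, and a production version would consume the feed's own export rather than a raw passwords.txt blob.

```python
"""Triage stealer-log credentials against an active-account inventory.

Added example for this page (not Hudson Rock / Cavalier code). Parses the
plaintext "passwords.txt" layout that RedLine/Lumma/Vidar-style stealers
commonly write (URL / USER / PASS blocks), keeps entries that touch corporate
identity, cloud or file-transfer hosts, and looks them up in an inventory of
active accounts so each hit can be rotated. All inputs are constructed.
"""
import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

# Field labels differ by stealer family; accept the common variants.
LABELS = {
    "url": re.compile(r"^(?:URL|Host(?:name)?)\s*:\s*(.+)$", re.I),
    "user": re.compile(r"^(?:USER(?:NAME)?|Login)\s*:\s*(.+)$", re.I),
    "pass": re.compile(r"^(?:PASS(?:WORD)?)\s*:\s*(.+)$", re.I),
}

ORG_DOMAINS = {"example-corp.com"}  # constructed: the organisation's domains
# Shared consoles where only the username reveals the tenant (constructed list).
SHARED_CONSOLES = {
    "console.aws.amazon.com", "portal.azure.com",
    "console.cloud.google.com", "login.microsoftonline.com",
}


@dataclass(frozen=True)
class Cred:
    host: str
    user: str
    password: str


def host_of(raw: str) -> str:
    """Normalise a URL or bare host to a lowercase hostname."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "//" + raw  # lets urlparse treat a bare host as the netloc
    return (urlparse(raw).hostname or "").lower()


def parse_stealer_log(text: str) -> list[Cred]:
    """Split a passwords.txt-style dump into (host, user, password) records."""
    records, cur = [], {}

    def flush():
        if {"url", "user", "pass"} <= cur.keys():
            records.append(Cred(host_of(cur["url"]), cur["user"].strip(),
                                cur["pass"].strip()))
        cur.clear()

    for line in text.splitlines():
        for key, rx in LABELS.items():
            m = rx.match(line.strip())
            if m:
                if key == "url" and cur:
                    flush()  # a new URL/Host line starts the next record
                cur[key] = m.group(1)
                break
    flush()
    return records


def is_corporate(c: Cred) -> bool:
    """Keep org-owned hosts, or org identities used on shared cloud consoles."""
    if any(c.host == d or c.host.endswith("." + d) for d in ORG_DOMAINS):
        return True
    user_domain = c.user.rpartition("@")[2].lower()
    return c.host in SHARED_CONSOLES and user_domain in ORG_DOMAINS


@dataclass(frozen=True)
class Finding:
    cred: Cred
    log_captured: date
    rotated_since: bool  # password changed after the log was captured?


def triage(text: str, captured: date, inventory: dict[str, date]) -> list[Finding]:
    """Corporate entries whose username is an active account in the inventory.
    Every hit is a rotation candidate; the infected host is compromised either way."""
    hits = []
    for c in parse_stealer_log(text):
        if is_corporate(c) and c.user.lower() in inventory:
            hits.append(Finding(c, captured, inventory[c.user.lower()] > captured))
    return hits


# Constructed sample log, in the layout a stealer's passwords.txt might use.
SAMPLE_LOG = """\
URL: https://sso.example-corp.com/adfs/ls/
USER: j.doe@example-corp.com
PASS: Winter2021!
===============
URL: https://www.netflix.com/login
USER: jdoe_home@gmail.com
PASS: hunter2
===============
Host: sftp.example-corp.com
Login: svc-mft-partner
Password: Partner#2020
===============
URL: https://console.aws.amazon.com/console/home
USER: deploy@example-corp.com
PASS: aws-temp-pass
"""
LOG_CAPTURED = date(2022, 5, 10)  # constructed: when the feed first indexed this log
ACTIVE_ACCOUNTS = {  # constructed inventory: active account -> last password rotation
    "j.doe@example-corp.com": date(2021, 3, 15),
    "svc-mft-partner": date(2019, 11, 2),
    "deploy@example-corp.com": date(2025, 12, 1),
}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, LOG_CAPTURED, ACTIVE_ACCOUNTS):
        age = (date.today() - f.log_captured).days // 365
        note = "rotated since capture; still treat host as compromised" if f.rotated_since else "ROTATE NOW"
        print(f"{f.cred.user:26} {f.cred.host:26} log ~{age}y old  {note}")
```

The Netflix entry is dropped because neither the host nor the username belongs to the organisation, while the AWS console entry is kept purely on the strength of the corporate username, which is the case a host-only filter misses. The deploy account shows the other nuance: its password was rotated after the log was captured, so the stored secret is stale, but the machine that leaked it is still an infected endpoint and should be handled as item 2 says.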
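Items 4 and 5 above, as an added example that is not part of the source article: a small detector run over constructed cloud-storage audit events, flagging (a) a session identifier that reappears from a different ASN than the one it was first seen on, which is the signature of a replayed cookie, and (b) a first-time burst of downloads from a residential or VPS network. The ASN table, the 30-day baseline, the user names and the events are all constructed; in practice the ASN comes from a GeoIP/ASN database and the events from the M365 unified audit log, a CASB export, or the MFT platform's own audit trail.

```python
"""Detect replayed session cookies and first-time bulk egress in audit logs.

Added example for this page (not from the source article or any vendor).
Events, ASN table and baseline are constructed; a real deployment would take
the ASN from a GeoIP/ASN database and the events from the M365 unified audit
log, a CASB export, or the MFT platform's audit trail.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ASN table: network -> (label, kind). Consumer ISPs and cheap
# VPS ranges are where buyers of stealer logs usually connect from.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64500 ExampleCorp", "corporate"),
    (ipaddress.ip_network("198.51.100.0/24"), "AS64501 HomeISP", "residential"),
    (ipaddress.ip_network("192.0.2.0/24"), "AS64502 CheapVPS", "vps"),
]
RISKY_KINDS = {"residential", "vps"}
BULK_THRESHOLD = 5              # downloads per WINDOW that count as bulk
WINDOW = timedelta(minutes=10)


def lookup_asn(ip: str) -> tuple[str, str]:
    addr = ipaddress.ip_address(ip)
    for net, label, kind in ASN_TABLE:
        if addr in net:
            return label, kind
    return "unknown", "unknown"


def detect(events, baseline):
    """Return alerts for (a) a session id seen from a second ASN and (b) at
    least BULK_THRESHOLD downloads within WINDOW from a risky ASN for which
    the (user, ASN) pair has no baseline. Events must be chronological."""
    alerts = []
    session_origin = {}            # session id -> ASN label at first sight
    replay_seen = set()            # (session, asn) pairs already alerted
    recent = defaultdict(deque)    # user -> timestamps of recent downloads
    bulk_seen = set()              # (user, asn) pairs already alerted
    for ev_ in events:
        ts = datetime.fromisoformat(ev_["ts"])
        asn, kind = lookup_asn(ev_["ip"])
        sid = ev_["session"]
        origin = session_origin.setdefault(sid, asn)
        if origin != asn and (sid, asn) not in replay_seen:
            replay_seen.add((sid, asn))   # in production: revoke the token here
            alerts.append(("SESSION_REPLAY", ev_["user"], sid, f"{origin} -> {asn}"))
        if ev_["op"] != "FileDownloaded":
            continue
        q = recent[ev_["user"]]
        q.append(ts)
        while ts - q[0] > WINDOW:         # drop downloads outside the window
            q.popleft()
        key = (ev_["user"], asn)
        if (len(q) >= BULK_THRESHOLD and kind in RISKY_KINDS
                and key not in baseline and key not in bulk_seen):
            bulk_seen.add(key)
            alerts.append(("BULK_EGRESS", ev_["user"], asn, f"{len(q)} downloads in {WINDOW}"))
    return alerts


def ev(ts, op, user, ip, session):
    return {"ts": ts, "op": op, "user": user, "ip": ip, "session": session}


HQ, HOME, VPS = "203.0.113.20", "198.51.100.77", "192.0.2.55"
ALICE, JDOE, BLEE = "a.smith@example-corp.com", "j.doe@example-corp.com", "b.lee@example-corp.com"
DL = "FileDownloaded"

# Constructed, chronological audit events (M365-style fields, simplified).
EVENTS = (
    [ev("2026-01-12T09:00:00", "UserLoggedIn", JDOE, HQ, "S1"),
     ev("2026-01-12T09:05:00", DL, JDOE, HQ, "S1")]
    # a.smith: routine burst from HQ on the corporate ASN, never alerts
    + [ev(f"2026-01-12T10:0{i}:00", DL, ALICE, HQ, "S2") for i in range(1, 9)]
    # b.lee: remote worker on a residential ISP that is in the baseline, no alert
    + [ev(f"2026-01-12T11:0{i}:00", DL, BLEE, HOME, "S3") for i in range(1, 7)]
    # j.doe's S1 cookie replayed from a VPS hours later, followed by bulk pulls
    + [ev(f"2026-01-12T13:0{i}:00", DL, JDOE, VPS, "S1") for i in range(0, 6)]
)
# Constructed 30-day baseline of (user, ASN) pairs seen before today.
BASELINE = {(ALICE, "AS64500 ExampleCorp"), (JDOE, "AS64500 ExampleCorp"), (BLEE, "AS64501 HomeISP")}

if __name__ == "__main__":
    for alert_type, user, where, detail in detect(EVENTS, BASELINE):
        print(f"{alert_type:15} {user:26} {where:22} {detail}")
```

The two benign bursts are the point: a.smith's downloads never alert because the corporate ASN is not in the risky set, and b.lee's residential-ISP downloads never alert because that pair is baselined, so the rule fires only on j.doe, whose S1 cookie surfaces from a VPS four hours after it was issued at HQ. A replay alert is worth acting on even before the bulk threshold trips, since the session should be revoked the moment it appears from a second network.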

Sources: Inside the Coinbase Cartel: How Infostealer Credentials Fueled a 100+ Company Ransomware Spree | InfoStealers