Medical device manufacturer Integer Holdings has reportedly been hit by the ransomware group coinbasecartel in a double-extortion attack that allegedly went undetected for nearly six months. According to HookPhish reporting, the intrusion occurred on November 10, 2025, but was not discovered until April 23, 2026 at 09:56:29 UTC. The dwell-time gap of roughly 165 days is the kind of window that lets attackers map networks, harvest credentials, and quietly stage terabytes of data before anyone sounds the alarm.
What Happened
The threat actor coinbasecartel has self-attributed the attack, claiming responsibility for compromising Integer Holdings (integer.net), a U.S.-based manufacturer with a significant medical device portfolio. The incident follows the now-standard double-extortion model: encryption of victim systems paired with exfiltration of sensitive data and threats to leak it publicly if a ransom is not paid. As of initial reporting, Integer Holdings has not issued a formal public statement, and key details such as the volume of stolen data and the size of the ransom demand remain unconfirmed. Despite the name, there is no indication coinbasecartel has any affiliation with the Coinbase exchange; underground naming conventions frequently borrow recognizable brands to sow confusion.
What Was Taken
Specific data volumes have not been publicly disclosed, but the risk themes flagged in early reporting align with what is typically harvested in manufacturing-sector intrusions. Likely categories of exposure include proprietary engineering and design files tied to Integer's medical device portfolio, employee records and HR data, customer and supplier information, and internal operational and financial documents. Given Integer's role as a component supplier to medical device OEMs, any leaked design specifications, manufacturing tolerances, or regulatory submission materials could carry implications well beyond the company itself, touching downstream device makers and the patients who depend on those products.
Why It Matters
Manufacturing remains one of the most-targeted sectors for ransomware in 2026, and medical device makers sit at a particularly painful intersection of operational fragility and regulatory exposure. Production downtime translates directly into missed shipments to hospitals and OEMs, while leaked intellectual property can erode years of R&D investment. Integer Holdings supplies components used across cardiac, neuromodulation, vascular, and orthopedic devices, meaning a sustained operational disruption could ripple through the broader healthcare supply chain. The six-month dwell time is also a warning to defenders: detection capabilities focused only on the encryption stage are catching attackers far too late, after data theft is complete and leverage has already shifted to the adversary.
The Attack Technique
Public reporting has not confirmed the initial access vector used against Integer Holdings, but coinbasecartel's playbook as described aligns with common double-extortion tradecraft. Typical entry points for groups operating in this mold include phishing for credentials, exploitation of internet-exposed remote access services such as VPNs and RDP, abuse of valid accounts purchased from initial access brokers, and exploitation of unpatched perimeter systems. Post-compromise activity generally follows a predictable arc: lateral movement using stolen credentials, privilege escalation, identification of high-value file shares and backups, staging and bulk exfiltration to attacker-controlled cloud storage, and finally deployment of the ransomware payload. The long dwell time in this case suggests stealthy living-off-the-land techniques rather than noisy tooling.
What Organizations Should Do
- Hunt for dwell-time indicators. Don't wait for an encryption event. Proactively review six to twelve months of logs for anomalous authentication, unusual data egress, and rare process execution on high-value systems.
- Harden remote access. Enforce phishing-resistant MFA on every external-facing service, retire legacy VPN appliances on outdated firmware, and disable internet-exposed RDP entirely.
- Segment OT and engineering networks. Isolate manufacturing systems, design environments, and regulated data stores from general corporate IT to limit blast radius from a single compromised endpoint.
- Protect backups as a primary target. Use immutable, offline, or logically air-gapped backups, test restoration regularly, and monitor backup infrastructure for the same threats as production systems.
- Deploy egress monitoring and DLP. Bulk exfiltration to cloud storage providers and uncommon hosting infrastructure should trigger high-fidelity alerts, especially outside business hours.
- Pre-stage incident response. Have legal, regulatory, communications, and forensic retainers in place before an incident, and rehearse ransomware tabletop scenarios that explicitly include data theft and extortion.
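The first and fifth recommendations above (hunting historical logs for dwell-time indicators, and alerting on bulk off-hours egress) can be prototyped as a small retrospective hunt. The script below is an added example, not code from the reporting or from Integer Holdings; it assumes a simple key=value log line format, a 1 GB bulk-egress threshold, 08:00-18:00 UTC weekday business hours, and entirely constructed hostnames, accounts and IP addresses. It runs three hunts over the sample events: bulk egress outside business hours, process images that ran on a host only once in the window, and user/host logon pairs that appear only once (the pattern a service account logging on to a workstation would produce).

```python
"""Retrospective dwell-time hunt over historical logs.

Constructed example (not from the Integer Holdings reporting). Assumes a
key=value line format; hosts, accounts and IPs below are hypothetical.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines covering auth, process and egress events.
SAMPLE_LOGS = """\
ts=2025-11-10T14:02:11Z type=auth user=jdoe host=WS-114 result=success
ts=2025-11-10T14:30:00Z type=auth user=jdoe host=WS-114 result=success
ts=2025-11-10T22:41:05Z type=auth user=svc-backup host=WS-114 result=success
ts=2025-11-11T01:12:44Z type=proc host=FS-ENG01 image=rclone.exe parent=cmd.exe
ts=2025-11-11T01:15:02Z type=egress host=FS-ENG01 dst=203.0.113.45 bytes=48000000000
ts=2025-11-11T09:30:00Z type=proc host=FS-ENG01 image=explorer.exe parent=userinit.exe
ts=2025-11-12T09:31:00Z type=proc host=FS-ENG01 image=explorer.exe parent=userinit.exe
ts=2025-11-12T10:05:00Z type=egress host=WS-114 dst=198.51.100.7 bytes=5000000
ts=2025-11-13T11:00:00Z type=auth user=svc-backup host=BK-01 result=success
ts=2025-11-14T11:00:00Z type=auth user=svc-backup host=BK-01 result=success
"""

BULK_EGRESS_BYTES = 1_000_000_000   # assumed 1 GB threshold; tune per environment
BUSINESS_HOURS = (8, 18)            # assumed 08:00-18:00 UTC, Monday to Friday


def parse_logs(text):
    """Parse key=value lines into dicts; 'ts' becomes a UTC-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(field.split("=", 1) for field in line.split())
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return events


def off_hours(ts):
    """True on weekends or outside the configured business-hour window."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def hunt_bulk_egress(events):
    """Egress transfers at or above the bulk threshold outside business hours."""
    return [
        (ev["host"], ev["dst"], int(ev["bytes"]))
        for ev in events
        if ev["type"] == "egress"
        and int(ev["bytes"]) >= BULK_EGRESS_BYTES
        and off_hours(ev["ts"])
    ]


def hunt_rare_processes(events, max_count=1):
    """(host, image) pairs executed no more than max_count times in the window."""
    counts = Counter((ev["host"], ev["image"])
                     for ev in events if ev["type"] == "proc")
    return sorted(key for key, n in counts.items() if n <= max_count)


def hunt_rare_logons(events, max_count=1):
    """(user, host) pairs with at most max_count successful logons; a service
    account's single logon to a workstation shows up here."""
    counts = Counter((ev["user"], ev["host"]) for ev in events
                     if ev["type"] == "auth" and ev["result"] == "success")
    return sorted(key for key, n in counts.items() if n <= max_count)


def run_hunts(text):
    """Run all three hunts over a log text and return the findings by hunt."""
    events = parse_logs(text)
    return {
        "bulk_egress": hunt_bulk_egress(events),
        "rare_processes": hunt_rare_processes(events),
        "rare_logons": hunt_rare_logons(events),
    }


if __name__ == "__main__":
    for name, hits in run_hunts(SAMPLE_LOGS).items():
        print(f"{name}: {hits}")
```

On real data the "seen once" heuristics should be computed against a baseline window that is longer than the suspected dwell time, otherwise an attacker's routine activity becomes part of the baseline; the point of the six-to-twelve-month review is to make the first appearance of a tool, account or destination visible again.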