coinbasecartel
Group profile
CoinbaseCartel specializes in data acquisition through system access and strategic partnerships. It focus exclusively on data exfiltration—our operations never involve system encryption or operational disruption.
MITRE ATT&CK TTPs
Initial Access
T1078.004Valid Accounts: Cloud Accounts
Massive focus on credential theft from SaaS platforms (Salesforce, Microsoft 365).
T1091Replication Through Removable Media
Although less common, there are records of attempts via service providers (corrupted insiders/third parties).
T1133External Remote Services
Abuse of VPNs and RDP using credentials harvested by infostealers or purchased from IABs (Initial Access Brokers).
T1566.003Phishing: Spearphishing Voice (Vishing)
Use of voice social engineering to induce employees to authorize malicious OAuth applications.
Execution
T1059.004Command and Scripting Interpreter: Unix Shell
The shinysp1d3r loader is executed via shell scripts on ESXi systems.
T1059.006Command and Scripting Interpreter: Python
Use of custom scripts that mimic legitimate tools (e.g., Salesforce Data Loader) for rapid exfiltration.
T1204.002User Execution: Malicious File
Deceiving users into executing fake OAuth connectors.
Persistence
Defense Evasion
T1036.005Masquerading: Match Legitimate Name or Location
Renaming malicious binaries to names of critical VMware processes or backup tools.
T1070.001Indicator Removal: Clear Windows Event Logs
Systematic cleaning of syslogs and audit logs in ESXi environments.
T1562.001Impair Defenses: Disable or Modify Tools
Disabling virtual machine snapshots before encryption (when they opt for it).
Discovery
T1018Remote System Discovery
Enumeration of Active Directory objects from non-privileged user accounts.
T1083File and Directory Discovery
Scanning vCenter datastores to identify critical VMs and databases.
T1538Cloud Service Dashboard
Exploration of AWS/Azure consoles to identify EBS volumes and S3 instances.
Exfiltration
T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage
Use of tools like Rclone to send data to providers such as Mega or Dropbox.
Recent victims
showing 50 of 177| Date | Website / victim | Sector | Country |
|---|---|---|---|
| 2026-06-12 |  Demand.ioDemand.io | Technology | US |
| 2026-06-12 | C Cambridge Mobile Telematics | Technology | US |
| 2026-06-05 | Demand.ioNEWDemand.io | Technology | |
| 2026-06-05 |  Cambridge Mobile TelematicNEWcmtelematics.com | Technology | US |
| 2026-06-02 | C Cambridge Mobile TelematicsNEW | Technology | US |
| 2026-05-30 |  Siveco -siveco.com | Technology | FR |
| 2026-05-30 |  Openmind networksopenmindnetworks.com | Technology | GB |
| 2026-05-30 |  Pragmatic Solutionspragmatic.solutions | Business Services | |
| 2026-05-15 |  Zywavezywave.com | Business Services | US |
| 2026-05-15 |  Grafanagrafana.com | Technology | US |
| 2026-05-13 |  Buenos Aires Softwarebas.com.ar | Technology | AR |
| 2026-05-11 |  Jozef Stefan Institute (IJS)ijs.si | Education | SI |
| 2026-05-11 |  Alpinionalpinion.com | Healthcare | KR |
| 2026-05-11 |  Tab Servicetabservice.com | Business Services | DE |
| 2026-05-11 |  Cass information Systemscassinfo.com | Business Services | US |
| 2023-11-20 |  Dreyfuss Williams & Associates CO LPAdreyfuss.com | Business Services | US |
| 2025-08-25 |  Marlborough Partnerswww.marlboroughpartners.com | Financial Services | GB |
| 2026-04-23 |  Kementerian Pertanianpertanian.go.id | Agriculture and Food Production | ID |
| 2026-04-23 |  Sea Telecom Brseatelecom.com.br | Telecommunication | BR |
| 2026-04-23 |  Precision Coatingprecisioncoating.com | Manufacturing | US |
| 2025-11-10 |  Integer Holdingsinteger.net | Manufacturing | US |
| 2026-04-23 |  Peru LNG (Hunt LNG Operating Company)perulng.com | Energy | PE |
| 2026-04-23 |  Aptimaptim.com | Business Services | US |
| 2026-04-20 |  SIG.bizsig.biz | Business Services | CH |
| 2026-04-20 |  CommscopeCommscope.com | Telecommunication | US |
| 2026-04-20 |  Playmates Toysplaymatestoys.com | Consumer Services | HK |
| 2026-04-20 |  Engieengie.com | Energy | FR |
| 2026-04-18 |  ASTM Groupastim.it | Business Services | US |
| 2026-04-18 |  Securitevolfeuwww.securitevolfeu.fr | Technology | FR |
| 2026-04-18 |  Altproaltpro.hr | Not Found | HR |
| 2026-04-18 |  McCuaig and associates Engineeringmccuaig.net | Business Services | CA |
| 2026-04-18 |  Evict them for meevictthemforme.com | Business Services | US |
| 2026-04-15 |  The Epoch Timestheepochtimes.com | Consumer Services | US |
| 2026-04-15 |  UOM Universitywww.uom.gr | Education | MT |
| 2026-04-15 |  Vluznetvluznet.com | Not Found | US |
| 2026-04-15 |  Epoch Timesepochtimes.com | Consumer Services | US |
| 2026-04-15 |  Superintendency of territorial planningsot.gob.ec | Public Sector | EC |
| 2026-04-15 |  GL Steelglsteel.pl | Manufacturing | PL |
| 2026-04-15 |  Wayne Brothers Constructionwaynebrothers.com | Construction | US |
| 2026-04-15 |  Questivityquestivity.com | Business Services | US |
| 2026-04-15 |  Millenium Packagingmil-pkg.com | Manufacturing | US |
| 2026-04-15 |  Kemenpppakeemenpppa.go.id | Public Sector | ID |
| 2026-04-15 |  Rogiken / institute of Science Tokyorogiken.org | Education | JP |
| 2026-04-15 |  La Maison Bleue Francela-maison-bleue.fr | Hospitality and Tourism | FR |
| 2026-04-15 |  Sampolsampol.com | Energy | ES |
| 2026-04-15 |  Astreyaastreya.com | Technology | US |
| 2026-04-15 |  Cognizantcognizant.com | Business Services | US |
| 2026-04-14 |  Flash Charm INC - (IDERA)idera.com | Technology | US |
| 2026-04-12 |  Helzberghelzberg.com | Consumer Services | US |
| 2026-04-12 |  Ralph Laurenwww.ralphlauren.com | Consumer Services | US |