Dark Web Profile: CoinbaseCartel
ID: af9afe58-7ceb-5aca-93ae-e6f6c74588e9
STIX ID: report--af9afe58-7ceb-5aca-93ae-e6f6c74588e9
Feed Name: SOCRadar Blog
CoinbaseCartel is a financially motivated data-extortion group that emerged in September 2025, claiming over 160 victims across 17 industries; it uses stale infostealer-derived credentials (e.g., RedLine, Lumma, Vidar), OAuth abuse, and living-off-the-land techniques to access cloud and file-transfer environments, exfiltrate tens of gigabytes to terabytes of data, and publish or auction stolen datasets on a Tor leak site. The profile maps the group's TTPs to MITRE ATT&CK, highlights sector and geographic targeting patterns, and provides defensive guidance focused on credential hygiene, OAuth governance, cloud monitoring, and immutable logging.
