Threat Actor Profile
High
Cybercriminal
Description
CoinbaseCartel specializes in data acquisition through system access and strategic partnerships. It focuses exclusively on data exfiltration—our operations never involve system encryption or operational disruption.
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (18)
Indicators of Compromise
STIX Data
{'added_date': '2025-09-15',
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'CoinbaseCartel specializes in data acquisition through system '
'access and strategic partnerships. It focus exclusively on '
'data exfiltration—our operations never involve system '
'encryption or operational disruption.',
'firstseen': '2023-05-26T01:02:03.456789+00:00',
'group': 'coinbasecartel',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2026-04-23T09:58:11.821254+00:00',
'locations': [{'available': True,
'fqdn': 'fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion',
'slug': 'http://fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion',
'title': 'System Breach • Coinbasecartel',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': True,
'fqdn': 'fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion',
'slug': 'http://fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion',
'title': 'System Breach • Coinbasecartel',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'coinbasecartel',
'tools': {},
'url': 'https://www.ransomware.live/group/coinbasecartel',
'victims': 162,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Massive focus on credential '
'theft from SaaS platforms '
'(Salesforce, Microsoft 365).',
'technique_id': 'T1078.004',
'technique_name': 'Valid Accounts: Cloud Accounts'},
{'technique_details': 'Use of voice social '
'engineering to induce '
'employees to authorize '
'malicious OAuth applications.',
'technique_id': 'T1566.003',
'technique_name': 'Phishing: Spearphishing Voice '
'(Vishing)'},
{'technique_details': 'Although less common, there '
'are records of attempts via '
'service providers (corrupted '
'insiders/third parties).',
'technique_id': 'T1091',
'technique_name': 'Replication Through Removable '
'Media'},
{'technique_details': 'Abuse of VPNs and RDP using '
'credentials harvested by '
'infostealers or purchased '
'from IABs (Initial Access '
'Brokers).',
'technique_id': 'T1133',
'technique_name': 'External Remote Services'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Use of custom scripts that '
'mimic legitimate tools (e.g., '
'Salesforce Data Loader) for '
'rapid exfiltration.',
'technique_id': 'T1059.006',
'technique_name': 'Command and Scripting '
'Interpreter: Python'},
{'technique_details': 'The shinysp1d3r loader is '
'executed via shell scripts on '
'ESXi systems.',
'technique_id': 'T1059.004',
'technique_name': 'Command and Scripting '
'Interpreter: Unix Shell'},
{'technique_details': 'Deceiving users into '
'executing fake OAuth '
'connectors.',
'technique_id': 'T1204.002',
'technique_name': 'User Execution: Malicious '
'File'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Creation of "ghost" '
'administrator users on VMware '
'hosts.',
'technique_id': 'T1136.001',
'technique_name': 'Create Account: Local Account'},
{'technique_details': 'Adding new secrets or keys to '
'existing OAuth applications '
'to maintain access even after '
'password changes.',
'technique_id': 'T1098.003',
'technique_name': 'Account Manipulation: Additional '
'Cloud Credentials'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Systematic cleaning of '
'syslogs and audit logs in '
'ESXi environments.',
'technique_id': 'T1070.001',
'technique_name': 'Indicator Removal: Clear Windows '
'Event Logs'},
{'technique_details': 'Disabling virtual machine '
'snapshots before encryption '
'(when they opt for it).',
'technique_id': 'T1562.001',
'technique_name': 'Impair Defenses: Disable or '
'Modify Tools'},
{'technique_details': 'Renaming malicious binaries '
'to names of critical VMware '
'processes or backup tools.',
'technique_id': 'T1036.005',
'technique_name': 'Masquerading: Match Legitimate '
'Name or Location'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Scanning vCenter datastores '
'to identify critical VMs and '
'databases.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'},
{'technique_details': 'Enumeration of Active '
'Directory objects from '
'non-privileged user accounts.',
'technique_id': 'T1018',
'technique_name': 'Remote System Discovery'},
{'technique_details': 'Exploration of AWS/Azure '
'consoles to identify EBS '
'volumes and S3 instances.',
'technique_id': 'T1538',
'technique_name': 'Cloud Service Dashboard'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Use of tools like Rclone to '
'send data to providers such '
'as Mega or Dropbox.',
'technique_id': 'T1567.002',
'technique_name': 'Exfiltration Over Web Service: '
'Exfiltration to Cloud Storage'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Secondary technique, focused '
'on .vmdk files via '
'shinysp1d3r loader.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'Direct extortion based on the '
'threat of leaking data on '
'Onion forums (DLS).',
'technique_id': 'T1657',
'technique_name': 'Financial Theft'}]}],
'url': 'https://www.ransomware.live/group/coinbasecartel',
'victims': 162,
'vulnerabilities': []}