DMZ//THREAT INTEL
TLP:WHITE // THREAT ACTOR DOSSIER // COINBASE-CARTEL // FIRST SEEN: SEP 2025

COINBASE CARTEL

ALSO KNOWN AS: CoinbaseCartel
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Unknown (Western, linked to Anglophone cybercrime ecosystem)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ACTIVE
FIRST OBSERVED: SEP 2025
TECHNICAL: 69/100
RESOURCES: 69/100
PERSISTENCE: 72/100
STEALTH: 64/100
IMPACT: 78/100

Coinbase Cartel is a data-extortion-only group active since September 2025, assessed by Halcyon and Fortinet FortiGuard Labs as an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ ecosystems. The group does not deploy ransomware encryption; instead it steals sensitive data and extorts victims under threat of public disclosure, amassing 170+ victims. In the last 48 hours (May 15–18, 2026), the group claimed Grafana Labs after exploiting a misconfigured GitHub Actions workflow to exfiltrate Grafana's entire private codebase.

Data theft and pure extortion (encryption-less); intellectual property and source code theft for leverage

GitHub Actions 'Pwn Request' misconfiguration abuse (pull_request_target workflow exploit), privileged token theft and exfiltration, credential theft, CI/CD pipeline abuse, social engineering, data-only extortion (no encryption), leak site victim listing pressure

TECHNOLOGY
HEALTHCARE
TRANSPORTATION
MANUFACTURING
BUSINESS SERVICES

Dedicated data leak/extortion website (105–170 victims listed); GitHub Actions abuse for code exfiltration; no ransomware binary deployment; operates within broader ShinyHunters/Scattered Spider/LAPSUS$ tooling ecosystem

FILE DATE: SEP 2025
Extortion Campaign Launch
Emerged conducting data theft and extortion across technology, healthcare, and manufacturing sectors, amassing 105+ victims on public leak site.
FILE DATE: MAY 2026
Grafana Labs GitHub Codebase Breach
Exploited a misconfigured GitHub Actions pull_request_target workflow to inject a malicious █████████████████████ a privileged GitHub token, and exfiltrate Grafana's entire private codebase; Grafana disclosed May 16–17, 2026 and refused to pay ransom.
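The TTP entry and the Grafana timeline entry above both hinge on the same misconfiguration: a `pull_request_target` workflow (which runs with the base repository's privileged token and secrets) that checks out and executes untrusted pull-request code. As an added defender-side illustration, not code from the page or from Grafana, here is a heuristic Python check for that pattern, run over two constructed workflow files (one vulnerable, one hardened); the sample YAML and the regexes are assumptions of this example.

```python
import re

# Constructed sample workflows (not taken from the page) for the check below.
VULNERABLE_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
"""

HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""

# pull_request_target runs in the base-repo context with a privileged GITHUB_TOKEN
# and secrets; checking out the PR head there lets fork-controlled code use them.
PR_TARGET = re.compile(r"^\s*(pull_request_target\s*:|on:\s*\[[^\]]*pull_request_target)", re.M)
CHECKOUT = re.compile(r"uses:\s*actions/checkout")
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\b", re.M)
PERMISSIONS = re.compile(r"^\s*permissions\s*:", re.M)

def audit_workflow(text: str) -> list[str]:
    """Heuristic line-level check of one workflow file; returns findings (empty = clean)."""
    findings = []
    if not PR_TARGET.search(text):
        return findings  # plain pull_request runs fork PRs with a read-only token
    if CHECKOUT.search(text) and PR_HEAD.search(text):
        findings.append("pull_request_target checks out untrusted PR head: PR code runs with the privileged token")
    if WRITE_ALL.search(text):
        findings.append("permissions: write-all maximises what a leaked GITHUB_TOKEN can do")
    elif not PERMISSIONS.search(text):
        findings.append("no explicit permissions block: default token scope applies")
    return findings
```

Running `audit_workflow` over every file under `.github/workflows/` flags the vulnerable form and passes the hardened one; it is a triage aid, not a substitute for a YAML-aware policy check.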