Coinbase Cartel Emerges as Data-Theft-First Extortion Threat

What happened

A new cybercriminal group known as Coinbase Cartel is targeting high-value organizations across multiple industries using a data-theft-first extortion model, stealing sensitive information without encrypting systems and then threatening to publish it unless a ransom is paid. 

Who is affected

The group, active since September 2025, has claimed dozens of victims spanning healthcare, technology, transportation, and other sectors, with organizations ranging from mid-sized firms to large enterprises reporting compromises.

Why CISOs should care

Unlike traditional ransomware that locks systems, Coinbase Cartel’s approach allows victims’ operations to continue normally while critical data is quietly exfiltrated, increasing the risk of reputational damage, regulatory penalties, and costly negotiated settlements. Its activity was noted among top ransomware threats by industry analysts in late 2025, underscoring its rapid rise.

3 Practical Actions for Security Leaders

  1. Enhance access controls and MFA: Enforce strong multi-factor authentication and stringent privilege management to limit unauthorized credential abuse — a common vector for data exfiltration.
  2. Implement robust monitoring and threat intelligence: Deploy advanced detection tools and integrate threat intelligence feeds to identify stealthy exfiltration behavior earlier.
  3. Harden data loss prevention and response plans: Prioritize data classification, loss prevention systems, and rehearsed incident response to rapidly contain and remediate breaches before data can be used for extortion.
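As an added example (not code from the original brief or any vendor tool), the following Python detector illustrates the monitoring point above: because a data-theft-first group leaves systems running, the main signal is outbound volume, so it flags transfers far above a host's own baseline and enriches them with first-seen-destination and off-hours context for triage. The log format, hostnames, thresholds and working-hours window are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed egress records (hypothetical format: timestamp src_host dst_host bytes_out).
SAMPLE_LOGS = """\
2025-10-01T09:00:00Z ws-017 api.example-saas.test 120000
2025-10-01T09:05:00Z ws-017 api.example-saas.test 98000
2025-10-01T09:10:00Z ws-017 api.example-saas.test 110000
2025-10-01T09:15:00Z ws-017 api.example-saas.test 105000
2025-10-02T02:10:00Z ws-017 files.unknown-host.test 4800000000
2025-10-01T09:00:00Z ws-042 api.example-saas.test 80000
2025-10-01T09:30:00Z ws-042 api.example-saas.test 91000
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse_logs(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, dst, nbytes = m.groups()
            events.append({"ts": ts, "host": host, "dst": dst, "bytes": int(nbytes)})
    return events

def flag_exfil_candidates(events, min_bytes=500_000_000, spike_ratio=20.0):
    """Flag large transfers far above the host's own baseline, with triage context."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = []
    for host, evs in by_host.items():
        for e in evs:
            others = [o for o in evs if o is not e]
            if e["bytes"] < min_bytes or len(others) < 2:
                continue  # too small to matter, or no baseline to compare against
            baseline = median(o["bytes"] for o in others)  # leave-one-out baseline
            if baseline and e["bytes"] / baseline < spike_ratio:
                continue
            reasons = ["volume_spike"]
            if e["dst"] not in {o["dst"] for o in others}:
                reasons.append("new_destination")  # host never sent to this dst before
            hour = int(e["ts"][11:13])
            if hour < 7 or hour >= 19:  # assumed business window 07:00-19:00 UTC
                reasons.append("off_hours")
            flagged.append({"host": host, "dst": e["dst"], "bytes": e["bytes"], "reasons": reasons})
    return flagged
```

Running `flag_exfil_candidates(parse_logs(SAMPLE_LOGS))` returns the single 4.8 GB night-time transfer from ws-017 to a first-seen destination; the four small API calls on the same host form the baseline it is compared against.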