
Coinbase Cartel: behind the noise of a prolific leak operation

 

Key findings

 
  • The timeline of geographic and sectoral targeting of the victims claimed by Coinbase Cartel indicates that the operation may leverage supply-chain attacks. This was also claimed by one of the online aliases promoting the operation’s activities on the Exploit forum.

  • The threat actor “g77” was the main user promoting Coinbase Cartel inside cybercrime forums. He is known to collaborate with other threat actors for various purposes (buying valid accesses, testing malware and tools, sending phishing, …).

  • Coinbase Cartel may not directly perform technical intrusions. Potential partnerships highlighted inside cybercrime forums indicate that the operation tried to monetize data stolen by other threat actors and to buy valid accesses in bulk.

  • We assess with high confidence that Coinbase Cartel is a rebrand of a short-lived operation named DataVault. That operation claimed a modus operandi limited to stealing data using valid accesses acquired through strategic partnerships, which is similar to what we observed with Coinbase Cartel.

  • Few discriminating IOCs related to the operation were identified. Based on various public and closed sources, this is consistent with the fact that the operation does not perform encryption and only steals data in a simple extortion scheme.

 

Intrinsec’s CTI services

 

Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.

For this report, shared with our clients in March 2026, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.

Intrinsec also offers various services around Cyber Threat Intelligence:

  • Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
      • an operational feed of IOCs based on our exclusive activities.
      • threat intel notes & reports, TIP-compliant.
  • Digital risk monitoring:
      • data leak detection & remediation
      • external asset security monitoring (EASM)
      • brand protection

For more information, go to intrinsec.com/en/cyber-threat-intelligence/.
