FortiGuard profiles 'Coinbase Cartel' extortion group

- FortiGuard Labs on May 24 published a profile of Coinbase Cartel, describing a cyber-extortion group first observed in September 2025. (fortiguard.com)
- FortiGuard said the group steals data instead of encrypting systems, giving victims 48 hours to respond and 10 days to pay or negotiate. (fortiguard.com)
- FortiGuard’s threat-actor entry remains the primary public reference point, with related tracking pages listing Coinbase Cartel in its ransomware encyclopedia. (fortiguard.fortinet.com)

FortiGuard Labs has added “Coinbase Cartel” to its threat-actor tracking, putting a name and a basic operating profile on a cyber-extortion group it says was first observed in September 2025. The FortiGuard entry, published last week and surfaced in the company’s threat-actor encyclopedia, describes a crew that relies on stolen data rather than file encryption to pressure victims. (fortiguard.com)

The profile matters because it captures a strain of extortion that security firms have been documenting across the ransomware market: attacks built around exfiltration, leak-site pressure and payment deadlines instead of system lockups. (fortiguard.fortinet.com) FortiGuard said Coinbase Cartel threatens to publish or sell stolen information unless a ransom is paid.

### If the group is called “ransomware,” why isn’t encryption central?

FortiGuard’s own description says Coinbase Cartel is a “cyber-extortion threat actor” that does not center its operations on encrypting victim systems. Instead, the group steals data and uses the threat of exposure or sale as leverage in negotiations. (fortiguard.com)

Bitdefender, in a February 2026 analysis, described the same pattern as part of a broader evolution in ransomware operations, saying Coinbase Cartel focused on data exfiltration and claimed 14 victims in its first month after emerging in September 2025. That account matches FortiGuard’s dating of the group’s appearance, though the victim count comes from Bitdefender rather than FortiGuard. (fortiguard.com)

### What deadlines does FortiGuard say victims face?

FortiGuard said victims are given 48 hours to make contact and 10 days to pay or negotiate. The company said the group operates a dark-web leak site and uses staged disclosures to increase pressure on targets. (fortiguard.com)

SOCRadar, in a May 22 profile, described the operation as a financially motivated actor using a single-extortion model built around publication threats rather than encryption. That description aligns with FortiGuard’s account of a coercive timetable and leak-site tactics.

### How new is Coinbase Cartel?

(bitdefender.com) September 2025 is the key date repeated across multiple security trackers. FortiGuard lists that month as the group’s initial observation date, and other researchers have used the same starting point in public profiles and blog posts.

FortiGuard’s ransomware encyclopedia also lists Coinbase Cartel as an “Unknown” ransomware-as-a-service or extortion actor category entry, alongside other named groups. (fortiguard.com) The listing gives the group a place in FortiGuard’s broader threat taxonomy even though the public profile is brief. (socradar.io)

### Why does this matter for crypto firms and exchanges?

The FortiGuard entry does not name fresh victims in the public profile, but the group’s branding and the surrounding research have tied attention to exchange and crypto-sector risk. The immediate point in the FortiGuard write-up is narrower: stolen information itself can be the ransom lever. (fortiguard.com)

Halcyon, in a separate threat-group tracker published last week, said CoinbaseCartel had targeted more than 100 organizations since September 2025 across sectors including healthcare, technology and manufacturing, and assessed ties to the ShinyHunters and Scattered Spider ecosystem. (fortiguard.fortinet.com) That attribution is Halcyon’s, not FortiGuard’s.

### Where can readers track the group next?

FortiGuard’s public threat-actor page and encyclopedia entry are the clearest places to watch for updates to the company’s profile of Coinbase Cartel. As of May 25, 2026, those pages describe the group as active, data-theft-focused and first seen in September 2025. (halcyon.ai) (fortiguard.com)
