Coinbase Cartel hit Grafana with a stolen GitHub token

Coinbase Cartel, the group that listed Grafana Labs on its leak site on May 16, is not a new gang. It is the latest brand worn by members of the Scattered LAPSUS$ Hunters ecosystem: the same ShinyHunters, Scattered Spider, and LAPSUS$ operators behind the 2025 Salesforce campaign that hit Google, Workday, LVMH, Allianz, and Qantas. The Grafana intrusion used a stolen GitHub token to pull source code.

The interesting part for defenders is not the token but the operator continuity behind it.

What happened to Grafana?

Coinbase Cartel claimed the intrusion on its leak site two days before Grafana’s public confirmation and demanded payment to suppress the codebase. Grafana refused. The token has since been invalidated and a forensic investigation is in progress.

Two facts make this more than another source code leak:

  • The same private repositories also contained internal operational information the company uses to run the business. That widens the blast radius beyond code.
  • The threat actor behind it has 170+ confirmed victims since September 2025, including names you know: Vimeo, Vercel, Medtronic, Instructure, Wynn Resort.

Who is Coinbase Cartel?

Coinbase Cartel is a data-theft-only extortion crew that emerged in September 2025. It debuted with roughly ten victim listings posted simultaneously to a fresh Tor leak site on September 15, and has added victims steadily since. Halcyon and Fortinet FortiGuard Labs assess it as an offshoot of the Scattered LAPSUS$ Hunters (SLSH) ecosystem — the same federated cluster that absorbed members of Scattered Spider, ShinyHunters, and LAPSUS$ in mid-2025.

News about the recent Coinbase attack seen this week on Twitter.

The group does not encrypt files. The operating model is steal, threaten, leak — and in several confirmed cases, return for a second payment after the first ransom is paid. Repeat extortion is now a documented part of the playbook.

What does Coinbase Cartel share with ShinyHunters, Scattered Spider, and LAPSUS$?

  • Shared infrastructure. Researchers have observed overlapping domains and TTPs across the four brand names.
  • Shared personnel. The Scattered LAPSUS$ Hunters Telegram channels announced membership overlap publicly in August 2025 before being banned.
  • Shared playbook. Initial access via voice phishing or stolen developer credentials, then OAuth abuse, source code repositories, and cloud admin consoles for data exfiltration.

The shinysp1d3r alias formally links Coinbase Cartel to this cluster, even though the ransomware encryptor of that name has not been seen in real attacks.

We covered the operational continuity in this earlier piece on the Scattered LAPSUS$ Hunters Salesforce campaign and tracked the group’s September “farewell” Telegram messages in this Flash Report. Coinbase Cartel is what the ecosystem looks like after the “going dark” theatre: the same people, a new logo, the same Tor site format.

Why does threat actor lineage matter for SOC teams?

Well, it matters a good deal.

Brand churn is the defense problem. Members rotate names — Scattered Spider, ShinyHunters, sp1d3rhunters, scattered lapsus$ hunters, Coinbase Cartel — but operators, infrastructure, and tradecraft persist. A SOC tuned only to the latest IOC feed for “Coinbase Cartel” will miss the same operators when they list victims under the next name.

Tradecraft is shared, not branded. Vishing scripts, OAuth abuse patterns, GitHub token theft, and helpdesk impersonation circulate across the cluster. Detections built around behaviors hold; detections built around group names go stale within weeks.

Repeat extortion is now standard. Coinbase Cartel and its affiliates have been observed collecting a first ransom and returning to demand a second payment to delete copies from secondary storage the victim failed to clear. Incident response runbooks built around a single payment decision are out of date.

Arrests do not end the operation. Tyler Buchanan pleaded guilty in April 2026 for $8M in Scattered Spider-linked crypto theft. Noah Urban was sentenced to 10 years in August 2025. Peter Stokes (“Bouquet”) was apprehended in Helsinki in April 2026. The brand kept operating through each arrest. Loose collectives backfill faster than hierarchical groups.

How do these actors typically get in?

Across documented SLSH-cluster intrusions, three initial access patterns repeat. Here is what to underline and share with your team:

  1. Voice phishing the helpdesk. Native English-speaking operators impersonate employees to reset MFA or push out new device enrollments. Used in MGM, Caesars, and the 2025 Salesforce wave.
  2. OAuth-connected app abuse. Operators trick employees into authorizing a malicious app, then exfiltrate via API. This is the Salesforce playbook that hit Google, LVMH, and Workday.
  3. Stolen developer credentials and tokens. Infostealer logs, leaked tokens in public repos, and credentials traded on Telegram and underground markets. The Grafana intrusion sits in this category.

The Verizon 2026 DBIR puts stolen credentials at 22% of all initial access vectors and notes infostealers compromised 30% of corporate devices and 46% of unmanaged ones in the past year. The Grafana token did not have to be cracked. It had to be found.

What can SOC teams do this week?

This is the part that matters operationally. Five specific actions, sized for a single sprint:

  • Inventory GitHub tokens and rotate anything older than 90 days. Personal access tokens, fine-grained tokens, and OAuth tokens used by CI/CD. Treat any token without a clear owner as compromised.
  • Hunt for your own developer credentials in external sources. Infostealer logs, paste sites, public repos, and Telegram channels are where this ecosystem sources tokens. We do this continuously through Credential Intelligence and Dark Web Monitoring, and our REACT analysts verify findings before they reach your queue.
  • Audit OAuth-connected applications in Salesforce, Google Workspace, and Microsoft 365. Remove apps with no business owner. Document approval workflow for new connected apps.
  • Pressure-test the helpdesk against vishing. Specifically: MFA reset requests, device enrollment requests, and password resets initiated by phone. Scattered Spider’s tradecraft has not changed in three years because it still works.
  • Update incident response runbooks for repeat extortion. Assume any stolen data set will be monetized twice. Decision trees written for single-payment ransomware events need a second branch.
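One way to operationalize the first two actions (the GitHub token inventory and the hunt for your own credentials in external sources), as an added example that is not CybelAngel's, Grafana's, or any vendor's code: a Python script that scans externally sourced text for GitHub token formats without retaining the secret, then triages a token inventory into revoke, rotate, or keep. The inventory record shape, the hash-based join between findings and inventory, and every sample token and log line are assumptions constructed for this example; the token prefixes and lengths follow GitHub's published formats.

```python
"""Added example, not code from CybelAngel, Grafana or the groups discussed.

Two defensive checks from the action list above, in one script:
  1. scan text sourced from outside (infostealer logs, pastes, public repos)
     for GitHub token formats, keeping only a redacted value and a hash;
  2. triage a token inventory: revoke anything with no owner or seen outside,
     rotate anything older than 90 days.

Assumptions: the inventory record shape below is constructed for this example
(map your own export, for instance GitHub's org-level fine-grained PAT listing,
onto it); token prefixes and lengths follow GitHub's published formats; every
sample token and log line here is constructed and is not a real credential.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# GitHub prefixes: ghp_ classic PAT, gho_ OAuth, ghu_ user-to-server,
# ghs_ server-to-server, ghr_ refresh (each + 36 base62 chars);
# github_pat_ fine-grained PAT (+ 82 chars of [A-Za-z0-9_]).
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})\b")
KIND_BY_PREFIX = {
    "ghp_": "classic PAT", "gho_": "OAuth token", "ghu_": "user-to-server token",
    "ghs_": "server-to-server token", "ghr_": "refresh token",
    "github_pat_": "fine-grained PAT",
}


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str     # prefix + last 4 chars, safe to paste into a ticket
    fingerprint: str  # sha256 hex; join against the inventory without storing the secret


@dataclass
class TokenRecord:
    token_id: str
    owner: str | None               # None means nobody claims the token
    created_at: datetime
    last_used_at: datetime | None
    fingerprint: str | None = None  # sha256 of the token, if your export keeps one


def token_fingerprint(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def redact(token: str) -> str:
    prefix = next(p for p in KIND_BY_PREFIX if token.startswith(p))
    return f"{prefix}...{token[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Find GitHub-format tokens in arbitrary text; never returns the raw token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TOKEN_RE.finditer(line):
            token = match.group(0)
            kind = next(k for p, k in KIND_BY_PREFIX.items() if token.startswith(p))
            findings.append(Finding(line_no, kind, redact(token), token_fingerprint(token)))
    return findings


def triage(records, leaked_fingerprints, now, max_age_days=90):
    """Return {token_id: (action, reasons)}; action is revoke, rotate or keep."""
    decisions = {}
    for r in records:
        reasons = []
        if r.fingerprint and r.fingerprint in leaked_fingerprints:
            reasons.append("seen in external source")
        if not r.owner:
            reasons.append("no owner")
        if now - r.created_at > timedelta(days=max_age_days):
            reasons.append(f"older than {max_age_days} days")
        # Exposure or missing ownership means revoke now; age alone means rotate.
        if "seen in external source" in reasons or "no owner" in reasons:
            action = "revoke"
        elif reasons:
            action = "rotate"
        else:
            action = "keep"
        decisions[r.token_id] = (action, reasons)
    return decisions


# --- constructed sample data (not real credentials) -------------------------
LEAKED_CLASSIC = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
LEAKED_FINE = "github_pat_" + "11ABCDEFG0abcdefghijkl" + "_" + "0123456789" * 5 + "abcdefghi"
SAMPLE_EXTERNAL_TEXT = f"""\
# constructed lines imitating an infostealer log dump; nothing here is real
[2026-05-10 03:14:07] host=DEV-LAPTOP-07 app=git-credential-manager user=dev.one
url=https://github.com username=dev-one password={LEAKED_CLASSIC}
GITHUB_TOKEN={LEAKED_FINE}
slack_token=xoxb-not-a-github-token
"""
NOW = datetime(2026, 5, 18, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    TokenRecord("tok-001", "dev-one", NOW - timedelta(days=40), NOW - timedelta(days=1),
                fingerprint=token_fingerprint(LEAKED_CLASSIC)),
    TokenRecord("tok-002", "ci-bot", NOW - timedelta(days=200), NOW - timedelta(days=3)),
    TokenRecord("tok-003", None, NOW - timedelta(days=10), None),
    TokenRecord("tok-004", "dev-two", NOW - timedelta(days=30), NOW - timedelta(days=2)),
]


def run_sample():
    findings = scan_text(SAMPLE_EXTERNAL_TEXT)
    leaked = {f.fingerprint for f in findings}
    return findings, triage(SAMPLE_INVENTORY, leaked, NOW)


if __name__ == "__main__":
    found, decisions = run_sample()
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
    for token_id, (action, reasons) in decisions.items():
        print(f"{token_id}: {action} {reasons}")
```

The scanner deliberately returns only a prefix-plus-suffix redaction and a SHA-256 fingerprint, so findings can move through a ticket queue without re-exposing the credential; the fingerprint is what lets you confirm a token seen in a stealer log is one of yours. The triage rule encodes the article's own thresholds: no owner or external exposure is a revoke, age past 90 days is a rotate.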

What’s the practical takeaway?

Coinbase Cartel is a useful name to put on a victim listing. It is not a useful name to build a detection program around. The operators behind this intrusion will list their next 50 victims under whatever the next brand is, and the indicators that catch them will be behavioral, not nominal.

Grafana’s intrusion is a clean illustration of the pattern: a developer credential, sourced externally, used to reach a code repository, monetized via extortion. The defenders who catch the next one will be the ones watching where their credentials surface — before the operators do.
