New Threat Actor: Coinbase Cartel

Coinbase Cartel is a cyber extortion group which emerged on the dark web in September 2025. Let’s take a closer look at this new threat actor.

The group, which draws affiliates from established crews such as ShinyHunters and Lapsus$, leans on stealthy data theft and extortion rather than file-encrypting ransomware as its main lever, although it also deploys an encryptor against ESXi hosts (see below). That emphasis matters for defenders: the dangerous phase is the quiet bulk export, which happens before any ransom note or encryption event would trip a classic ransomware alert.

Tactics, Techniques, and Procedures (TTPs)

Initial access combines social engineering with credential abuse. The group bribes insiders and uses vishing to walk employees through authorizing a malicious OAuth application; once the app is approved, the attackers hold API tokens that work without the victim's password or MFA prompt. In cloud environments they run custom Python scripts that present themselves as legitimate tooling, the Salesforce Data Loader being the cited example, so that mass data exports blend into ordinary API traffic. Because the Data Loader is itself a legitimate bulk-API client, "bulk export via an approved tool" is not a detection on its own; the signal is who is exporting, from where, and how much.

For on-premises targets, the group deploys an in-memory loader known as shinysp1d3r on ESXi hosts. It encrypts virtual machine disks and disables snapshots, which removes the most convenient local recovery path. For persistence they rely on long-lived OAuth tokens, or create hidden accounts and add SSH keys to compromised servers. On ESXi, root's authorized keys live in /etc/ssh/keys-root/authorized_keys and local accounts are listed in /etc/passwd, so both are worth baselining and diffing.
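The two host-level persistence mechanisms above (added SSH keys and hidden accounts) can be caught by diffing the current state against a baseline captured when the host was built. The script below is an added example, not the threat actor's tooling or any vendor's code. The ESXi file paths are real; the baseline, the sample authorized_keys lines (structurally valid but fake keys) and the sample /etc/passwd content are constructed.

```python
import base64
import hashlib
import struct

# Real ESXi paths: root's SSH keys and the local account database.
ESXI_AUTHORIZED_KEYS = "/etc/ssh/keys-root/authorized_keys"
ESXI_PASSWD = "/etc/passwd"

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def parse_authorized_key(line):
    """Return (type, SHA256 fingerprint, comment) for one authorized_keys line,
    or None for blank lines, comments and unparsable entries. An optional
    options field (e.g. no-pty,from="10.0.0.1") before the key type is skipped
    by scanning for the first token that looks like a key type."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            digest = hashlib.sha256(blob).digest()
            fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
            return tok, fp, " ".join(tokens[i + 2:])
    return None


def fingerprints(authorized_keys_text):
    """Set of SHA256 fingerprints (same format as `ssh-keygen -lf`) in a file."""
    parsed = map(parse_authorized_key, authorized_keys_text.splitlines())
    return {p[1] for p in parsed if p}


def unexpected_keys(current_text, baseline_text):
    """Keys present now that were not in the baseline snapshot."""
    known = fingerprints(baseline_text)
    parsed = map(parse_authorized_key, current_text.splitlines())
    return [p for p in parsed if p and p[1] not in known]


def unexpected_accounts(passwd_text, expected_users):
    """Accounts (passwd(5) format) not in the baseline set, plus any UID-0
    account that is not root: a classic hidden-account trick."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid, shell = fields[0], fields[2], fields[6]
        if name and (name not in expected_users or (uid == "0" and name != "root")):
            extra.append((name, uid, shell))
    return extra


def audit(current_keys, baseline_keys, passwd_text, expected_users):
    """Run both checks; empty lists mean a clean host."""
    return {
        "unexpected_keys": unexpected_keys(current_keys, baseline_keys),
        "unexpected_accounts": unexpected_accounts(passwd_text, expected_users),
    }


def _constructed_key_line(ktype, seed, comment):
    """Constructed sample: a structurally valid ed25519 public-key blob whose
    32 key bytes are just a hash of `seed`. Not a real key."""
    blob = (struct.pack(">I", len(ktype)) + ktype.encode()
            + struct.pack(">I", 32) + hashlib.sha256(seed.encode()).digest())
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"


# Constructed baseline captured when the host was built.
BASELINE_KEYS = "\n".join([
    "# keys approved by the platform team",
    _constructed_key_line("ssh-ed25519", "bastion", "ops@bastion"),
    _constructed_key_line("ssh-ed25519", "backup", "veeam@backup01"),
])
BASELINE_USERS = {"root", "dcui", "vpxuser"}  # constructed, not a full ESXi list

# Constructed "current" state after an intrusion of the kind described above.
CURRENT_KEYS = BASELINE_KEYS + "\n" + "no-pty " + _constructed_key_line(
    "ssh-ed25519", "attacker", "root@kali")
CURRENT_PASSWD = "\n".join([
    "root:x:0:0:Administrator:/:/bin/sh",
    "dcui:x:100:100:DCUI User:/:/sbin/nologin",
    "vpxuser:x:500:100:VMware vCenter:/:/sbin/nologin",
    "svcmon:x:0:0:Monitoring:/:/bin/sh",  # hidden UID-0 account added by the intruder
])

if __name__ == "__main__":
    # On a live host, read ESXI_AUTHORIZED_KEYS and ESXI_PASSWD instead of the samples.
    for check, findings in audit(CURRENT_KEYS, BASELINE_KEYS,
                                 CURRENT_PASSWD, BASELINE_USERS).items():
        print(check, findings)
```

Store the baseline fingerprints and user list off-host (a compromised ESXi host can rewrite its own baseline), and schedule the diff from a management box over the same SSH channel you already use for patching.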

Indicators of Compromise (IOCs) & Detections

Security teams should watch for administrative logins from Tor exit nodes or commercial VPN egress addresses, and for new OAuth application approvals, especially apps granted broad API scopes shortly after such a login. VPN egress on its own is a weak signal (plenty of staff use one), so treat it as a correlation key rather than an alert. On ESXi hosts, unknown shell scripts executed on the host and rapid, high-entropy writes to datastores are what the encryptor looks like at work; high entropy alone also matches compressed data, so pair it with a burst of writes across several VM disks and with snapshot deletions.
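The three host- and identity-side indicators above, written as detection logic and run over constructed sample events. This is an added example, not material from the original post: the event schema, the Tor exit list (RFC 5737 documentation addresses stand in for real exits), the approved OAuth client list and the thresholds are all assumptions to be replaced with your own feeds.

```python
import math
from collections import defaultdict

# Constructed stand-ins. In production load the Tor Project's published
# exit-address list and refresh it regularly, and keep the OAuth allowlist
# in your IdP / SaaS admin console export.
TOR_EXIT_IPS = {"203.0.113.5", "203.0.113.77"}
APPROVED_OAUTH_CLIENTS = {"corp-data-loader", "corp-bi-connector"}


def shannon_entropy(data):
    """Bits per byte of `data`: 0.0 for constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def admin_logins_from_tor(events, tor_exits=TOR_EXIT_IPS):
    """Admin logins whose source IP is a known Tor exit."""
    return [(e["user"], e["src_ip"]) for e in events
            if e["type"] == "login" and e.get("admin") and e["src_ip"] in tor_exits]


def unapproved_oauth_grants(events, approved=APPROVED_OAUTH_CLIENTS):
    """OAuth app authorizations for client IDs nobody has reviewed."""
    return [(e["user"], e["client_id"]) for e in events
            if e["type"] == "oauth_grant" and e["client_id"] not in approved]


def encryptor_write_bursts(events, min_entropy=7.0, burst=3, window_s=60):
    """Hosts that wrote `burst` or more high-entropy chunks to a datastore
    within `window_s` seconds; returns {host: largest burst seen}.
    Sliding window over the sorted timestamps of high-entropy writes."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "datastore_write" and shannon_entropy(e["sample"]) >= min_entropy:
            by_host[e["host"]].append(e["ts"])
    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= burst:
                hits[host] = max(hits.get(host, 0), hi - lo + 1)
    return hits


# Constructed write samples: the first 1 KiB of each write as the sensor saw it.
UNIFORM = bytes(range(256)) * 4                    # entropy 8.0, like ciphertext
ZEROS = bytes(1024)                                # entropy 0.0, sparse VMDK region
TEXT = b"<?xml version='1.0'?><Config/>\n" * 32    # low entropy, a VM config file

# Constructed event stream (timestamps are seconds since an arbitrary epoch).
SAMPLE_EVENTS = [
    {"ts": 10, "type": "login", "user": "alice", "src_ip": "198.51.100.7", "admin": True},
    {"ts": 20, "type": "login", "user": "svc_backup", "src_ip": "203.0.113.5", "admin": True},
    {"ts": 25, "type": "login", "user": "bob", "src_ip": "203.0.113.77", "admin": False},
    {"ts": 30, "type": "oauth_grant", "user": "alice", "client_id": "corp-data-loader"},
    {"ts": 40, "type": "oauth_grant", "user": "bob", "client_id": "dataloader-helper-v2"},
    {"ts": 100, "type": "datastore_write", "host": "esx01",
     "path": "/vmfs/volumes/ds1/web01/web01-flat.vmdk", "sample": UNIFORM},
    {"ts": 110, "type": "datastore_write", "host": "esx01",
     "path": "/vmfs/volumes/ds1/db01/db01-flat.vmdk", "sample": UNIFORM},
    {"ts": 115, "type": "datastore_write", "host": "esx01",
     "path": "/vmfs/volumes/ds1/db01/db01_1-flat.vmdk", "sample": ZEROS},
    {"ts": 120, "type": "datastore_write", "host": "esx01",
     "path": "/vmfs/volumes/ds1/app01/app01-flat.vmdk", "sample": UNIFORM},
    {"ts": 500, "type": "datastore_write", "host": "esx02",
     "path": "/vmfs/volumes/ds2/iso/tools.iso", "sample": UNIFORM},
    {"ts": 510, "type": "datastore_write", "host": "esx02",
     "path": "/vmfs/volumes/ds2/app02/app02.vmx", "sample": TEXT},
]

if __name__ == "__main__":
    print("admin logins via Tor:", admin_logins_from_tor(SAMPLE_EVENTS))
    print("unapproved OAuth grants:", unapproved_oauth_grants(SAMPLE_EVENTS))
    print("encryptor-like write bursts:", encryptor_write_bursts(SAMPLE_EVENTS))
```

The burst rule is what keeps the entropy check honest: esx02 writes one high-entropy file (an ISO) and is not flagged, while esx01 writes three high-entropy chunks to three different VM disks in 20 seconds and is. Sample only the first kilobyte or so of each write; computing entropy over whole multi-gigabyte VMDK writes is neither necessary nor affordable.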

On the network side, monitor for abnormally high-volume API exports, the creation of large compressed archives, and outbound transfers to Tor relays. The payload is encrypted, so destination and volume, not content, are what you can actually detect; match destinations against a current Tor relay list and alert on byte counts, not on the presence of TLS. Their defense evasion includes disabling syslog forwarding and mass log truncation. Neither is unique to this group, but a host that suddenly goes silent in the SIEM, or whose log files shrink without a rotation, is evidence of tampering by someone and should be triaged as an incident rather than a logging glitch.
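The volume and evasion indicators above as detection logic over constructed telemetry: a sliding-window row count per exporting principal, a silent-source check for hosts whose syslog stream stops, and a truncation heuristic for log files that shrink without having reached the rotation size. This is an added example, not part of the original post; the event schema, thresholds, report intervals and rotation size are assumptions.

```python
from collections import defaultdict


def bulk_export_offenders(events, rows_threshold=100_000, window_s=3600):
    """(user, client_id) pairs that exported more than `rows_threshold` rows
    in any `window_s` window; returns {principal: largest window total}.
    Sliding window over sorted (ts, rows) per principal."""
    by_principal = defaultdict(list)
    for e in events:
        if e["type"] == "api_export":
            by_principal[(e["user"], e["client_id"])].append((e["ts"], e["rows"]))
    offenders = {}
    for key, items in by_principal.items():
        items.sort()
        total, lo = 0, 0
        for hi, (t, rows) in enumerate(items):
            total += rows
            while t - items[lo][0] > window_s:   # drop events older than the window
                total -= items[lo][1]
                lo += 1
            if total > rows_threshold:
                offenders[key] = max(offenders.get(key, 0), total)
    return offenders


def silent_log_sources(last_seen, now, expected_interval_s):
    """Hosts from which nothing has arrived within twice their usual report
    interval: the footprint of disabled syslog forwarding (or a dead host)."""
    return sorted(h for h, t in last_seen.items()
                  if now - t > 2 * expected_interval_s[h])


def truncated_logs(size_samples, rotation_max_bytes):
    """Log files whose observed size dropped before reaching the rotation
    size. Heuristic: a size-based rotation only happens at or above
    `rotation_max_bytes`, so a shrink from below that is a truncation.
    `size_samples` maps path -> list of (ts, bytes) observations."""
    flagged = []
    for path, obs in size_samples.items():
        obs = sorted(obs)
        for (_, prev), (_, cur) in zip(obs, obs[1:]):
            if cur < prev and prev < rotation_max_bytes:
                flagged.append(path)
                break
    return flagged


# Constructed samples (timestamps in seconds since an arbitrary epoch).
SAMPLE_EXPORTS = [
    {"ts": 0, "type": "api_export", "user": "alice", "client_id": "corp-bi-connector", "rows": 20_000},
    {"ts": 1800, "type": "api_export", "user": "alice", "client_id": "corp-bi-connector", "rows": 30_000},
    {"ts": 0, "type": "api_export", "user": "bob", "client_id": "dataloader-helper-v2", "rows": 60_000},
    {"ts": 600, "type": "api_export", "user": "bob", "client_id": "dataloader-helper-v2", "rows": 60_000},
    {"ts": 5000, "type": "api_export", "user": "bob", "client_id": "dataloader-helper-v2", "rows": 10_000},
]
NOW = 10_000
LAST_SEEN = {"esx01": 9_990, "esx02": 9_000, "vcenter": 9_500}
REPORT_INTERVAL = {"esx01": 60, "esx02": 60, "vcenter": 300}
ROTATION_MAX = 1_048_576   # assumed 1 MiB size-based rotation
LOG_SIZES = {
    "/var/log/auth.log":  [(0, 500_000), (60, 520_000), (120, 1_200)],        # shrank early
    "/var/log/hostd.log": [(0, 1_040_000), (60, 1_050_000), (120, 3_000)],    # normal rotation
}

if __name__ == "__main__":
    print("bulk exporters:", bulk_export_offenders(SAMPLE_EXPORTS))
    print("silent log sources:", silent_log_sources(LAST_SEEN, NOW, REPORT_INTERVAL))
    print("truncated logs:", truncated_logs(LOG_SIZES, ROTATION_MAX))
```

Alice's 50,000 rows over an hour is ordinary reporting and stays under the threshold; Bob's 120,000 rows in ten minutes through an unreviewed client is the pattern to page on. For the silent-source check, derive each host's expected interval from its own history rather than a global constant, otherwise chatty hosts mask quiet ones.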

Known IOCs:

  • Leak Site: fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd.onion
  • C2/Infrastructure: affiliateshinysp1d3r[.]com
  • Email: shinycorp@tuta[.]com, shinygroup@tuta[.]com

#CyberSecurity #ThreatIntel #TTPs #IOCs #CoinbaseCartel #DataExtortion #InfoSec #ThreatHunting #ESXi #CloudSecurity