
Coinbasecartel
Ransomware group first appearing in leak-site trackers in April 2026; possible rebrand of an existing group.
Last refreshed: 17 April 2026
Is Coinbasecartel a new ransomware group or a rebrand of something already taken down?
- Who is Coinbasecartel ransomware?
- Coinbasecartel is a ransomware group that first appeared in leak-site trackers in April 2026. Its origin is unconfirmed; it may be a rebrand of a dismantled predecessor or a new entrant to the ransomware-as-a-service ecosystem. Source: Lowdown tracker data
Background
Coinbasecartel appeared in ransomware leak-site trackers for the first time in April 2026, alongside LockBit5 and DragonForce as the dominant groups in that month's victim postings. Its origin is unconfirmed: the group may represent a rebrand of a dismantled predecessor, a splinter from an existing ransomware-as-a-service programme, or a genuinely new entrant to the ecosystem.
Across the March and April 2026 ransomware landscape, March alone recorded 808 victim postings across 65 active groups, a 19 per cent month-on-month increase and 33 per cent above the 2025 monthly average. New group names appearing in leak-site trackers do not necessarily represent new operators: under the ransomware-as-a-service model, affiliate programmes rebrand frequently after law-enforcement actions, with core infrastructure and operator networks surviving under new names.
For threat intelligence teams, Coinbasecartel's first appearance in the tracker is an attribution-pending data point rather than a confirmed new threat actor. Its naming pattern mirrors several other groups that used financial-brand references in their names; whether this signals a specific targeting theme or is coincidental requires further activity monitoring.