Access to GitHub Infrastructure

Cyberattack: Grafana Labs Confirms Source Code Theft


Following extortion attempts by the Coinbase Cartel, Grafana Labs has confirmed a cyberattack on its GitHub environment and the theft of source code.

US software provider Grafana Labs has officially confirmed a security incident affecting its development infrastructure. According to the company, a threat group that has not yet been fully identified managed to infiltrate its protected GitHub environment. Access was enabled by a compromised API token that granted the attackers broad read-only permissions. The provider of open-source visualization and analytics software stated that the attackers deliberately used this access to download the entire codebase of the software project. The incident became public after the company appeared on a darknet extortion website.


Cyberattack: Ransom Demand Issued

Immediately after discovering the unauthorized activity, Grafana Labs launched a forensic investigation to determine the full scope of the data exfiltration. In an initial incident statement, the company emphasized that, based on current findings, no personal data or confidential customer information was affected by the theft. Since the compromised environment was strictly separated from operational production systems, there is also no indication that customer systems or the ongoing operation of Grafana services were impacted or altered by the incident. As an immediate response, all affected credentials and tokens were revoked, and additional security barriers were implemented to protect the GitHub repositories from further unauthorized access.
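The pattern described above, a single read-only token used to clone a whole codebase, is what a defender would want to catch before the extortion note arrives. The following detector is an added illustration, not code from Grafana Labs or from GitHub; it runs over constructed, simplified audit-log lines (field names are assumptions, not GitHub's exact schema) and flags any token that clones an unusual number of distinct repositories within a short window, producing a revocation candidate list.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled loosely on a GitHub audit-log stream (simplified
# field names; these are NOT Grafana Labs' logs). One token clones many distinct
# repositories within seconds, while a CI token re-clones the same repo repeatedly.
SAMPLE_LOG = """\
{"action":"git.clone","actor":"ci-runner","token_id":"tok_ci","repo":"org/app","ts":"2026-01-10T02:00:05Z"}
{"action":"git.clone","actor":"ci-runner","token_id":"tok_ci","repo":"org/app","ts":"2026-01-10T02:14:12Z"}
{"action":"git.clone","actor":"dev-alice","token_id":"tok_x","repo":"org/app","ts":"2026-01-10T03:00:01Z"}
{"action":"git.clone","actor":"dev-alice","token_id":"tok_x","repo":"org/infra","ts":"2026-01-10T03:00:07Z"}
{"action":"git.clone","actor":"dev-alice","token_id":"tok_x","repo":"org/billing","ts":"2026-01-10T03:00:13Z"}
{"action":"git.clone","actor":"dev-alice","token_id":"tok_x","repo":"org/dashboards","ts":"2026-01-10T03:00:20Z"}
{"action":"git.clone","actor":"dev-alice","token_id":"tok_x","repo":"org/agent","ts":"2026-01-10T03:00:26Z"}
{"action":"git.push","actor":"dev-bob","token_id":"tok_y","repo":"org/app","ts":"2026-01-10T03:05:00Z"}
"""

def parse_events(raw):
    """Parse newline-delimited JSON audit events, converting timestamps to datetimes."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def find_bulk_cloners(events, window=timedelta(minutes=10), min_repos=4):
    """Flag tokens that clone >= min_repos distinct repositories inside any sliding
    window. Returns {token_id: (actor, sorted distinct repos)} for flagged tokens."""
    by_token = defaultdict(list)
    for e in events:
        if e["action"] == "git.clone":          # only clone events matter here
            by_token[e["token_id"]].append(e)
    findings = {}
    for tok, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window forward
            repos = {e["repo"] for e in evs[start:end + 1]}
            if len(repos) >= min_repos and (best is None or len(repos) > len(best[1])):
                best = (evs[end]["actor"], sorted(repos))
        if best:
            findings[tok] = best
    return findings

if __name__ == "__main__":
    for tok, (actor, repos) in find_bulk_cloners(parse_events(SAMPLE_LOG)).items():
        print(f"revocation candidate {tok} ({actor}): {len(repos)} repos cloned: {repos}")
```

Thresholds and window length are assumptions to be tuned per organization; the CI token that repeatedly clones one repository is deliberately not flagged, since distinct-repo breadth, not clone volume, is the signal.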

Following the data theft, the attackers attempted to extort the company financially. They demanded a ransom payment and threatened to publish the stolen source code online if their demands were not met. However, in a public statement on LinkedIn, Grafana Labs management clarified that the company had decided to refuse all ransom payments. The company justified this decision by referring to official guidance from the Federal Bureau of Investigation (FBI). The federal agency regularly warns organizations against paying ransoms to cybercriminals, as such payments provide no guarantee that stolen data will remain secure or unpublished while simultaneously creating financial incentives for future attacks.

Links to Established Cybercriminal Networks

Responsibility for the cyberattack has been attributed to a group operating under the name Coinbase Cartel. The gang listed Grafana Labs on its darknet leak website and threatened to cause the company “more damage than imaginable.” Coinbase Cartel differs from traditional ransomware groups in its operational methods. Active since September 2025, the group completely avoids the use of file-encrypting malware. Instead, its business model focuses entirely on the theft of sensitive corporate data followed by pure data extortion. According to the group’s darknet platform, 105 organizations are currently listed as victims of successful breaches and subsequent extortion attempts. IT security experts stress that the group has no connection to the well-known cryptocurrency exchange Coinbase.


Analyses by cybersecurity firms indicate that Coinbase Cartel maintains close personnel and technological ties to more established cybercriminal actors. Experts view the group as either a direct offshoot or a close affiliate of networks such as ShinyHunters, Scattered Spider and Lapsus$. These criminal collectives have reportedly cooperated closely since mid-2025, with some indicators even suggesting collaboration dating back to 2024. The alliance has been conducting a large-scale campaign focused on the theft of intellectual property for months. Breaches and extortion attempts targeting well-known technology and service companies such as Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic have previously been claimed under the established ShinyHunters brand.

The theft of Grafana Labs’ codebase is considered particularly serious because the company’s visualization tools play a central role in modern IT infrastructure monitoring. Around 25 million users worldwide rely on the company’s open-source web applications. Among its more than 7,000 commercial customers are global technology companies such as Microsoft, Nvidia, Salesforce, Bloomberg and AI startup Anthropic. The stolen source code contains the core logic for monitoring dashboards and data analytics processes. Grafana Labs announced that, once the ongoing forensic investigation has been completed, it will publish a detailed post-incident review in order to transparently share the lessons learned with the security community.

Lisa Löw


Junior Editor

it-daily.net
