COINBASECARTEL ransomware group lists Tab Service as victim on dark web leak site

An OSINT investigation flagged a notable development in the ransomware ecosystem: the COINBASECARTEL threat actor listed Tab Service as a victim on their dark web leak site, according to monitoring reports shared via open source intelligence channels. The posting, flagged in the #osint community on Mastodon and tracked by threat intelligence sources such as redpacketsecurity.com, signals that the group has exfiltrated data from the target and is now applying pressure for ransom payment. The timing and specifics of the breach remain under investigation, but the listing marks Tab Service as the latest organization caught in the crosshairs of this relatively emerging ransomware operation.

COINBASECARTEL operates as a ransomware-as-a-service (RaaS) group that targets organizations across multiple sectors, leveraging double-extortion tactics—encrypting systems while stealing sensitive data to maximize leverage over victims. The group's naming convention, referencing a major cryptocurrency exchange, has drawn attention within the threat intelligence community, though the nature of any direct connection to that exchange remains unclear and unconfirmed. Ransomware groups frequently adopt high-profile brand names for intimidation value rather than indicating actual affiliation. Tab Service's industry vertical and the volume of data potentially exposed have not yet been fully disclosed by OSINT researchers monitoring the leak site.

The incident highlights the continued proliferation of ransomware groups using dark web platforms to name-and-shame victims into compliance. Organizations operating in sectors attractive to financially motivated cybercriminals are advised to review incident response capabilities and monitor for potential data exposure. Threat intelligence sources continue to track COINBASECARTEL's victim postings, and further details about the scope of the Tab Service breach are expected as the situation develops.