The new hacking group that claimed last month to have stolen confidential source code and sensitive project files from SK Telecom is now threatening to leak that data if the telecommunications giant does not start negotiating with the fledgling gang.

The previously unknown ransomware group, CoinbaseCartel, apparently hoping to draw attention to itself and extract a ransom payout from the South Korean telecom, posted a new “Critical Announcement” on its dark web victim blog sometime on Tuesday.

“FULL SOURCE DISCLOSURE THIS WEEK,” the cybercriminal group – in no way connected to the Coinbase cryptocurrency exchange – wrote in the message to SK Telecom.

CoinbaseCartel leak site. Image by Cybernews.

The ransomware group claims to have infiltrated the telecom’s networks in mid-September, listing SK Telecom on its victim blog and on the notorious hacker marketplace BreachForums (or at least one of the forum's many reboots) on September 16th.

The hackers claim to have gotten their hands on source code exposing multiple internal company projects, build configurations, Dockerfiles, and even exposed AWS access keys.

Although it has not posted any screenshots to back up its claim, CoinbaseCartel reportedly holds 19.6 MiB of SK Telecom data and has provided a download link to a zip archive containing, among other files, multiple files with the .py (Python) extension.

“This is part of SK Telecom's source code, they haven't reported it to the South Korean government and refuse to engage,” the hackers write.

CoinbaseCartel leak site. Image by Cybernews.

The purported attackers say that their victims may request "a sample package via private access for verification" before entering into "discussions."

SK Telecom hacker woes

Cybernews researchers, who investigated the claim at the time, said it looked as if the attackers gained access to the system by compromising an employee's Bitbucket account.

Owned by Atlassian, Bitbucket is a Git repository management service allowing teams to build, test, and deploy code utilizing one centralized cloud-based location, its website states.

Cybernews reached out to SK Telecom when news of the hack first broke, but never heard back.

Based in Seoul, SK Telecom is South Korea’s largest mobile carrier and broadband provider, and one of the many subsidiaries of the global energy and multi-manufacturing behemoth SK Group.

With over 23 million customers, roughly half of the South Korean mobile market, SK Telecom (SKT) runs its own music platform, operates several professional sports teams, recently launched Korea’s largest AI semiconductor manufacturing company, and has its own strategic investment arm, SKT Americas, operating out of Silicon Valley, California.

Earlier this spring, in a separate attack, SK Telecom was claimed by the Qilin ransomware group, along with an alleged 1TB cache of stolen files.

In the aftermath, SK Telecom CEO Yoo Young-sang issued a public apology, and the company was forced to offer free SIM card replacements to all of its customers, saying it would “continue to implement ‘double and triple’ safety measures until the concerns and worries of customers were resolved.”

It was never revealed whether a ransom was paid to the Qilin attackers.

Who is CoinbaseCartel?

CoinbaseCartel appears to have first surfaced this September and has posted about 17 victims on its onion site since.

On its leak site, the group says it does not encrypt victims’ files; instead, its focus is “exclusively on data exfiltration—our operations never involve system encryption or operational disruption.”

CoinbaseCartel also states that it has no political, personal, or activist agenda, operating solely as a “purely commercial operation, limited to data acquisition.”

One ransomware watch site classifies the group as a data broker, and the gang itself insists it is not a ransomware group. We will set that distinction aside: whatever it calls itself, the untethered criminal gang is clearly holding its victims' data for financial extortion.

CoinbaseCartel leak site. Image by Cybernews.

Several other large corporations are posted alongside SK Telecom, including Desjardins Group, a Canadian financial services cooperative and North America’s largest federation of credit unions.

Besides the telecommunications and banking sectors, other targeted companies hail from the transportation, legal services, and media industries located in the US, Japan, and Europe.

According to a profile by iZoologic, known attack vectors include exposed or hardcoded credentials in source code, leaked repository access keys (e.g., AWS, Bitbucket, GitHub), insider-assisted access verification, and poor segmentation exposing internal tools and repositories.
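The vectors listed above, together with the build configurations, Dockerfiles and AWS access keys the group says it found in the stolen source, are exactly what a pre-commit or repository-wide secret scan is meant to catch before someone with a stolen Bitbucket login does. The following is an added example, not code from Cybernews, iZoologic, SK Telecom or CoinbaseCartel: a small Python secret scanner run over a constructed in-memory repository. The sample files, the rule names, and the entropy threshold are assumptions made for illustration; the AWS access key ID and secret key in the sample Dockerfile are the placeholder credentials AWS publishes in its own documentation, not real keys. Well-known formats (AWS access key IDs, GitHub classic tokens) are matched by regex; anything else that looks like a secret assignment is flagged only if its value has high Shannon entropy, which keeps obvious placeholders out of the report.

```python
"""Scan repository contents for leaked credentials (added example, not the page's code)."""
import math
import re
from dataclasses import dataclass

# Rules for documented credential formats. Bitbucket-specific token formats are
# deliberately left out because this example does not assume one.
SPECIFIC_RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]

# Fallback: a secret-looking assignment whose value is long and high-entropy.
GENERIC_RULE = re.compile(
    r"(?i)(?:secret|token|password|api_key)\w*\s*[=:]\s*['\"]?([A-Za-z0-9/+=_\-]{20,})")
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune per repository


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never log the full value; a scanner report is itself sensitive


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum((n / len(s)) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the file."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file; specific rules win over the generic entropy rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, rule in SPECIFIC_RULES:
            m = rule.search(line)
            if m:
                value = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(path, lineno, kind, redact(value)))
                matched = True
        if matched:
            continue
        m = GENERIC_RULE.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "generic_high_entropy", redact(m.group(1))))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents, in sorted path order for stable output."""
    out = []
    for path in sorted(files):
        out.extend(scan_text(path, files[path]))
    return out


# Constructed sample repository (not real data from any company). The AWS values
# are the documented AWS placeholder credentials, not live keys.
SAMPLE_REPO = {
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "COPY . /app\n"
    ),
    "build/settings.py": (
        "DEBUG = False\n"
        "GITHUB_TOKEN = 'ghp_0123456789abcdefghijklmnopqrstuvwxyz'\n"
        "API_KEY = 'q7Zr2PmxV9wLkT4bN8sHdE1cYf6aGu3J'\n"
        "PASSWORD = 'aaaaaaaaaaaaaaaaaaaaaaaa'\n"   # placeholder, low entropy: not reported
        "DB_HOST = 'db.internal'\n"
    ),
    "src/util.py": "import hashlib\nBUILD_ID = 'release-2025-09'\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
```

Run against a real checkout, `files` would be built by walking the working tree and, more importantly, every historical revision (`git log -p` or a tool that reads packfiles), since a key that was committed and later "removed" is still in the history an attacker clones. A Dockerfile `ENV` line is a particularly bad place for a key: it is baked into every image layer, so rotating the key and rebuilding is the only fix.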

Many of the victim names listed on the CoinbaseCartel site have also been previously claimed by other ransomware groups, leading Cybernews to question if the claimed breaches are just recycled, already stolen data.

