The CoinbaseCartel ransomware group, which claimed to have stolen part of SK Telecom’s internal code, has posted an ultimatum on its website: if the telecom doesn’t start negotiations, they will release “FULL SOURCE DISCLOSURE THIS WEEK.” The attackers claim to have ~**19.6 MB** of files (including `.py`) at their disposal and provide a link to the archive, but few samples have been shown publicly so far.

What happened: CoinbaseCartel reported that they gained access to SK Telecom’s repositories around mid-September and have unique project files, build configurations (Dockerfile), and potentially public keys to access cloud services (AWS). The group is publicly demanding negotiations and hinting at publishing the entire code if the demands are not met.
What is known from the facts: at the time of publication, the group did not show a large amount of visual evidence, but provided a link to a ZIP with several files; Cybernews journalists estimated the volume of materials at ~19.6 MB. Earlier this year, SK Telecom had already suffered from other leaks (in particular, the incident related to the Qilin group, which featured 1 TB of data).
Possible vector of compromise: Cybernews’ investigation indicated a possible compromise of an employee’s Bitbucket account; cloud-based repositories often contain secrets or allow access to internal tools.
Company response: SK Telecom did not provide comments to Cybernews’ initial request; previously, under the CEO’s signature, the company had already been forced to replace SIM cards after another incident and spoke about additional security measures.
What is CoinbaseCartel: A new group, spotted in September; on its onion website, it positions itself as “purely commercial” — without political motivation — and focuses on data exfiltration (not file system encryption). The website lists about 17 victims, including large corporations from various sectors.
Risks: Even small pieces of code or configuration can contain hard-coded credentials or open up access to internal CI/CD tools or cloud accounts, which increases the risk of further attacks and vendor compromises.
SK Telecom is the largest mobile operator in South Korea, with over 23 million subscribers; the company has its own AI initiatives and global investments. Over the past year, the telecom has already experienced several security incidents: for example, attacks related to Qilin led to large-scale consequences, including SIM card replacements and public apologies from management. More broadly, leaks from repositories and vendor services (Bitbucket, GitHub, AWS keys) are increasingly becoming the “entrance” for large-scale compromises, which is why many experts advise stricter segmentation, secret rotation and thorough access auditing.

The CoinbaseCartel incident is another reminder that protecting code and secrets in repositories is a critical part of modern companies’ cybersecurity. Even if there is currently little public evidence of the extent of the material, the risks from open or hard-coded secrets are high: companies are advised to urgently review access, rotate keys, enable two-factor authentication for repositories, and implement secret verification processes in CI/CD, and users are advised to monitor official operator announcements and subscribe to incident alerts.
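
As an illustration of the secret check in CI/CD recommended above, here is an added example (not code from the article, Cybernews or SK Telecom) that scans the kinds of files mentioned in the claim, a Dockerfile and a `.py` module, for hard-coded credentials. The file contents, rule names and the entropy threshold are assumptions chosen for the example.

```python
import math
import re

# Constructed samples, not from any leak; AWS values are AWS's documented placeholders.
SAMPLE_FILES = {
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "ENV AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "ENV AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "settings.py": (
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"   # read at runtime: clean
        "API_TOKEN = 'changemechangeme'\n"            # low-entropy placeholder
        "SIGNING_KEY = 'q8Zr2LwX9vT4bN7mK1pY6dH3sF0jG5cA'\n"
    ),
}

# Provider-specific patterns are checked first; rule names are assumptions.
SPECIFIC_RULES = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Fallback: a secret-looking name assigned a literal of 16+ characters.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:secret|token|password|passwd|key)\w*\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=_-]{16,})"
)

def entropy(s):
    """Shannon entropy in bits per character; random keys score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def scan(files, min_entropy=3.5):
    """Return (path, line number, rule) per finding; never echo the secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            rule = next((n for n, rx in SPECIFIC_RULES.items() if rx.search(line)), None)
            match = ASSIGNMENT.search(line) if rule is None else None
            if match and entropy(match.group(1)) >= min_entropy:
                rule = "high-entropy-secret"
            if rule:
                findings.append((path, lineno, rule))
    return findings

if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    print("\n".join(f"{p}:{n}: {r}" for p, n, r in results))
    raise SystemExit(1 if results else 0)  # non-zero exit fails the CI job
```

Any key flagged this way should be treated as exposed and rotated, since removing it from the current revision does not remove it from repository history.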