
Grafana refuses to pay ransom after source code stolen via GitHub token

An attacker compromised Grafana Labs by gaining access to its GitHub environment, where the company’s source code, among other things, was available. Grafana refused to pay to keep the source code secret. No customer data is believed to have been stolen.

There are also no indications that customer systems were accessible from the compromised environment. Grafana recently discovered the activity and immediately launched a forensic investigation. The stolen login credentials have since been invalidated, and additional security measures have been implemented.

Extortion attempt and FBI advice

In addition to the data theft, the attacker attempted to blackmail Grafana: payment would prevent the stolen source code from being made public. Grafana refused to pay the ransom, citing advice from the FBI, which warns organizations that paying does not guarantee the return of data. Paying attackers also encourages copycats, or cyber collectives that are more motivated than ever to demand ransom.

It is unknown when the attack took place and how long the attacker had access. Grafana has not linked the incident to a known group, but security firms Hackmanac and Ransomware.live point to CoinbaseCartel as the responsible party.

CoinbaseCartel: offshoot of known groups

CoinbaseCartel emerged in September 2025 as a group focused exclusively on data theft and extortion. It does this without encrypting systems, unlike traditional ransomware groups. According to Analyst1, the group explicitly positions itself as a party that only exfiltrates sensitive data. Security firms Halcyon and Fortinet FortiGuard Labs describe CoinbaseCartel as an offshoot of the ShinyHunters, Scattered Spider, and LAPSUS$ groups. According to Ransomware.live, the group now has 170 victims across sectors such as healthcare, technology, transportation, manufacturing, and business services.

That number grew rapidly. Cryptika reported that the group claimed fourteen victims in its first month alone. ShinyHunters, one of the groups from which CoinbaseCartel emerged, previously demanded a ransom from the American edtech company Instructure, the creator of Canvas. That company decided to pay to prevent the leak of terabytes of school data. It is a decision that sparked much controversy.
