Attack alert: Coinbase Cartel targets Harbor Real Estate - US
Introduction
On December 9, 2025, Harbor Real Estate, a small American real estate agency (1 to 10 employees), was the victim of a cyberattack orchestrated by the Coinbase Cartel, a ransomware group also known as ShinyHunters. The incident, classified as SIGNAL level under the XC classification, reveals the persistent vulnerability of the real estate sector to digital threats. This compromise potentially exposes sensitive customer data, financial transaction information, and strategic proprietary intelligence. The attack illustrates the malicious group's strategy of targeting large corporations and small businesses alike, often exploiting security vulnerabilities in organizations with limited resources. According to our data certified on the Polygon blockchain, this incident is part of a wave of attacks targeting the real estate sector in the United States at the end of 2025.
The compromise of Harbor Real Estate raises crucial questions about data protection in real estate, a sector that handles highly sensitive information daily. Real estate agencies, even small ones, centralize comprehensive financial records, identity documents, credit histories, and details on valuable properties. This concentration of digital assets makes them prime targets for cybercriminals. The incident also highlights the specific challenges faced by small businesses: limited cybersecurity budgets, a lack of dedicated IT staff, and insufficient awareness of digital risks. Reviewing other attacks targeting the real estate sector helps contextualize this growing threat.
Detailed analysis
The very nature of the Ransomware-as-a-Service (RaaS) model operated by the Coinbase Cartel facilitates the proliferation of these attacks against victims of all sizes. Affiliates of the group can deploy targeted campaigns without in-depth technical expertise, in exchange for a commission on the ransoms collected. This democratization of cybercrime transforms every small business into a potential target, regardless of its reputation or apparent attack surface.
The Coinbase Cartel, a malicious actor also known as ShinyHunters, operates using a Ransomware-as-a-Service (RaaS) model that has revolutionized the cybercrime ecosystem for several years. This cybercriminal collective is distinguished by its ability to orchestrate large-scale campaigns while maintaining a decentralized structure. The group provides its affiliates with a complete technical infrastructure: encryption malware, administration panels, data leak sites, and operational support. In exchange, the operators pay a substantial commission on each ransom obtained, thus creating a lucrative and resilient criminal ecosystem.
The Coinbase Cartel's history reveals sustained activity targeting various economic sectors worldwide. The group has notably gained notoriety by compromising massive databases and publicly exposing sensitive information to maximize pressure on its victims. This double extortion strategy combines system encryption with the threat of publishing exfiltrated data, forcing organizations to negotiate even if they have functional backups. The group's TTPs (Tactics, Techniques, and Procedures) include exploiting known vulnerabilities, targeted phishing to gain initial access, and using legitimate remote administration tools to maintain persistence.
Previous victims of the Coinbase Cartel cover a broad spectrum: technology companies, financial institutions, government agencies, and, increasingly, smaller entities like Harbor Real Estate. This diversification of targets reflects the evolving threat landscape in 2025, where no organization is considered too small to be attacked. The full Coinbase Cartel profile provides an in-depth look at this group's capabilities and evolution.
The RaaS model offers several advantages for cybercriminals: reduced barriers to entry, pooled development costs, and dispersion of legal risks. For defenders, this structure makes attribution difficult and complicates dismantling efforts, as each affiliate operates semi-autonomously with varying infrastructures.
Harbor Real Estate represents a typical profile of a small American real estate agency, with between 1 and 10 employees according to our data. Despite its modest size, this organization handles critical information daily: purchase and rental files, clients' financial documents, bank details, identity documents, and information on valuable properties. This concentration of sensitive data makes even the smallest real estate agencies attractive targets for malicious actors.
Located in the United States, Harbor Real Estate operates in a complex regulatory environment where data protection obligations vary from state to state. The US real estate sector faces increasing cybersecurity demands, particularly with the gradual adoption of legislation inspired by the European GDPR in several states, such as California (CCPA) and Virginia (VCDPA). Agencies must now demonstrate appropriate security measures to protect their clients' personal information, or face substantial financial penalties.
Paradoxically, Harbor Real Estate's small size presents both a vulnerability and a challenge for attackers. On the one hand, limited cybersecurity resources facilitate the initial compromise: the absence of a Security Operations Center (SOC), basic detection solutions, and insufficient staff training. On the other hand, the ransom potential remains modest compared to large companies, which explains why the Coinbase Cartel favors an automated and scalable model.
The impact of this breach extends beyond Harbor Real Estate itself. Clients whose personal and financial data may have been exfiltrated risk identity theft, bank fraud, and the exploitation of their proprietary information. Property owners listed in the agency's systems could also see sensitive details about their assets publicly exposed, creating risks of burglary or targeted scams.
The technical analysis of the incident reveals a SIGNAL level of exposure according to the XC methodology, indicating a confirmed compromise, but the exact extent of the exfiltrated data is still being assessed. This level suggests that information was accessible to the attackers, without absolute certainty about the total volume compromised. Metadata extracted from our certified analysis shows that the intrusion was discovered on December 9, 2025, although the initial compromise date may have been several days or weeks earlier, consistent with the average ransomware detection time in 2025.
The nature of the data potentially exposed at a real estate agency like Harbor Real Estate typically includes several categories of sensitive information. Client files contain complete identification documents (driver's licenses, passports, social security numbers), detailed financial documents (bank statements, proof of income, credit history), and contractual information (leases, deeds of sale, financing terms). Proprietary databases include property listings with precise addresses, estimated values, floor plans, and sometimes access codes or security system information.
The NIST score associated with this incident is still being determined, as the forensic analysis is ongoing. However, the SIGNAL classification indicates a significant estimated impact, justifying a rapid response. The page "Understanding XC Criticality Levels" explains the nuances between SIGNAL, PARTIAL, FULL, and MINIMAL.
The attack method used by the Coinbase Cartel likely follows a classic pattern for this type of group: initial access through a phishing email or exploitation of a public vulnerability, privilege escalation, reconnaissance of the internal network, exfiltration of sensitive data to servers controlled by the attackers, and then deployment of ransomware to encrypt critical systems. The precise timeline of these steps requires a thorough forensic investigation, which our teams are continuing to conduct.
The risks to the exposed data include its resale on underground forums, its use for targeted fraud, or its public release if no ransom is paid. Financial and identity information are particularly valuable assets on the black market, with prices varying according to the recency and completeness of the records.
Frequently Asked Questions
When did the attack by the Coinbase Cartel on Harbor Real Estate occur?
The attack occurred on December 9, 2025, and was claimed by the Coinbase Cartel. The incident can be tracked directly on the dedicated alert page for Harbor Real Estate.
Who is the victim of the Coinbase Cartel?
The victim is Harbor Real Estate, which operates in the real estate sector. The company is located in the United States. You can search for Harbor Real Estate's official website. To learn more about the Coinbase Cartel threat actor and its other attacks, visit its dedicated page.
What is the XC protocol level for the attack on Harbor Real Estate?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on Harbor Real Estate has been claimed by the Coinbase Cartel but has not yet been confirmed by our community. Follow the progress of this alert.