DataInTheDark
News

Attack alert: Coinbase Cartel targets Twinsoft - FR

DataInTheDark Alert System
6 min read

Introduction

On December 12, 2025, Twinsoft, a French publisher of ERP and CRM software for SMEs, was the victim of a cyberattack claimed by the Coinbase Cartel group (also known as ShinyHunters). This compromise, certified on the Polygon blockchain with an XC SIGNAL level, exposes a company with 10 to 50 employees and an estimated turnover of €5 million. The incident illustrates the growing vulnerability of French SMEs in the software sector to malicious actors operating according to a Ransomware-as-a-Service (RaaS) model. Founded in 1987, Twinsoft manages sensitive customer data and critical business processes, making this intrusion particularly concerning for the small and medium-sized enterprise ecosystem.

The attack comes in a context where ransomware is increasingly targeting mid-sized companies, which are often less equipped than large corporations to deal with these sophisticated threats. The XC SIGNAL classification indicates early detection of the incident, a crucial element in limiting the extent of potential damage. This breach raises urgent questions about the protection of customer data hosted by management solution providers, particularly in the information technology sector.

Detailed analysis

The Coinbase Cartel group, a recognized malicious actor in the cybercrime ecosystem, operates according to a RaaS model that democratizes access to ransomware tools. This approach allows less technically skilled affiliates to conduct sophisticated attacks against a variety of targets. Also known as ShinyHunters, this collective specializes in the exfiltration and monetization of sensitive data, often combining system encryption with the threat of public disclosure of the stolen information.

Coinbase Cartel's modus operandi relies on a double extortion strategy: attackers encrypt the victim's systems while simultaneously exfiltrating critical data, which they threaten to publish or sell if the ransom is not paid. This tactic significantly increases the pressure on compromised organizations, particularly those handling customer information or trade secrets. The RaaS model allows the group to launch multiple simultaneous attacks through a network of commission-based affiliates.

Historically, Coinbase Cartel has demonstrated an ability to target companies of all sizes, with a marked preference for organizations in the technology and services sectors. The group's previous victims include European and North American companies, often selected for their critical reliance on IT systems and their financial capacity to pay ransoms. The group's technical infrastructure suggests a high level of sophistication, with varied initial attack vectors including the exploitation of unpatched vulnerabilities and targeted phishing.

Coinbase Cartel affiliates benefit from a comprehensive platform including encryption tools, command and control infrastructure, and technical support to maximize the effectiveness of intrusions. This industrialization of ransomware transforms cybercrime into a viable business model, attracting actors motivated by profit rather than exceptional technical skills.

Twinsoft, founded in 1987, has established itself as a key player in the French market for management software for small and medium-sized enterprises (SMEs). With an estimated workforce of 10 to 50 employees and annual revenue of approximately €5 million, the company represents the typical profile of a French tech SME: structured enough to manage large clients, but potentially limited in cybersecurity resources compared to major software vendors.

Twinsoft's core business focuses on developing and distributing ERP (Enterprise Resource Planning) and CRM (Customer Relationship Management) solutions tailored to the needs of SMEs. This software manages critical functions such as accounting, sales management, human resources, and customer relationship management. The very nature of these tools involves the processing and storage of highly sensitive data: customer financial information, employee personal data, business strategies, and sometimes banking information.

Twinsoft's location in France subjects it to the strict requirements of the General Data Protection Regulation (GDPR), which are particularly relevant in the context of a potential data breach. As a software publisher processing data on behalf of its clients, Twinsoft assumes the responsibilities of a data processor under the GDPR, with enhanced obligations regarding security and breach notification. The company's long history (nearly 40 years in business) suggests an established customer base, increasing the potential impact of any data leak.

The size of the organization, while allowing for a certain operational agility, can be a disadvantage against sophisticated cyber threats. Software SMEs rarely have dedicated Security Operations Centers (SOCs) or incident response teams, making them particularly vulnerable to ransomware attacks that target organizational as well as technical vulnerabilities.

The XC SIGNAL classification assigned to this attack indicates early detection, suggesting that the incident was identified before a mass exfiltration or full encryption of systems. This criticality level, although the lowest on the XC scale (SIGNAL, MINIMAL, PARTIAL, FULL), should not be underestimated: it signals a confirmed compromise requiring an immediate response to prevent escalation to higher criticality levels.

The lack of detailed public data on the exact volume of information exposed is typical of SIGNAL-classified incidents, where the attacker's claim of responsibility often precedes the full disclosure of the exfiltrated data. This phase represents a critical window of opportunity for the compromised organization: it can still negotiate, strengthen its defenses, or prepare a crisis communication strategy before the potential publication of the data on the Coinbase Cartel group's leak sites.

For a vendor like Twinsoft, the potentially exposed data likely includes proprietary source code, customer databases containing information about client companies, system configurations, and potentially access keys or certificates. Exposing source code poses a particular risk: it can reveal exploitable vulnerabilities in products deployed at customer sites, creating a domino effect of potential compromises throughout the entire user ecosystem.

The incident timeline, with a discovery dated December 12, 2025, suggests relatively rapid detection, possibly through monitoring systems or a third-party alert. Rapid detection is a critical factor in limiting damage: every hour of undetected persistence allows attackers to deepen their access, exfiltrate more data, and establish persistence mechanisms that are more difficult to eradicate.

The initial attack vector remains undocumented in publicly available information, but intrusions targeting SMEs in the software sector generally follow predictable patterns: exploitation of vulnerabilities in unpatched network appliances, compromise of privileged accounts via phishing, or exploitation of poorly secured cloud configurations. The post-incident investigation must precisely identify the point of entry to prevent similar compromises in the future.

Frequently asked questions

When did the attack by Coinbase Cartel on Twinsoft occur?

The attack occurred on December 12, 2025 and was claimed by Coinbase Cartel. The incident can be tracked directly on the dedicated alert page for Twinsoft.

Who is the victim of Coinbase Cartel?

The victim is Twinsoft, which operates in the software sector. The company is located in France. You can search for Twinsoft's official website. To learn more about the Coinbase Cartel threat actor and their other attacks, visit their dedicated page.

What is the XC protocol level for the attack on Twinsoft?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on Twinsoft has been claimed by Coinbase Cartel but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

The French software sector is facing an intensification of ransomware cyberattacks, with a significant increase in incidents targeting tech SMEs projected for 2025. Software publishers represent particularly attractive targets for cybercriminals: they hold data from multiple clients, often possess valuable intellectual property, and their compromise can serve as a vector for chain attacks against their customer base (supply chain attacks).
