Stolen GitHub token downloaded Grafana code, extorted company
Grafana disclosed that an unauthorized party used a stolen GitHub token to access and download parts of its codebase and demanded payment; no customer data was accessed.
Grafana disclosed that an unauthorized party used a stolen GitHub token to access its GitHub environment, download parts of the company’s codebase and demand payment. The company reported that its investigation found no access to customer data, personal information or customer systems.
Upon discovery, Grafana launched a forensic investigation, revoked the compromised token and implemented additional security controls in its development environment. The company declined the extortion demand and cited guidance from the U.S. Federal Bureau of Investigation when choosing not to pay.
The FBI warns on its website that negotiating with extortionists “encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
Grafana did not disclose when the activity occurred, how long the token had been valid, or which repositories and products were accessed. The company noted it learned of the incident “recently” and has not attributed the theft to a known threat actor.
Security reporting indicates a cybercrime group calling itself CoinbaseCartel has claimed responsibility. Researchers tracking the group trace its activity to September 2025 and describe it as a data-extortion crew focused on stealing information and demanding payment rather than deploying traditional ransomware.
Analyses link CoinbaseCartel to actors associated with earlier data-theft groups and attribute roughly 170 victims to the group across healthcare, technology, transportation, manufacturing and business services.
Grafana provides observability tools and cloud-hosted services, including Grafana Cloud. The company did not confirm whether code for specific products or services was among the materials downloaded and said it will continue forensics and remediation to secure its development environment.
Days earlier, education-technology company Instructure settled with an extortion group after threats to publish terabytes of data from thousands of schools and universities. Security observers note that access via exposed or stolen developer credentials remains a common method for obtaining source code and other intellectual property.








