The Coinbase Cartel Hit Four Major Verticals In Eight Days. Carnival Cruise Is The Fourth. Six Million Records. The Confederation Pace Is Now One Vertical Every Forty-Eight Hours.
- Patrick Duggan
ShinyHunters posted Carnival Cruise to the Trinity of Chaos leak site this afternoon with a claim of approximately six million customer records. Carnival is the fourth major-vertical victim the Coinbase Cartel confederation has posted in an eight-day window. The four are Canvas Instructure on May 22 with three-and-a-half terabytes of education-sector data, DentaQuest on May 23 with a small initial claim of seven-hundred-forty-four user records that is almost certainly understated, Charter Communications this morning with four-point-nine million telecom customer records, and now Carnival this afternoon. Four verticals, eight days, approximately two-hundred-eighty-six million claimed records across the four major incidents.
This is not a campaign in the traditional sense. It is a productized leak operation operating at a measurable weekly tempo. The confederation is processing one major-vertical victim every forty-eight hours on average. Education then dental insurance then telecom then hospitality. The verticals are structurally independent — no shared vendor, no shared SaaS dependency, no shared regulatory framework. The connecting tissue is the operator's targeting methodology, which selects across verticals for the same structural property.
We named the property on May 28 in the DentaQuest blog. The property is consent-leak reputational lethality — data that, when leaked, carries class-action and regulatory exposure disproportionate to the dataset's raw market value. The actor's optimization function is not record-count maximization. It is record-class-times-leak-pressure maximization. Carnival's six-million-person cruise customer dataset includes passport numbers, payment card data, travel itineraries, family-grouping data, dietary and medical accommodations on file with the cruise line, and frequent-cruiser loyalty profiles. Each record is high-density compared to the average e-commerce customer record. The cruise industry has a documented class-action infrastructure — the same plaintiffs' bar that has been suing cruise lines since the 2020 COVID outbreaks knows the playbook for consumer-protection cases against this industry. Class-action filings will start within fourteen days of any public sample-tranche drop.
The brand-protection cost calculation is what makes this vertical structurally attractive to the actor. Carnival, Royal Caribbean, Norwegian Cruise Line, and Disney Cruise Line all spend enormous brand-protection budgets to manage the consumer perception of cruise safety. A six-million-record leak with passport numbers and payment data attached creates immediate brand damage that the affected company will spend significant operational resources to contain. The leak-pressure-to-ransom-payment conversion ratio for cruise industry victims is historically strong, which is exactly why a sophisticated leak-site operator picks the vertical.
The pace claim is now the load-bearing receipt for the entire frame. We have been writing about the Coinbase Cartel confederation since May 21, when the IOC coinbase-cartel-confederation-2026 was indexed in our threat-intelligence corpus naming the alliance of ShinyHunters, Scattered Spider, and LAPSUS$ acting in overlapping cells with specialized tradecraft. We shipped the ShinyHunters adversary profile on May 23. We shipped the Instructure ransom-payment receipt on May 28 with the ten-million-dollar settlement and the cryptographic shred-logs proof. We shipped the DentaQuest vertical-pivot piece on May 28 with the consent-leak verticals framework. We shipped the Trinity of Chaos naming-convergence piece this morning at six AM observing that three independent naming streams — ours, the actor's self-branding on the Tor leak site, and Resecurity's third-party tracking — all converge on the same operator constellation. The Charter morning posting and the Carnival afternoon posting on the same day are the operational confirmation that the pace claim is correct.
The forward prediction the framework now requires is two corrections to the prediction model we shipped yesterday.
The first correction is that the candidate set for the next vertical pivot was too narrow. The DentaQuest piece predicted mental-health teletherapy, K-12 student-data SaaS below the higher-education tier, or HIV-STI-reproductive-health platforms. Carnival landed in a fourth vertical — consumer hospitality — within twenty-four hours of the prediction post. The structural property is correct but the named candidate buckets were insufficient. The corrected candidate set adds consumer hospitality at major scale (cruise lines, hotel chains, theme parks), consumer fitness platforms with biometric data attached (gym chains, mental-fitness apps), and consumer transit at platform scale (rideshare, ferry operators, large-fleet bus operators).
The second correction is that the tempo prediction was too slow. We said four-to-six weeks for the next pivot, which implied roughly weekly pivots. The actual observed tempo is twice-weekly major-vertical pivots — Charter in the morning, Carnival in the afternoon, within a single day. The corrected forward prediction is two new verticals per week for the next ninety days unless the alliance burns its tradecraft on a target that produces a serious-enough IR response to surface infrastructure correlations, or unless a coordinated law-enforcement disruption lands. Neither of those is the base case at this writing. The base case is sustained twice-weekly tempo through August.
The verticals the alliance has not yet hit are the gap worth tracking. Financial services — banks, securities firms, payments processors at major scale — are notably absent. Asopagos in Colombia was hit today but by Everest, not by the Coinbase Cartel cells. Government — federal-civilian agency data, state-AG-administered programs — is absent. The closest today is the World Trade Center Health Program, which was hit by TridentLocker, not by the alliance. Defense industrial base — DIB contractors, ITAR-regulated data — is absent. Either the alliance is deliberately avoiding these verticals because the law-enforcement response calculus is different, or they will land in the next thirty days. If they land, the IR response will be different in character because the regulatory and federal-incident-response machinery for those targets is structurally different from the consumer-PII machinery the alliance has been exercising.
For the consumer hospitality vertical's defender community, the operational implications are concrete. Every cruise line, hotel chain at the major brand level, theme park operator with large customer databases, and travel-services platform with passport-bearing customer records should be auditing the contractor-access matrix this week. The DentaQuest-style third-party-credential vector is consistent across several of the alliance's previous victims. The Scattered Spider cell within the confederation specializes in social engineering by native-English-speaking callers against US help-desk teams, and the help-desk teams are typically the most-outsourced layer in an enterprise's identity stack. Cruise-line customer-service operations are large, English-language, US-targeted, and heavily outsourced. The structural shape matches the alliance's preferred entry point exactly.
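One way to run the contractor-access audit described above, as an added example that is not part of the original post: it flags third-party principals that hold identity-reset privileges, read high-density customer data, use weak MFA, or have not been reviewed recently. The CSV layout, every principal, vendor and resource name, the privilege labels and the thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample matrix: every principal, vendor and resource name is invented.
SAMPLE_MATRIX = """principal,employer,role,privilege,resource,mfa,last_reviewed
alice,internal,helpdesk_l2,mfa_reset,idp,fido2,2026-05-01
vendor-cs-014,ExampleBPO,helpdesk_l1,password_reset,idp,sms,2025-11-12
vendor-cs-014,ExampleBPO,helpdesk_l1,read,booking_db,sms,2025-11-12
vendor-cs-022,ExampleBPO,helpdesk_l1,read,faq_portal,fido2,2026-04-20
vendor-it-003,ExampleMSP,crm_admin,integration_admin,crm,totp,2026-01-05
"""

IDENTITY_PRIVS = {"password_reset", "mfa_reset", "integration_admin"}  # assumed labels
HIGH_DENSITY = {"booking_db"}   # assumed tag: stores holding passport or payment data
WEAK_MFA = {"none", "sms"}      # assumed policy: factors this audit treats as weak
REVIEW_MAX_DAYS = 90            # assumed access-review interval

def audit(matrix_csv, today):
    """Return {principal: (score, sorted reasons)} for third-party grants only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(matrix_csv)):
        if row["employer"] == "internal":
            continue  # this audit covers the outsourced layer
        reasons = set()
        if row["privilege"] in IDENTITY_PRIVS:
            reasons.add("third-party-identity-privilege")
        if row["resource"] in HIGH_DENSITY:
            reasons.add("third-party-high-density-data")
        if row["mfa"] in WEAK_MFA:
            reasons.add("weak-mfa")
        age = (today - date.fromisoformat(row["last_reviewed"])).days
        if age > REVIEW_MAX_DAYS:
            reasons.add("stale-review")
        if reasons:
            findings.setdefault(row["principal"], set()).update(reasons)
    return {p: (len(r), sorted(r)) for p, r in findings.items()}

def worst_first(findings):
    """Order principals by number of distinct findings, then by name."""
    return sorted(findings, key=lambda p: (-findings[p][0], p))

if __name__ == "__main__":
    result = audit(SAMPLE_MATRIX, date(2026, 6, 1))
    for principal in worst_first(result):
        print(principal, *result[principal])
```

Reasons are merged per principal across rows, so an outsourced account that can both reset credentials and read the booking store ranks above one that holds either grant alone.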
We have been calling the alliance the Coinbase Cartel internally because the payment-routing-derived name still reflects the most distinctive OPSEC signal. Externally the actor brand is Trinity of Chaos. Resecurity tracks the same alliance. The taxonomy is now triangulated across three independent naming streams. The defender community should treat the alliance as the unit of analysis, audit the help-desk outsourcer matrix, audit the Salesloft Drift Salesforce integration if installed, and prepare for the next major-vertical posting within the next forty-eight hours.
Canvas. DentaQuest. Charter. Carnival. The factory line is running on shift. The fifth vertical is coming this weekend.
