Trinity Of Chaos Is What The Operators Call The Coinbase Cartel. Three Naming Streams Converge On One Constellation. ShinyHunters Added Charter Today For Four Point Nine Million Records.
- Patrick Duggan
We named the Coinbase Cartel on May 21. On that date we indexed an IOC in our threat-intelligence corpus naming the operator constellation as the confederation of ShinyHunters, Scattered Spider, and LAPSUS$ acting in overlapping cells with specialized tradecraft. The framing was derived from observation of the alliance's payment-routing infrastructure across mixers and exchanges, which is where the Coinbase reference in the name comes from. Independently, Resecurity has been tracking the same alliance under the name the operators themselves use on their public data leak site — Trinity of Chaos, launched on Tor in October 2025 with thirty-nine victim companies including Aeromexico, AirFrance, Google, Cisco, Stellantis, and Qantas Airlines. The DugganUSA name, the Resecurity name, and the actor's self-branding all converge on the same constellation.
That convergence is the load-bearing observation in this post. It is unusual for an independent threat-intelligence team's frame to converge with the actor's self-branding. When it does, it is evidence that the frame is at the correct altitude. The Coinbase Cartel framing was derived from observation of payment-routing patterns. The Trinity of Chaos framing was the actor's own brand identity for the alliance. The Resecurity framing is a third-party-research-firm assessment of the same alliance composition. Three independent observations agree that the operator constellation is composed of these three cells, that the cells specialize as described, and that the alliance is the right unit of analysis.
The three cells are functionally distinct but collaborate on the same target sets. LAPSUS$ runs the talent pipeline — recruiting English-native callers via Telegram and providing social-engineering capacity to the confederation. Scattered Spider executes the social engineering — help-desk attacks, English-language US-targeted vishing, SIM-swap operations. ShinyHunters runs the leak-site and brokerage layer — Tor-hosted leak listings, payment routing through the mixers and exchanges that gave us the Coinbase Cartel name. ShinyHunters does not do its own social engineering. Scattered Spider does not run its own leak-site infrastructure. LAPSUS$ does not directly extort the victim. The alliance is the unit that owns all three functions, and the three cells are the unit's specialized organs.
The defender implication is concrete. Any alert tied to one of the three cell names should be cross-correlated against the other two. The next breach Scattered Spider executes will likely surface on the ShinyHunters leak site with LAPSUS$-pipeline social-engineering DNA in the help-desk transcript. A defender who treats the three names as separate adversaries undercounts the actor capacity by a factor of three. The detection rules and the IR playbooks and the threat-intel feeds all need to be updated to reflect that the unit of analysis is the alliance, not the cell.
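One way to act on that implication in an alert pipeline is to normalize every naming stream (the three cell names, the operator brand, and the DugganUSA name) to a single alliance key before counting, then look for more than one cell's tradecraft hitting the same target inside a window. The code below is an added illustration, not DugganUSA's or Resecurity's tooling; the alert fields (`ts`, `actor`, `target`, `kind`) and the sample events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Alias table: every name the post uses for the confederation maps to one alliance key.
ALLIANCE = "trinity-of-chaos"
ALIASES = {
    "shinyhunters": ALLIANCE, "scattered spider": ALLIANCE, "lapsus$": ALLIANCE,
    "trinity of chaos": ALLIANCE, "coinbase cartel": ALLIANCE,
}

def alliance_of(actor_tag: str) -> str:
    """Normalize a feed's actor tag to the alliance key; unknown tags pass through unchanged."""
    tag = actor_tag.strip().lower()
    return ALIASES.get(tag, tag)

def correlate(alerts, window=timedelta(days=90)):
    """Count alerts per raw actor tag and per alliance, then flag (alliance, target)
    clusters where more than one cell appears within the window. The per-actor view
    is what a defender sees when the three names are treated as separate adversaries."""
    per_actor = defaultdict(int)
    clusters = defaultdict(list)
    for a in alerts:
        per_actor[a["actor"].lower()] += 1
        clusters[(alliance_of(a["actor"]), a["target"])].append(a)
    per_alliance = defaultdict(int)
    cross_cell = []
    for (alliance, target), group in clusters.items():
        per_alliance[alliance] += len(group)
        group.sort(key=lambda a: a["ts"])
        cells = sorted({a["actor"].lower() for a in group})
        span = group[-1]["ts"] - group[0]["ts"]
        if len(cells) > 1 and span <= window:
            cross_cell.append({"alliance": alliance, "target": target,
                               "cells": cells, "span_days": span.days})
    return {"per_actor": dict(per_actor), "per_alliance": dict(per_alliance),
            "cross_cell": cross_cell}

# Constructed sample alerts (not real events): three feeds tag three cells against one victim.
SAMPLE = [
    {"ts": datetime(2026, 1, 3), "actor": "LAPSUS$", "target": "telco-A", "kind": "recruiting-telegram"},
    {"ts": datetime(2026, 1, 20), "actor": "Scattered Spider", "target": "telco-A", "kind": "helpdesk-vishing"},
    {"ts": datetime(2026, 2, 15), "actor": "ShinyHunters", "target": "telco-A", "kind": "leak-site-post"},
    {"ts": datetime(2026, 2, 16), "actor": "Crimson Collective", "target": "telco-B", "kind": "leak-site-post"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Run against a real feed, the `per_actor` counts stay at one each while `per_alliance` shows the three alerts as one actor's campaign against the same target.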
The cumulative claim worth taking with some salt is the actor's self-reported scale. The Trinity of Chaos leak site claims approximately one-and-a-half billion records across seven-hundred-sixty companies, with detailed breakdowns including two-hundred-fifty-four million account records, five-hundred-seventy-nine million contact entries, and four-hundred-fifty-eight million case files. Resecurity treats the figures as actor self-claim, not as independently verified. The Salesforce-via-Salesloft-Drift vector is plausible at the order of magnitude — Salesforce instances do carry the account, contact, and case data that the breakdown describes. The precise figure is operator self-marketing. The defensible read is that the operator constellation has industrialized Salesforce-platform-pivot exfiltration at a scale that produces hundred-million-record breaches as routine output, not as exceptional events.
Today's headline is the receipt for that read. ShinyHunters added Charter to the Trinity of Chaos leak site this morning with a claim of four-point-nine million customer records. Charter is the second-largest US cable and internet provider. The claimed exfil scope and the methodology pattern are consistent with the prior Trinity of Chaos victim profile. The follow-on prediction is that telecom-vertical victims will continue surfacing on the leak site over the next ninety days, because the LAPSUS$ pipeline has historically been productive against telecom help-desks. Watch for Verizon, T-Mobile, AT&T, and Comcast-subsidiary postings on the same cadence. The defender posture is to audit help-desk-outsourcer permission scope, especially for vendors with US-located English-native callers but managed-services-style administrative reach into core systems.
The Salesloft Drift AI chat integration is the primary access methodology worth flagging by name. Every Salesforce customer who has installed the Salesloft Drift connector should treat the integration as a watch surface. Audit the integration's permission scope. Audit the recency of its token rotation. Audit any out-of-band integration tokens issued to Salesloft Drift contractors. The Trinity of Chaos pivots into Salesforce-via-Salesloft are reproducible enough that the connector is the dominant primary-access primitive in the alliance's 2026 work.
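The three audit items above (permission scope, token rotation recency, out-of-band tokens issued to contractors) can be run as one pass over an export of the org's integration tokens. This is an added example, not Salesforce's or Salesloft's tooling: the record fields (`id`, `app`, `scopes`, `issued`, `user_type`) are an assumed export layout, the 90-day rotation threshold is an assumed policy, and the records are constructed. The scope names `api` and `full` are real Salesforce OAuth scopes.

```python
from datetime import datetime, timedelta

# Scopes that grant broad API reach into the org; an assumed review threshold for rotation age.
BROAD_SCOPES = {"full", "api"}
ROTATION_MAX = timedelta(days=90)
SERVICE_ACCOUNT = "integration-service-account"   # assumed label for the connector's own identity

def audit_tokens(tokens, connector="Salesloft Drift", now=None):
    """Return findings for tokens belonging to the named connector, one entry per token
    that fails any of the three checks the post calls for."""
    now = now or datetime.utcnow()
    findings = []
    for t in tokens:
        if t["app"].lower() != connector.lower():
            continue                      # only the watch-surface connector is in scope here
        issues = []
        broad = BROAD_SCOPES & set(t["scopes"])
        if broad:
            issues.append("broad-scope:" + ",".join(sorted(broad)))
        age = now - t["issued"]
        if age > ROTATION_MAX:
            issues.append(f"stale:{age.days}d")
        if t["user_type"] != SERVICE_ACCOUNT:
            issues.append(f"out-of-band:{t['user_type']}")   # token held by a person, not the connector
        if issues:
            findings.append({"token_id": t["id"], "issues": issues})
    return findings

# Constructed token export (not real data): three connector tokens plus one unrelated app.
SAMPLE_TOKENS = [
    {"id": "tok-1", "app": "Salesloft Drift", "scopes": ["api", "refresh_token"],
     "issued": datetime(2025, 10, 1), "user_type": SERVICE_ACCOUNT},
    {"id": "tok-2", "app": "Salesloft Drift", "scopes": ["web", "id"],
     "issued": datetime(2026, 2, 10), "user_type": "contractor"},
    {"id": "tok-3", "app": "Other App", "scopes": ["full"],
     "issued": datetime(2025, 1, 1), "user_type": "contractor"},
    {"id": "tok-4", "app": "Salesloft Drift", "scopes": ["refresh_token"],
     "issued": datetime(2026, 1, 15), "user_type": SERVICE_ACCOUNT},
]

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, now=datetime(2026, 3, 1)):
        print(f)
```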
Adjacent to Trinity of Chaos in our corpus is the Crimson Collective adversary profile we shipped yesterday — an aggressive cyber-extortion crew that emerged in Q1 2026 and claimed a Brightspeed breach with over a million customer records. Crimson Collective's tradecraft hypothesis is that its SaaS-platform-pivot work overlaps with ShinyHunters' but the operator infrastructure has not yet been directly correlated. The vertical preference differs — Canvas was education, DentaQuest was dental insurance, Brightspeed is telecom, Charter is telecom. The Trinity of Chaos confirmation today raises the question of whether Crimson Collective is a fourth cell inside the alliance or a separate but adjacent crew. We do not have the cross-correlation receipt to answer the question yet. We are watching for it.
The Coinbase Cartel, Trinity of Chaos, and the Resecurity-named alliance are three names for one thing. The three-name convergence is the receipt that says the frame is at the correct altitude. The defender takeaway is to treat the alliance as the unit of analysis, audit the help-desk-outsourcer matrix, audit the Salesloft Drift Salesforce integration if installed, and prepare for the next telecom-vertical post on the leak site. Charter today, somebody else this week, somebody else the week after. The alliance is industrialized at the rate it produces output, and the output rate is currently one major-vertical leak per several days.
We are going to keep calling it the Coinbase Cartel internally because the payment-routing-derived name still reflects the alliance's dominant OPSEC signal. Externally the actor brand is Trinity of Chaos. Both names refer to the same crew. Adjust your threat-intel taxonomy accordingly.