Lead Analysis
Security & Risk · 3 min read

Grafana Refuses Ransom Payment After Source Code Downloaded by Extortion Group

Monitoring screen displaying dashboards and metrics. Photo by Stephen Dawson on Unsplash.

Grafana Labs confirmed on 17 May that a third party obtained an access token for the company's corporate GitHub and downloaded part of the source code. The company refused the ransom demand from the CoinbaseCartel group, citing guidance from the FBI to justify its stance.



Grafana Labs confirmed on 17 May that an unauthorised third party obtained a token with access to the company's corporate GitHub environment and downloaded part of the source code. Following the exfiltration, the attacker demanded payment under the threat of publishing the repositories, which Grafana declined.


In a statement on X, the company asserted that "no customer data or personal information was accessed during this incident, and we found no evidence of impact on customer systems or operations." To justify its refusal, Grafana cited guidance from the FBI indicating that "there is no guarantee this will help affected companies recover their data" and that paying "encourages criminals to target more victims."


Responsibility was claimed by CoinbaseCartel, an extortion group that emerged in September 2025 and has since appeared in the records of the Hackmanac and Ransomware.live tracking platforms. Its modus operandi does not involve traditional ransomware-style encryption; it relies on data theft followed by blackmail.


What is at Stake When Code Leaks


Private repositories rarely contain crown jewels in themselves: Grafana's market value lies in its ecosystem, integrations, and cloud operations, not in secret algorithms. Exposed source code does, however, become a roadmap for hunting vulnerabilities, forgotten secrets (API keys, tokens, service credentials), and CI/CD pipelines open to malicious dependency injection. Security teams that rely on Grafana for observability must monitor for the disclosure of any sensitive artefacts and review the credentials shared with integrated environments.
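Since forgotten secrets are the first thing a reader of leaked code goes looking for, the defensive counterpart is to run that same search yourself, before code is published and again after any suspected exposure, and to treat every hit as a credential to rotate. The following is an added example, not code from Grafana Labs or from the article: a minimal secret scanner in Python run over a constructed sample repository. It flags two well-known token shapes (GitHub classic personal access tokens, which start with `ghp_` and are 40 characters long, and AWS access key IDs, which start with `AKIA` and are 20 characters long) and adds a generic rule for key-like variable names assigned a long, high-entropy value. The file paths and credential strings are constructed for the example and match only the shape of real tokens.

```python
"""Minimal secret scanner for repository content (added example, not the
article's or Grafana's code). Sample files and credentials are constructed."""
import math
import re
from typing import Dict, List, Tuple

# Constructed sample repository: path -> file content. None of these values
# are real credentials; they only reproduce the documented token formats.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/ci.env": (
        "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n"
        "AWS_ACCESS_KEY_ID=AKIAZZZZEXAMPLE12345\n"
    ),
    "src/config.py": (
        "DEBUG = False\n"
        "api_key = 'x9Q2mP7vL4kR8nT1wY6sB3dF0hJ5gC2zV8aE'\n"
        "label = 'development'\n"
    ),
    "README.md": "Run `make test` before opening a pull request.\n",
}

# Format-specific rules: publicly documented token prefixes and lengths.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]

# Generic rule: a key/secret/token/password-like name assigned a value of
# 20+ characters. The value is then checked for high entropy so that
# ordinary strings ("development") do not trigger it.
GENERIC = re.compile(
    r"(?i)\b([a-z_]*(?:key|secret|token|password)[a-z_]*)\s*[:=]\s*"
    r"['\"]?([A-Za-z0-9+/=_\-]{20,})['\"]?"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; random tokens sit well above


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for empty/uniform)."""
    if not value:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(secret: str) -> str:
    """Keep a recognisable prefix/suffix and mask the middle for reports."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per suspected secret in `text`."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        specific_hit = False
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "secret": redact(m.group(0))})
                specific_hit = True
        if specific_hit:
            continue  # do not double-report the same token under the generic rule
        m = GENERIC.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append({"path": path, "line": lineno,
                             "rule": "high_entropy_assignment",
                             "variable": m.group(1), "secret": redact(m.group(2))})
    return findings


def scan_repo(repo: Dict[str, str]) -> List[Dict[str, object]]:
    """Scan every file of an in-memory repository."""
    findings: List[Dict[str, object]] = []
    for path, text in repo.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per rule: the rotation list starts from this."""
    summary: Dict[str, int] = {}
    for f in findings:
        summary[str(f["rule"])] = summary.get(str(f["rule"]), 0) + 1
    return summary


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['secret']}")
    print(summarize(scan_repo(SAMPLE_REPO)))
```

The two specific rules are cheap and precise; the entropy rule catches secrets with no fixed prefix at the cost of occasional false positives, which is why the generic match is only reported when the value also looks random. In practice a team would run this over the full history of each exposed repository, not just the current tree, since a token removed in a later commit is still recoverable from the clone the attacker downloaded.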


The public decision not to pay is part of an increasingly visible stance within the sector: five years ago, this would have been handled quietly; by 2026, it is an official statement.
