Grafana Refuses to Pay Ransom for Stolen Code
Attackers leaked GitHub repositories, but customer data remains unaffected. The company decided not to give in to blackmailers and is preparing to publish details of the breach.
'We Don't Need You': How Grafana Snubbed Hackers and Turned a Breach into a Lesson for the Entire Industry
On May 15, the cyber group Coinbase Cartel posted Grafana Labs on its leak site with a taunting note: 'We can cause you more harm than you can imagine.' On May 17, Grafana responded. Not with money. With a short thread on X that ended with the phrase: 'We determined that the right path is not to pay the ransom.'
No negotiations. No crisis consultants with Bitcoin briefcases. The company, whose data visualization software runs in data centers of half the Fortune 500, simply refused to play by the extortionists' rules. And, based on the first details of the investigation, they had rock-solid reasons for doing so.
How a Token Worth Zero Dollars Opened the Gates to the Kingdom
The attack was neither sophisticated nor elegant. The attackers didn't breach the perimeter with multi-step phishing or exploit zero-days. They obtained an access token to Grafana Labs' GitHub environment—and that was enough to download the entire codebase.
The root of the problem lies in a specific technical error. One of the repositories had a GitHub Action enabled with a 'Pwn Request' type vulnerability—a classic misconfiguration on the pull_request_target event. This trigger allowed external contributors submitting pull requests to access production secrets during CI/CD runs. The attacker forked the repository, injected malicious code via curl, exfiltrated environment variables into an encrypted file, and instantly deleted the fork to cover their tracks. They then repeated the attack on four more private repositories.
The intrusion was detected thanks to canary tokens—Grafana had placed thousands of such traps across its infrastructure, and one of them triggered, immediately alerting the global security team. From that moment, a race began: the company simultaneously conducted forensic analysis, revoked compromised credentials, and disabled vulnerable workflows.
Investigation result: customer data untouched, personal information unaffected, impact on user systems and operations zero. The attackers only got to the code.
Why Coinbase Cartel Is Not Just Hackers, But an Alliance of Legends
The name Coinbase Cartel sounds almost comical. But behind it stands a group that analysts link to three names that strike fear into CISOs worldwide: ShinyHunters, Scattered Spider, and Lapsus$. These teams have been coordinating actions since at least mid-2025, and according to some data, have been cooperating since 2024.
Coinbase Cartel's tactics differ from classic ransomware gangs. They don't encrypt files or paralyze infrastructure. They steal sensitive data, demand a ransom for non-disclosure, and methodically destroy the reputation of those who refuse to pay. At the time of the Grafana attack, their leak site listed 105 victims. Among them: Instructure (creator of Canvas LMS), Vimeo, Wynn Resorts, Vercel, and Medtronic.
The contrast between victim behavior is a drama in itself. Instructure, whose educational software serves 275 million students and teachers, paid the extortionists last week. Grafana did not. The difference is that Instructure had user data leaked, while Grafana had 'only' source code. When the privacy of a quarter of a billion people is at stake, the arithmetic of reputational risk changes dramatically.
Open Source, Closed Source, and Code for Which Bitcoin Is Demanded
This raises a question that The Register posed with characteristic sarcasm: 'If the attackers downloaded code that is mostly open source anyway, why pay for it?' Grafana is an open-source product. A huge part of its codebase is publicly available on GitHub.
But the devil is in the details. Grafana Labs confirmed that the attackers gained access to private repositories. Those could contain anything: internal tools, undocumented endpoints, authentication logic, configuration scripts for enterprise clients. Security researchers have already pointed out that such a code leak shifts the risk from the 'privacy' plane to the 'roadmap for future attacks' plane—attackers can study the source code for months, looking for patterns to enable deeper penetration.
Grafana understands this. But the calculation is simple: pay, and you fund the extortion ecosystem without any guarantee that the data won't leak in a week. Don't pay, and the code is already in the attackers' hands, but further leaks won't bring them a cent. The company quoted the FBI's position almost verbatim: paying only creates an incentive for further crimes.
The Security Industry Gets a Free Masterclass
This incident reshapes several layers of the industry simultaneously. The open-source community wins: Grafana has promised to publish a detailed post-incident review after the investigation concludes. DevOps and DevSecOps engineers worldwide will get a real case study with attack vector, timeline, and response measures—not a synthetic training scenario, but real combat experience.
Companies that haven't yet checked their GitHub Actions for the pull_request_target vulnerability lose. Researchers call this attack surface 'massively underestimated' across the open-source ecosystem. Every public repository that merges PRs from external contributors without thorough workflow auditing now looks like a potential target.
Ransom negotiators also lose. The more companies publicly refuse to pay—and survive without catastrophic consequences—the weaker the extortionists' position at the bargaining table. Grafana set a precedent: you can lose code and continue operations without disruption if your security architecture initially separates user data from development tools.
What Will Change After May 17
Grafana has already revoked compromised tokens, disabled the vulnerable GitHub Action, and shut down all workflows in public repositories during the audit. In the coming weeks, the company will publish a final report. It will become one of the most read documents in the DevSecOps world—the level of interest is comparable to the SolarWinds breach analysis.
I expect three specific consequences. First: GitHub will tighten the default settings for pull_request_target or at least add more aggressive warnings in the interface. Too many companies are stepping on the same rake. Second: Coinbase Cartel will increase pressure. They have 105 victims in their portfolio, and Grafana's public refusal is a blow to their business model. Retaliation may follow, possibly in the form of leaking the stolen code on shadow forums. Third: CISOs worldwide are right now writing requests to their teams: 'Check if we have pull_request_target with access to secrets.' And that, perhaps, is the best possible outcome of the entire incident.
Grafana showed what a mature stance looks like: no panic, no denial, no suitcases of crypto. Just a cold technical analysis, token revocation, and real-time error correction. The hackers stole the code—but not control. And in a world where ransomware has become a multi-billion dollar industry, such a response is worth more than any ransom.
— Editorial Team