Panasonic Avionics — CoinbaseCartel extortion claim, unverified
CoinbaseCartel listed in-flight entertainment supplier Panasonic Avionics on its data-leak site claiming corporate data theft; the company has not publicly confirmed an intrusion.
- Target
- Panasonic Avionics — CoinbaseCartel extortion claim, unverified
- Date public
- 22 May 2026
- Sector
- Transport
- Attack type
- Data Breach
- Threat actor
- CoinbaseCartel
- Severity
- Medium
- Region
- Global (US-headquartered, Lake Forest, CA; subsidiary of Panasonic Holdings)
On 22 May 2026 the data-extortion crew CoinbaseCartel added an entry for Panasonic Avionics Corporation to its public leak site, naming the panasonic.aero domain and claiming theft of corporate data. As at the time of writing the listing is the only public source of the claim. Panasonic Avionics has not issued a statement, no Form 8-K or equivalent regulatory filing has been made by parent Panasonic Holdings, and no reputable security outlet — BleepingComputer, The Register, SecurityWeek, The Record, The Hacker News, CyberScoop — has independently reported the intrusion. Aggregator and AI-summariser sites have repeatedly conflated this claim with the December 2023 corporate-network breach Panasonic Avionics confirmed eighteen months ago; the two events are unrelated.
This entry is filed in draft so the catalogue captures the claim without prematurely treating it as a confirmed breach. The stub will be promoted, rewritten or retired depending on what happens next.
CoinbaseCartel emerged in September 2025 and is assessed by Bitdefender and FortiGuard as an offshoot of the ShinyHunters, Scattered Spider and LAPSUS$ ecosystems. The group’s operational signature is distinct from a classic ransomware crew: there is no file-encrypting payload, no operational disruption, and no decryptor negotiation. The model is pure data theft followed by staged extortion — a small sample is released first to demonstrate access, and full publication follows if the victim refuses to pay. Public counts vary by tracker; Bitdefender reports 170 victims to date, FortiGuard and other trackers report between 118 and 130. The cluster’s most recent named victim before Panasonic Avionics was Grafana Labs on 16 May 2026, where Grafana publicly disclosed that an attacker had used a stolen GitHub token to download its codebase, refused to pay, and credited canary tokens for the detection.
The Panasonic Avionics claim is editorially interesting for two reasons even before corroboration lands. First, in-flight entertainment is an unusual target. Panasonic Avionics’ Astrova and eX platforms sit on the seatback of most long-haul wide-body aircraft, and the company’s corporate environment touches passenger-facing systems, airline operational data, supply-chain partner networks and a regulated aviation technology footprint that includes US ITAR controls. Second, the listing follows the Grafana incident closely enough to suggest CoinbaseCartel is now actively cycling named targets at the cadence ShinyHunters established through the Salesforce-CRM campaign earlier in the year.
There is at present no evidence that any data has actually been released, no public sample, no record-count claim from the actor, and no statement from Panasonic Avionics or Panasonic Holdings either confirming or denying the listing. Until one of those changes the responsible position is to record the claim and wait.
A deep-dive will follow if and when Panasonic Avionics confirms an intrusion, a primary outlet independently reports the technical access route, regulatory filings from Panasonic Holdings emerge in Japan or the United States, or CoinbaseCartel publishes a sample dataset that allows independent verification.