Skip to content
RansomwareUnknown

Engie: a cyberattack claimed by a ransomware group

In April 2026, the Coinbase Cartel extortion group listed French energy giant Engie on its dark web leak site, claiming to have stolen sensitive data and threatening to publish a full dump unless a ransom was paid; Engie did not publicly confirm the breach.

Victim
Engie

On 21 April 2026, Engie — the French multinational energy company active in electricity, natural gas and renewables — was named as a victim on the dark web leak site of the Coinbase Cartel extortion group. The actors claimed to have exfiltrated sensitive corporate data and warned that "the full dump of Engie will be leaked if no negotiations are initiated."

Coinbase Cartel is a financially motivated threat actor that emerged in September 2025. Unlike traditional ransomware operators, it does not encrypt victim systems: it relies purely on data theft, typically gaining access through stolen credentials, infostealer logs, social engineering and initial access brokers, then pressuring victims by threatening to publish stolen files on its leak site. By April 2026 the group had claimed more than 150 victims across multiple industries and regions, including energy and critical-infrastructure organisations.

The group provided no public proof of the intrusion and disclosed no specifics, so key details remain unconfirmed:

  • Records / scale: not disclosed
  • Data categories exposed: not specified ("sensitive data" only)
  • Attack vector: not detailed publicly

At the time of reporting, Engie had not publicly confirmed the breach, and no leaked sample had been published to substantiate the claim. As is common with this group, the listing functions primarily as extortion leverage ahead of any possible data publication. The status of the incident remains unknown pending official confirmation or the appearance of leaked data.

Sources

  1. cyberattaque.orghttps://www.cyberattaque.org/engie-une-cyberattaque-revendiquee-par-un-groupe-ransomware/
  2. dexpose.iohttps://www.dexpose.io/coinbasecartel-strikes-french-energy-giant-engie/
  3. businessinsights.bitdefender.comhttps://businessinsights.bitdefender.com/coinbase-cartel-ransomware-group-extortion-tactics

Related incidents

RansomwareContained

Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data — including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim
Schneider Electric — Sustainability Business division