Dark Web News Analysis
The hacking group identifying itself as the “Coinbase Cartel” has claimed a massive, coordinated cyberattack targeting the United Arab Emirates real estate sector. Following their alleged breach of Property Finder in November 2025, the group listed 10 additional major real estate brokerages as victims on December 9, 2025:
- Betterhomes
- One Broker Group
- Savills Middle East
- Hunt and Harris Real Estate
- Harbor Real Estate
- Dubai Sotheby’s International Realty
- Coldwell Banker UAE
- Elysian Real Estate
- Homes 4 Life Real Estate Broker LLC
- Arabian Escapes
Brinztech Analysis:
- Sector-Wide Campaign: This is not an isolated incident; it is a campaign. Striking 10 competitors simultaneously suggests the attackers may have exploited a shared vulnerability (e.g., a common CRM software used by UAE brokers, a shared third-party vendor, or a centralized listing portal integration).
- The Threat Actor: The name “Coinbase Cartel” likely alludes to their preferred method of monetization (crypto extortion) or the targeting of crypto-wealthy investors moving assets into Dubai property. Their persistence (Nov to Dec) indicates deep access or a successful, repeatable exploit chain.
- The Data: Real estate firms hold some of the most sensitive data in the region: Passport/Visa copies of investors, Tenancy Contracts (Ejari), Title Deeds, Bank Account details, and transaction logs worth millions of dirhams.
Key Cybersecurity Insights
This alleged campaign represents a critical threat to Dubai’s economic core and its residents:
- Payment Diversion Fraud (BEC): The most immediate danger is Business Email Compromise. Attackers with access to broker emails can intercept communications regarding property purchases.
- Scenario: A buyer is about to transfer a 10% deposit (e.g., AED 500k) for a villa. They receive an email from their “agent” (hacked account) with “updated” bank details. The funds are stolen instantly.
- HNWI Exposure: Dubai is a hub for High-Net-Worth Individuals. A breach of Sotheby’s or Savills exposes the private financial dealings, home addresses, and asset portfolios of global elites, politicians, and celebrities, creating physical security and extortion risks.
- Supply Chain / CRM Risk: The fact that 10 distinct companies were listed on the same day strongly implies a Supply Chain Attack. It is possible a widely used PropTech platform or lead management tool in the UAE was compromised, granting the “Coinbase Cartel” downstream access to all these agencies.
- Identity Theft: The regulatory requirement to store passport and Emirates ID copies for every tenant and buyer means these databases are goldmines for identity thieves.
Mitigation Strategies
In response to this sector-wide alert, real estate firms and their clients in the UAE must act immediately:
- Payment Verification (The “Voice Rule”): Clients buying or renting property must never wire funds based solely on email instructions. Always verify the bank account details via a phone call to the agency’s landline or a physical visit to the office.
- Vendor Audit: The IT teams of the affected companies must urgently collaborate to identify common software vendors (e.g., PropSpace, Masterkey, Salesforce integrations). If a common link is found, that connection must be severed immediately.
- Client Notification: Agencies must proactively warn clients: “We are aware of cyber threats targeting our sector. Please be vigilant against phishing emails pretending to be our agents.”
- Credential Rotation: Force a mandatory password reset for all staff email and CRM accounts. Enable MFA immediately if it is not already active.
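A screening check that supports the “Voice Rule” above, as an added example that is not part of the original post or any Brinztech tooling: it extracts UAE IBANs from a payment instruction, validates the mod-97 checksum, and holds any account not already confirmed out of band. The function names, the verified-account set and the sample messages are constructed for illustration.

```python
import re

# UAE IBAN layout: "AE" + 2 check digits + 19-digit BBAN (23 characters).
IBAN_RE = re.compile(r"\bAE\d{2}(?:[ -]?\d){19}\b")

def iban_is_valid(iban):
    """ISO 13616 mod-97 check: rotate first 4 chars to the end, A=10..Z=35."""
    rotated = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rotated)) % 97 == 1

def extract_ibans(text):
    """Find UAE IBANs in free text, tolerating spaces or dashes between digits."""
    return [re.sub(r"[ -]", "", m.group()) for m in IBAN_RE.finditer(text.upper())]

def review_message(body, verified_ibans):
    """Return (iban, verdict) for each IBAN found in a payment instruction."""
    findings = []
    for iban in extract_ibans(body):
        if not iban_is_valid(iban):
            verdict = "INVALID_CHECKSUM"
        elif iban in verified_ibans:
            verdict = "MATCHES_VERIFIED"
        else:
            verdict = "HOLD_VERIFY_BY_PHONE"
        findings.append((iban, verdict))
    return findings

# Assumption: accounts confirmed out of band (landline call or office visit).
VERIFIED = {"AE070331234567890123456"}

# Constructed sample messages; the IBANs are test values, not real accounts.
SAMPLES = {
    "original": "Deposit account: AE07 0331 2345 6789 0123 456",
    "updated": "Please use our updated bank details: ae98-0260-0012-3456-7890-123.",
    "typo": "IBAN AE070331234567890123457",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, review_message(body, VERIFIED))
```

In the scenario above the email comes from the agent’s real, compromised mailbox, so sender authentication passes; the account number that differs from the verified one is the signal that triggers the phone call.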
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com