Ransomware victim disclosure

Dubai Airport

Claimed by NASIR · listed 3 days ago

Age: 3d since listed · data leaked

Status timeline

  1. Listed: Jun 10, 2026
  2. Data leaked: date unknown

At a glance

Group: NASIR
Status: Data leaked
Listed on leak site: Jun 10, 2026

About the victim

AI dossier — public-source company profile

Dubai Airport is the primary international airport serving Dubai, United Arab Emirates. It is one of the world's busiest airports by international passenger traffic and a major hub for regional and global aviation operations.

Industry: Transportation & Aviation

Attack summary

Severity: medium — Critical infrastructure (major international airport) targeted with claimed access, but no proof files, no specific data inventory, no confirmed exfiltration or operational impact stated. The vague claim and lack of evidence prevent a higher classification, but targeting airport systems warrants medium severity.

The NASIR group claims to have obtained unspecified capability or access to Dubai Airport systems. No specific data exfiltration, encryption, or operational disruption is detailed in the leak post.

What the group claims

Dubai Airport data leaked. Group claims to have obtained capability.

The leak post

captured from the group's site
The Biggest Israel's national Holocaust museum Not safe at all...
### [Kuwait Ministry Of Interior Hacked!](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/kuwait-ministry-interior.html)
No US Allies is Protected Anymore....
### [Dubai Airport - Data Leaked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/dubai-airport.html)
We have succeeded in obtaining the capability .... And from God comes success. 
### [UAE Customs (Federal Customs Authority) - ACCESS GRANTED !](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/uae-customs.html)
Peace be upon the Resistance and its martyrs. .... God is Great.
### [Al-Safi Oil Company (PURE IN) Hacked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/pure-in.html)
We are the sons of the Al-Nasir Resistance .... We are avengers against the wrongdoers.

Sources

Indexed 3 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Disclosure context

About NASIR

NASIR is an emerging ransomware group first observed in June 2026 with an apparent financial motivation, having claimed responsibility for attacks against at least seven known victims across the Middle East region. The group's targeting pattern strongly suggests a geopolitical or regional focus, with victim organizations concentrated in the United Arab Emirates, Israel, Saudi Arabia, and Kuwait, spanning high-value sectors including government, energy and oil, transportation, aviation, and cultural and memorial institutions. Given the limited open-source intelligence currently available on NASIR, its country of origin, affiliation with known threat actor ecosystems, and whether it operates under a Ransomware-as-a-Service model or as an independent closed group have not been publicly confirmed by authoritative sources such as CISA, the FBI, or Mandiant as of this writing. The group's sector targeting — particularly government, energy infrastructure, and aviation — suggests a deliberate focus on critical national infrastructure across Gulf Cooperation Council states and Israel, which may indicate either a financially motivated actor seeking high-value targets capable of large ransom payments, or an actor with ideological or geopolitical objectives. No specific tools, encryption methods, or extortion tactics employed by NASIR have been publicly documented or attributed by reputable security researchers at this time, and no major law enforcement actions against the group have been publicly reported. NASIR should be considered an emerging and closely monitored threat given its critical infrastructure targeting pattern, with the expectation that additional technical attribution and campaign details will surface as the group's operational tempo develops.

The group has been linked to 8 public disclosures across our corpus. First observed on a leak site on June 10, 2026; most recent post June 11, 2026. The operation is currently active.

Timeline of this disclosure

  • June 10, 2026: Dubai Airport listed by NASIR on the group's public leak site

Sector and geography

This disclosure adds to ransomware activity in the Transportation sector, which has 17 disclosures indexed across all operators we track. Geographically, Dubai Airport is reported in the United Arab Emirates.

If your organisation is affected

A listing by NASIR means Dubai Airport appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

  • Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
  • Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
  • Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
  • Monitor for the data appearing on NASIR's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.