Was Israel's National Holocaust Museum hit by ransomware?

Israel's National Holocaust Museum was listed by the NASIR ransomware operation (Israel) as a victim being extorted; data had not been published at the time of listing. Darkfield tracks this disclosure with the original leak post, screenshot and group context.

Who is the NASIR ransomware group?

NASIR is a ransomware operator tracked by Darkfield. See the full operator dossier for its known victims, sectors targeted, IOCs and leak-site infrastructure.

Ransomware victim disclosure

← All victims

Yad Vashem – The World Holocaust Remembrance Center

listed as Israel's National Holocaust Museum · Claimed by NASIR · listed 7 days ago

Age

since listed · listed for ransom

Status timeline

ListedJun 10, 2026

Current state: Listed for ransom

At a glance

Group: NASIR
Status: Listed for ransom
Country: Israel
Sector: Cultural/Memorial
Listed on leak site: Jun 10, 2026

About the victim

AI dossier — public-source company profile

Yad Vashem is Israel's official Holocaust memorial and research institution, located in Jerusalem. It serves as a museum, archive, and educational center dedicated to documenting and preserving the history of the Holocaust and honoring its victims and survivors.

Industry: Cultural Heritage & Memorial Museum
Address: Har Hazikaron (Mount of Remembrance), Jerusalem, Israel
Founded: 1953

Attack summary

Severity: medium — The victim is a high-profile cultural institution, but the post provides no technical proof, data inventory, or evidence of actual exfiltration. The claim is unsubstantiated and appears to be part of a political/ideological messaging campaign rather than a demonstrated breach.

The NASIR group claims to have breached Israel's National Holocaust Museum (Yad Vashem) without specifying the attack method or data exfiltrated. The leak post does not detail what systems were compromised or what data is at stake.

medium

What the group claims

The Biggest Israel's national Holocaust museum described as not safe.

The leak post

captured from the group's site

The Biggest Israel's national Holocaust museum Not safe at all...
### [Kuwait Ministry Of Interior Hacked!](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/kuwait-ministry-interior.html)
No US Allies is Protected Anymore....
### [Dubai Airport - Data Leaked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/dubai-airport.html)
We have succeeded in obtaining the capability .... And from God comes success. 
### [UAE Customs (Federal Customs Authority) - ACCESS GRANTED !](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/uae-customs.html)
Peace be upon the Resistance and its martyrs. .... God is Great.
### [Al-Safi Oil Company (PURE IN) Hacked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/pure-in.html)
We are the sons of the Al-Nasir Resistance .... We are avengers against the wrongdoers.

Screenshot of the leak post

Leak screenshot for Israel's National Holocaust Museum

Sources

Leak posthttp://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion

Source

Indexed 7 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About NASIR

NASIR is an emerging ransomware group first observed in June 2026 with a apparent financial motivation, having claimed responsibility for attacks against at least seven known victims across the Middle East region. The group's targeting pattern strongly suggests a geopolitical or regional focus, with victim organizations concentrated in the United Arab Emirates, Israel, Saudi Arabia, and Kuwait, spanning high-value sectors including government, energy and oil, transportation, aviation, and cultural and memorial institutions. Given the limited open-source intelligence currently available on NASIR, its country of origin, affiliation with known threat actor ecosystems, and whether it operates under a Ransomware-as-a-Service model or as an independent closed group have not been publicly confirmed by authoritative sources such as CISA, the FBI, or Mandiant as of this writing. The group's sector targeting — particularly government, energy infrastructure, and aviation — suggests a deliberate focus on critical national infrastructure across Gulf Cooperation Council states and Israel, which may indicate either a financially motivated actor seeking high-value targets capable of large ransom payments, or an actor with ideological or geopolitical objectives. No specific tools, encryption methods, or extortion tactics employed by NASIR have been publicly documented or attributed by reputable security researchers at this time, and no major law enforcement actions against the group have been publicly reported. NASIR should be considered an emerging and closely monitored threat given its critical infrastructure targeting pattern, with the expectation that additional technical attribution and campaign details will surface as the group's operational tempo develops. The group has been linked to 8 public disclosures across our corpus. First observed on a leak site on June 10, 2026; most recent post June 11, 2026. The operation is currently active.

Timeline of this disclosure

June 10, 2026Israel's National Holocaust Museum listed by NASIRon the group's public leak site

Other recent disclosures by NASIR

NASIR has been linked to 8 public victims on Darkfield. A sample of the most recent:

See the full NASIR dossier →

Sector and geography

This disclosure adds to ransomware activity in the Cultural/Memorial sector. Geographically, Israel's National Holocaust Museum is reported in Israel, a country with 156 ransomware disclosures in our corpus.

If your organisation is affected

A listing by NASIR means Israel's National Holocaust Museum appeared on a ransomware extortion site and is being pressured to pay before any publication. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
Report the incident to your national CERT, CERT-IL (Israel), as required for your jurisdiction.
Monitor for the data appearing on NASIR's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.