Was UAE Customs (Federal Customs Authority) hit by ransomware?

UAE Customs (Federal Customs Authority) was listed by the NASIR ransomware operation (United Arab Emirates) as a victim being extorted; data had not been published at the time of listing. Darkfield tracks this disclosure with the original leak post, screenshot and group context.

Who is the NASIR ransomware group?

NASIR is a ransomware operator tracked by Darkfield. See the full operator dossier for its known victims, sectors targeted, IOCs and leak-site infrastructure.

Ransomware victim disclosure

← All victims

UAE Customs (Federal Customs Authority)

Claimed by NASIR · listed 7 days ago

Age

since listed · listed for ransom

Status timeline

ListedJun 10, 2026

Current state: Listed for ransom

At a glance

Group: NASIR
Status: Listed for ransom
Country: United Arab Emirates
Sector: Government
Listed on leak site: Jun 10, 2026

About the victim

AI dossier — public-source company profile

UAE Customs (Federal Customs Authority) is the United Arab Emirates' national customs and border control agency, responsible for regulatory enforcement and trade facilitation at UAE ports and borders.

Industry: Government—Customs & Border Control

Attack summary

Severity: high — Compromise of a national government customs authority represents operational risk to critical infrastructure and potential exposure of sensitive border-control, trade, and traveller data, even though no specific proof or data inventory is published.

The NASIR group claims to have gained access to UAE Customs systems. No specific data exfiltration or encryption is detailed in the post; the claim is limited to 'ACCESS GRANTED'.

high

What the group claims

UAE Federal Customs Authority access granted by the group.

The leak post

captured from the group's site

The Biggest Israel's national Holocaust museum Not safe at all...
### [Kuwait Ministry Of Interior Hacked!](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/kuwait-ministry-interior.html)
No US Allies is Protected Anymore....
### [Dubai Airport - Data Leaked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/dubai-airport.html)
We have succeeded in obtaining the capability .... And from God comes success. 
### [UAE Customs (Federal Customs Authority) - ACCESS GRANTED !](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/uae-customs.html)
Peace be upon the Resistance and its martyrs. .... God is Great.
### [Al-Safi Oil Company (PURE IN) Hacked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/pure-in.html)
We are the sons of the Al-Nasir Resistance .... We are avengers against the wrongdoers.

Screenshot of the leak post

Leak screenshot for UAE Customs (Federal Customs Authority)

Sources

Source

Indexed 7 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About NASIR

NASIR is an emerging ransomware group first observed in June 2026 with a apparent financial motivation, having claimed responsibility for attacks against at least seven known victims across the Middle East region. The group's targeting pattern strongly suggests a geopolitical or regional focus, with victim organizations concentrated in the United Arab Emirates, Israel, Saudi Arabia, and Kuwait, spanning high-value sectors including government, energy and oil, transportation, aviation, and cultural and memorial institutions. Given the limited open-source intelligence currently available on NASIR, its country of origin, affiliation with known threat actor ecosystems, and whether it operates under a Ransomware-as-a-Service model or as an independent closed group have not been publicly confirmed by authoritative sources such as CISA, the FBI, or Mandiant as of this writing. The group's sector targeting — particularly government, energy infrastructure, and aviation — suggests a deliberate focus on critical national infrastructure across Gulf Cooperation Council states and Israel, which may indicate either a financially motivated actor seeking high-value targets capable of large ransom payments, or an actor with ideological or geopolitical objectives. No specific tools, encryption methods, or extortion tactics employed by NASIR have been publicly documented or attributed by reputable security researchers at this time, and no major law enforcement actions against the group have been publicly reported. NASIR should be considered an emerging and closely monitored threat given its critical infrastructure targeting pattern, with the expectation that additional technical attribution and campaign details will surface as the group's operational tempo develops. The group has been linked to 8 public disclosures across our corpus. First observed on a leak site on June 10, 2026; most recent post June 11, 2026. The operation is currently active.

Timeline of this disclosure

June 10, 2026UAE Customs (Federal Customs Authority) listed by NASIRon the group's public leak site

Other recent disclosures by NASIR

NASIR has been linked to 8 public victims on Darkfield. A sample of the most recent:

See the full NASIR dossier →

Sector and geography

This disclosure adds to ransomware activity in the Government sector, which has 685 disclosures indexed across all operators we track. Geographically, UAE Customs (Federal Customs Authority) is reported in United Arab Emirates, a country with 9 ransomware disclosures in our corpus.

If your organisation is affected

A listing by NASIR means UAE Customs (Federal Customs Authority) appeared on a ransomware extortion site and is being pressured to pay before any publication. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
Report the incident to your national CERT, aeCERT (United Arab Emirates), as required for your jurisdiction.
Monitor for the data appearing on NASIR's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.