Pro-Ukraine Bearlyfy Deploys Custom GenieLocker Ransomware Against Russia, LeakBase Admin Arrested, EU Parliament Kills CSAM Scanning
Pro-Ukraine hacker group Bearlyfy evolves from script-kiddie origins to deploying custom GenieLocker ransomware against major Russian enterprises. Russia arrests the alleged administrator of the LeakBase cybercrime forum weeks after a global takedown. The European Parliament votes down CSAM scanning extension in a landmark privacy decision. The Dutch Finance Ministry investigates unauthorized access to internal systems. Spain's Port of Vigo is forced to manual operations after ransomware strikes cargo systems.
1. Bearlyfy Deploys Custom GenieLocker Ransomware — 70+ Attacks on Russian Companies
⚠ CRITICAL — Escalating Hacktivist Ransomware Campaign
Pro-Ukrainian hacker group Bearlyfy has carried out over 70 cyberattacks on Russian companies in one year, with ransom demands escalating from thousands to hundreds of thousands of dollars. The group now deploys custom-built ransomware called GenieLocker.
A pro-Ukrainian hacking group known as Bearlyfy has transformed from a low-skill operation targeting small Russian businesses into what Russian cybersecurity firm F6 calls "a real nightmare for large Russian businesses." First appearing in January 2025, the group has carried out more than 70 cyberattacks against Russian targets in just over a year.
Custom Malware Development
Since early March 2026, Bearlyfy has deployed GenieLocker, a custom-built Windows ransomware strain believed to be developed entirely by the group itself. This marks a significant evolution from their earlier reliance on leaked tools like LockBit 3 Black (from the 2022 LockBit builder leak) and modified Babuk ransomware for Linux targets.
Unlike typical ransomware operations, GenieLocker doesn't always auto-generate ransom notes. Attackers sometimes craft messages manually — ranging from terse instructions with contact details to mocking taunts directed at victims.
Operational Profile
- 70+ attacks in approximately 14 months of operation
- Ransom demands escalated from a few thousand dollars to hundreds of thousands
- Approximately 1 in 5 victims pay the ransom
- Goals are both financial and political — maximizing damage to Russian enterprises
- Collaboration observed with Head Mare and other pro-Ukrainian groups
- Western researchers have limited visibility due to lack of access to Russian networks
Strategic Context
Bearlyfy represents a growing trend of politically motivated ransomware operations emerging from the Russia-Ukraine conflict. The group's rapid evolution — from amateur script-kiddie operations to custom malware development in just one year — demonstrates how wartime conditions accelerate threat actor maturation.
2. Russia Arrests Alleged LeakBase Cybercrime Forum Administrator
🔶 HIGH — Major Cybercrime Forum Takedown
Russian police have detained a suspected administrator of LeakBase, a major marketplace for stolen data with 147,000+ registered users, weeks after a coordinated FBI-European takedown operation.
Russia's Interior Ministry announced the arrest of a Taganrog resident suspected of running LeakBase, one of the largest online marketplaces for stolen personal data. The forum hosted hundreds of millions of compromised user records including banking information, login credentials, and corporate documents.
Timeline and Coordination
The arrest follows a coordinated international operation earlier this month in which the FBI and European partners conducted more than 100 law enforcement actions against 45 individuals across more than a dozen countries. Several LeakBase domains were seized and redirected to FBI-controlled servers.
Key Details
- 147,000+ registered users on the subscription-based platform
- Active since 2021 as a marketplace for compromised credentials and PII
- Premium access cost hundreds of dollars
- Internal rules prohibited sale of Russian data — despite being hosted by a Russian admin
- Infrastructure seized in the Netherlands and Malaysia during the earlier takedown
- Police seized computer equipment from the suspect's residence and garage
Significance
The arrest is notable because Russia rarely cooperates with Western cybercrime investigations — Europol suspended cooperation after the 2022 invasion of Ukraine. Whether Russian authorities coordinated with Western law enforcement or acted independently remains unclear. The forum's rule banning Russian data sales suggests the admin may have believed this would provide domestic protection — a calculation that proved wrong.
3. EU Parliament Rejects CSAM Scanning Extension — Landmark Privacy Decision
📡 Policy & Regulation — EU Digital Rights
The European Parliament voted 311 against extending rules that have allowed tech companies to scan their platforms for child sexual abuse material (CSAM) for nearly two decades. The current law, which exempts platforms from strict EU privacy rules to enable scanning, expires next week.
Privacy vs. Child Protection
The vote came despite intense lobbying from law enforcement (Europol), children's rights organizations, German Chancellor Friedrich Merz, several European commissioners, and major tech companies including Google, Snapchat, Microsoft, TikTok, and Meta.
Digital rights group eDRI's Ella Jakubowska defended the vote: "This is actually just enabling big tech companies to scan all of our private messages, our most intimate details. It's not targeted against people suspected of child abuse — it's just targeting everyone, potentially all of the time."
Operational Impact
- Europol processed ~1.1 million CyberTips last year from CSAM scanning
- Europol's Catherine De Bolle warned of a "serious reduction" in investigative leads
- Tech companies will lose legal clarity for voluntary CSAM detection in EU services
- Jakubowska cited false accusation cases from imperfect scanning tools
- Parliament has been negotiating a permanent framework since November 2023 without agreement
What Happens Next
When the current rules lapse next Friday, tech platforms will no longer have legal cover to scan for CSAM in interpersonal communications within the EU. This creates a significant gap in child protection capabilities while Parliament continues negotiating a permanent framework that balances privacy with safety.
4. Dutch Finance Ministry Investigates Breach of Internal Systems
🔶 HIGH — Government Infrastructure Compromised
The Dutch Ministry of Finance has confirmed unauthorized access to internal systems, part of a wave of cyberattacks hitting Dutch organizations in 2026.
The Netherlands Ministry of Finance is investigating a cyberattack that compromised internal systems, discovered after a third-party alert flagged suspicious activity. Affected systems were identified and taken offline, but the scope of potential data exposure remains under investigation.
Context: Dutch Cyber Siege
The breach is the latest in a troubling pattern targeting Dutch institutions in 2026:
- Dutch Finance Ministry — unauthorized access to internal departmental systems (this incident)
- Dutch Custodial Institutions Agency — prison/detention staff data exposed in February
- Odido telecom breach — 6.2 million customer records stolen including names, bank accounts, passport and driver's license numbers
- Dutch police breach — officer data compromised (covered in earlier briefing)
Response Status
- Compromised systems isolated and access blocked
- Taxation and customs services remain operational
- Citizen-facing services unaffected
- No attribution or responsibility claims yet
- Investigation ongoing into entry vector and data exposure
5. Ransomware Forces Spain's Port of Vigo to Manual Operations
⚠ CRITICAL — Maritime Critical Infrastructure Attack
A ransomware attack has knocked digital cargo management systems offline at Spain's Port of Vigo, forcing manual operations at one of Europe's largest fishing ports.
A ransomware attack detected early Tuesday has disrupted digital systems at Spain's Port of Vigo, one of Europe's major fishing and cargo ports in the Galicia region. The attack targeted servers managing cargo traffic and digital services, locking equipment and demanding a ransom payment.
Operational Impact
While physical operations — ship movements and cargo handling — continue, all logistics coordination normally managed through digital platforms has been disrupted. Operators have been instructed to fall back on manual procedures and paper documentation.
Port president Carlos Botana took a firm stance: "We will not restore connections until there are absolute guarantees that there is no possibility of another attack." No timeline for restoration has been provided.
Maritime Sector Under Siege
The attack continues a pattern of ransomware targeting maritime critical infrastructure:
- Port of Nagoya, Japan (2023) — LockBit attack suspended operations
- Ports in Belgium, Netherlands, Germany — targeted in oil/chemical sector attacks
- Port of Lisbon, Portugal — LockBit claimed responsibility
- Port of Houston, USA — state-sponsored attack via Zoho zero-day
- Multiple shipping technology companies disrupted in recent years
Defensive Guidance for Maritime Organizations
- Ensure offline backup and manual fallback procedures for cargo management
- Segment OT/IT networks at port facilities
- Implement robust monitoring at network perimeters
- Maintain incident response plans with offline communication channels
Threat Landscape Summary
| Threat | Severity | Action Required |
|---|---|---|
| Bearlyfy GenieLocker ransomware | CRITICAL | Russian-facing orgs: heighten ransomware defenses |
| LeakBase admin arrested | POSITIVE | Check credential exposure via LeakBase datasets |
| EU CSAM scanning vote | POLICY | Tech platforms: review CSAM detection legal posture |
| Dutch Finance Ministry breach | HIGH | Dutch partners: verify no shared infrastructure exposure |
| Port of Vigo ransomware | CRITICAL | Maritime orgs: review OT/IT segmentation and fallbacks |
Stay Ahead of the Threat Curve
Daily intelligence briefings, real-world attack analysis, and actionable defensive guidance.
Explore KENSAI— KENSAI Security Intelligence · Published March 30, 2026