
Threat Actor Characterization

Belarusian Cyber Partisans


ID: 83b6ff72b362eeb77758e1c57bc897fd83163
Hacktivist Group Collective Data Leak Channel Defacement Crew Hacktivism
Threat types: Intrusion, Data Exfiltration, Data Leaks, DDoS Attack
Belarus BLR, RUS
Updated: 2026-01-19
Created: 2025-10-14
Progress: 76% Completeness: 79% Freshness: 70%
Operation zone: Belarus, Russia
Aliases: BCP, Belarusian Cyber-Partisans (2 of 4 aliases shown in the free preview)
MITRE ATT&CK®

Belarusian Cyber Partisans (BCP) is a Belarusian hacktivist collective that emerged amid the 2020 protests against Alyaksandr Lukashenko. The group conducts high-visibility intrusions, leaks, and disruptive operations against Belarusian/Russian state entities, and claims selective support for Ukraine. Public artifacts include 2021 multi-database breaches ("Operation Heat"), a 2022 ransomware-for-impact incident on Belarusian Railways, and a 2025 joint operation with Silent Crow disrupting Aeroflot.


Each entry below gives the technique ID, the technique name, and the tactic IDs in parentheses, followed by the evidence.

T1486: Data Encrypted for Impact (TA0040)
  • 2022-01-25 — Ransomware-for-impact against Belarusian Railways to coerce release of political prisoners and hinder Russian troop movement (politically motivated encryption).
  • 2022-01-25 — Claim of control over Belarus rail systems and service disruption tied to anti-war aims.

T1078: Valid Accounts (TA0001, TA0003, TA0004, TA0005)
  • 2025-07-28 — Joint claim (with Silent Crow) of sustained access inside Aeroflot; public reporting notes months-long prepositioning and systems impact.
  • 2025-07-30 — Follow-up coverage on Aeroflot aftermath referencing sustained access and disruption.

T1041: Exfiltration Over C2 Channel (TA0010)
  • 2021-07-26 — Operation Heat: breach of multiple Belarus state databases (passport, traffic police, MIA systems) with subsequent data exposure/investigations.
  • 2022-06-14 — Release of purported wiretapped audio linked to Russian diplomatic facilities in Belarus via Telegram/YouTube.

T1190: Exploit Public-Facing Application (TA0001)
  • 2024-03-11 — Interview-based recap cites intrusions into Ministry of Internal Affairs classified servers and access to internal comms (public-facing/service exploitation).

T1498: Network Denial of Service (TA0040)
  • 2025-08-01 — BBC Monitoring notes dozens of attacks across Belarusian/Russian government targets with disruptive effects and messaging.

T1598: Phishing for Information (TA0043)
  • 2022-12-28 — Development/deployment of Partisan Telegram (P-Telegram) as a secure comms/IO tool; messaging and safety features for activists.

T1587: Develop Capabilities (TA0042)
  • 2024-04-02 — CEPA notes collection/identification use-cases (tracking spies/movements) consistent with capability development for future ops.

T1589: Gather Victim Identity Information (TA0043)
  • 2021-07-26 — Passport/identity database access used for deanonymization and vetting; leveraged in investigations and releases.

T1585: Establish Accounts (TA0042)
  • 2025-07-28 — Prepositioning and operational security described in Aeroflot operation narratives; likely use of valid accounts/infrastructure impersonation to persist. (INFERENCE)

Strategic Intelligence
Last updated: 2025-10-16T18:31:05+00:00
Belarusian Cyber Partisans

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Belarusian Cyber Partisans (BCP) is a hacktivist collective that emerged in 2020 during the mass protests against Alyaksandr Lukashenko. The group presents itself as a volunteer network of IT specialists and non-IT contributors pursuing regime change, rule of law, and democratic rights, with operations spanning intrusion, data exfiltration, leaks, and disruptive actions against Belarusian and, increasingly, Russian state targets. Publicly attributed milestones include “Operation Heat” (mid-2021) with multi-database access (passport, police, MIA systems), the January 2022 Belarusian Railways ransomware-for-impact action to hinder Russian troop movements, and the July 2025 Aeroflot disruption claimed jointly with Silent Crow that led to widespread flight cancellations in Russia. BCP couples technical operations with information operations, including a Telegram presence focused on leaks/cyber-investigations and the development of Partisan Telegram (P-Telegram) for activist security. Recruitment runs through an open volunteer intake model and donation rails (crypto, cards, Patreon/Partizan Wave). Overall confidence in the group’s capability and authorship of the listed operations is medium-high, with parts independently corroborated by reputable outlets; some claims remain difficult to verify under wartime censorship and counter-propaganda.


  • 2020-09. Emergence of the Cyber Partisans amid Belarus protests; public mission frames anti-dictatorship, pro-rule-of-law objectives. — CyberPartisans
  • 2021-07-26…30. Operation Heat begins: access to multiple Belarus state databases (traffic police, AIS Passport, MIA systems, video services). — CyberPartisans
  • 2021–2022. Leaks and investigations referencing KGB personnel/operatives, police and security services data. — AP News
  • 2022-01-25. Belarusian Railways: ransomware-for-impact to impede Russian troop movements; claims of control/disruption. — WIRED
  • 2022-03–06. Wiretaps & audio releases (Russian embassy/consulate in Belarus) via BCP Telegram and YouTube. — CyberScoop
  • 2022-12-28. P-Telegram (Partisan Telegram) profiled: secure fork/workflow for at-risk activists (auto-wipe/SOS). — The Record from Recorded Future
  • 2024-03–04. Analytical reporting recaps BCP’s operations (MIA classified servers breach; railway hack; COVID mortality exposure). — The Record from Recorded Future
  • 2025-05-08. Assessments highlight ongoing secrecy and deniable access; emphasis on “not disclosing most impactful hacks.” — New Eastern Europe
  • 2025-07-28…30. Aeroflot disruption: BCP + Silent Crow claim large-scale disruption causing dozens to 100+ flight cancellations; Russia confirms incident and recovery steps. — Reuters
  • 2025-08-01. BBC Monitoring synthesis: “dozens of attacks” on Belarusian/Russian government targets; messaging via defacement/leak channels. — monitoring.bbc.co.uk
Social Media & Communication
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

  • MEGA link with website source code + database as proof of CERT.by
  • Banner used in website
  • Actor Twitter account evidence
  • Avatar used in social media channels
  • Avatar variant used in social media channels
  • PGP Key
  • Image used in website