Policia Nacional vehicle
Image: Policia Nacional via X

Spain arrests alleged supporter of pro-Russian hacktivist groups after FBI tip

Spanish police have arrested a man suspected of supporting some of Russia's most prominent hacktivist groups and helping a Ukraine-based member of one flee to Russia.

The suspect was arrested in March in the northern city of Palencia after an investigation, launched with information provided by the FBI, linked him to the pro-Russian groups CyberArmy of Russia Reborn (CARR), Z-Pentest and NoName057(16).

In a statement released earlier this week, police alleged that the man, whose identity has not been disclosed, provided logistical support to a Ukrainian hacker linked to CARR in an effort to help him escape to Russia through Poland and Belarus.

Authorities also accused the suspect of communicating with members of Russian hacktivist groups through encrypted messaging apps, coordinating activities and supporting operations attributed to NoName057(16), a group best known for disruptive distributed denial-of-service attacks against governments and organizations supporting Ukraine.

During a search of the suspect's home, officers seized computers and cryptocurrency storage devices and froze a cryptocurrency wallet that investigators believe received proceeds from the sale of information obtained through criminal activity.

Spanish police said the suspect is being investigated for alleged membership in and collaboration with a terrorist organization, glorification of terrorism and computer-related damage, although formal charges have not yet been announced.

In comments to the Russian technology outlet SecPost, a person claiming to represent Z-Pentest said the group did not know who had been detained and suggested police may have made a mistake. The representative said the group had asked "its people in Europe and Spain" to gather information about the suspect.

International targets

The arrest is the latest international law enforcement action against individuals allegedly linked to Russian government-aligned hacktivist groups.

In 2024, the U.S. sanctioned two alleged members of CARR, including its purported leader and primary hacker, accusing them of targeting U.S. critical infrastructure. According to the U.S. government, the group has claimed attacks on industrial control systems at water, hydroelectric, wastewater and energy facilities, although many of its operations have consisted of relatively unsophisticated DDoS attacks.

European authorities also have intensified pressure on NoName057(16). Last year, an international law enforcement operation disrupted much of the group's infrastructure, targeting more than 100 servers and issuing seven international arrest warrants. Despite the operation, the group has continued to claim cyberattacks against countries backing Ukraine.

Security researchers have long argued that many Russian hacktivist groups operate much more closely with the Kremlin than they publicly acknowledge. Earlier this year, Mandiant reported that CARR maintains a close operational relationship with Sandworm, the notorious hacking unit linked to Russia's military intelligence.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
Recorded Future
No previous article
No new articles
Daryna Antoniuk

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.