Skip to main content
Threat IntelligenceEmerging Threats

Spain Arrests Alleged Pro-Russia Hacktivist Tied to Cyber Attacks

Police officer stands in doorway of a residential home in a quiet neighborhood.

"We continue to see Russian-aligned hacktivist groups targeting UK organizations, and although denial-of-service attacks may be technically simple, their impact can be significant," said Jonathon Ellison, NCSC director of national resilience. "By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day."

The arrest in Palencia and the FBI tip-off

Spanish police arrested an unnamed man in March at his home in Palencia, central Spain, after receiving a tip from the FBI, Policía Nacional said. Although the detention was made months earlier, authorities first announced it publicly on a Monday. The FBI's involvement dated to August 2025, when federal agents alerted Spanish counterparts that the man was allegedly involved in assisting a Ukrainian hacker — a member of CyberArmy of Russia Reborn (CARR) — to flee to Russia via Poland and Belarus.

Affiliations alleged: CARR, Z‑Pentest and NoName057(16)

Police say the Palencia detainee is believed to have ties to at least two pro-Russia hacktivist groups, CyberArmy of Russia Reborn (CARR) and Z‑Pentest, and may have acted on behalf of NoName057(16). All three groups were named earlier this year in an advisory by the UK's National Cyber Security Centre (NCSC) warning about risks these groups pose to Western critical national infrastructure (CNI).

Allegations of coordination, escape assistance and seized evidence

According to Policía Nacional, officers found evidence suggesting the suspect was in close contact with other members of the pro-Russia hacktivist "terrorist groups" and that he assisted in "coordinating actions and providing support" for their activities, including those of NoName057(16). Spanish police seized computer equipment and cryptocurrency storage devices from his residence, and froze a wallet suspected of containing proceeds of cybercrime.

U.S. and U.K. intelligence warnings and Operation Red Circus

The arrest and FBI tip sit against a backdrop of stepped-up Western warnings. In December, the FBI announced Operation Red Circus, described by the agency's Cyber Division as "our ongoing effort to disrupt Russian state-sponsored cyber threats to the United States and our interests abroad." The FBI and partners released a joint Cybersecurity Advisory on pro-Russia hacktivist groups, noting opportunistic attacks against critical infrastructure sectors including water, agriculture and energy.

Separately, the U.K.'s signals intelligence arm, GCHQ, and the NCSC have urged organizations not to underestimate pro-Russia hacktivist groups, even when their most visible activity has been relatively low-impact distributed denial-of-service (DDoS) attacks. The NCSC quoted Jonathon Ellison on the potentially significant impact of DDoS and other disruptive campaigns against essential services.

CARR's history as described in the record

The record included in police and western public advisories traces CARR's activity back to at least 2022, when it began operations with low-level attacks in Ukraine. The United States named Yuliya Vladimirovna Pankratova as CARR's leader and Denis Olegovich Degtyarenko as its primary hacker in 2024. Those two were sanctioned after CARR was tied to attacks on U.S. and European water facilities in 2024 that specifically targeted human‑machine interfaces (HMI) at water supply, hydroelectric, wastewater and energy facilities.

Authorities said CARR also gained access to the supervisory control and data acquisition (SCADA) system of a U.S. energy company, enabling control of alarms and pumps connected to tanks. Mandiant previously attributed related intrusions to Sandworm, a unit inside Russia's GRU; the 2024 sanctions pointed to a hacktivist element and helped illustrate ties between the Russian military and cybercrime communities, according to the public record.

How Policía Nacional, CNI operators, and the FBI are affected

  • Policía Nacional: The arrest demonstrates use of cross-border intelligence sharing — the August 2025 FBI alert prompted local action months later — and has produced seized devices and a frozen cryptocurrency wallet for further forensic analysis.
  • CNI operators (water, energy, agriculture): The groups named in advisories — CARR, Z‑Pentest and NoName057(16) — have been linked in the public record to attacks on water facilities, energy SCADA systems and other industrial targets. Operators should note authorities' continued concern about disruptive impacts even from relatively simple DDoS campaigns.
  • The FBI and U.S. law enforcement: Operation Red Circus lists arresting individuals who participate in CARR as a mission priority. The agency framed its efforts as intended to mitigate planned malicious cyber-campaigns and pointed to arrests and cross-border cooperation as part of that mission.

The detention in Palencia closes one chapter in a broader campaign of disruption, naming and sanctions that Western agencies have pursued for years. Spanish police say forensic leads tied the man to coordination and support roles across multiple pro‑Russia hacktivist groups; U.S. and U.K. advisories and sanctions have already linked those groups to attacks on water and energy systems and to at least one meat‑processing facility that suffered spoilage and an ammonia leak in November 2024. The coming months will show whether the seized devices, frozen wallet and international cooperation yield prosecutions or further operational disruptions.

Original story: The Register — Spain collars alleged pro-Russia hacktivist after FBI tip-off