“The suspect also used various encrypted messaging applications to maintain contact with other members of these terrorist groups, coordinating activities and providing support for their operations,” the police announcement states.
Arrest and investigative timeline by Spain's National Police
Spain's National Police announced the arrest of a man they suspect of active membership in the CyberArmy of Russia Reborn (CARR) and Z-Pentest, two pro‑Russian hacktivist groups. According to the announcement, the investigation began in August 2025 after the police acted on information provided by the FBI. Authorities raided the suspect’s home in Palencia in March 2026, seizing computers and cryptocurrency storage devices. The police report that they also froze cryptocurrency wallets that were used to receive proceeds from criminal activity, specifically sales of stolen data.
Alleged role: logistical and operational support, and an attempted escape route
Spanish investigators say the arrested individual, who lived in Palencia, provided logistical and operational support to a Ukrainian hacker who operated for CARR. The police further allege the man attempted to facilitate that hacker’s escape to Russia through Poland and Belarus. The arrest was followed by seizures intended for use in ongoing investigations; as of the announcement, the suspect is under investigation but no formal charges have been filed.
Accusations and the charges referenced in the police announcement
While prosecutors had not yet filed formal charges at the time of the announcement, the police listed specific suspicions. The arrested man is described as suspected of membership in and collaboration with a terrorist organization, glorification of terrorism, and computer damage. The announcement additionally states that the suspect communicated via encrypted messaging applications to coordinate activities and provide operational support for those groups.
Links among CARR, Z‑Pentest, NoName057(16), and APT44 (aka “Sandworm”)
The police statement connects the suspect not only to CARR and Z‑Pentest but also says investigators believe he participated in actions attributed to the pro‑Russian hacktivist group NoName057(16). The announcement adds that operations attributed to these groups were later claimed on specialized geopolitics‑related websites with the aim of promoting pro‑Russian and anti‑Western narratives. The source material also reports that CARR has been linked to multiple attacks targeting critical infrastructure in the U.S. and Europe and has been loosely tied to the Russian state‑backed threat group APT44, also known as “Sandworm.”
Context from prior public actions tied to these groups
The police announcement and associated reporting reference earlier public actions that provide context for the investigation. A recent indictment of an alleged CARR member, Victoria Eduardovna Dubranova, revealed that the hacking group carried out cyberattacks against water and food‑processing facilities, which prosecutors said created real safety risks for people in the U.S. Separately, the U.S. government has sanctioned two alleged members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, who were linked to attacks against the SCADA systems of an American energy firm.
What this means for technologists and policymakers, and for affected enterprises
- Technologists and security teams: incidents involving alleged members of CARR, Z‑Pentest, and NoName057(16) underscore the persistence of groups that claim political aims while targeting operational technology and critical infrastructure; investigators seized endpoints and crypto storage that will be analyzed as part of evidence‑gathering.
- Policymakers and regulators: the cross‑border nature of the probe — from FBI intelligence to Spanish police action and alleged escape routes through Poland and Belarus — highlights transnational investigative coordination already cited in the announcement.
- Affected enterprises and procurement leaders: the authorities’ reference to frozen cryptocurrency wallets used to receive proceeds from sales of stolen data reinforces the role financial traces can play in investigations that target the monetization of breaches.
The Spanish National Police have moved from intelligence to detention, seizure, and freezing of financial instruments, but as the announcement makes clear, the case remains in the investigatory stage: no indictment has been filed in the matter announced. The next visible steps in the public record are the forensic analysis of seized computers and crypto devices and any prosecutorial decisions that may follow from that work.
Original reporting: https://www.bleepingcomputer.com/news/security/spain-arrests-suspected-member-of-pro-russian-hacktivist-groups/




