Skip to main content
Threat IntelligenceEmerging Threats

Spain Seizes Suspect Tied to Russian Hacktivist Group

Law enforcement officials coordinate in a formal office setting.

“Together, we will continue to impose costs on cybercriminals wherever they operate,” the FBI’s cyber division wrote in a LinkedIn post announcing coordination with Spanish authorities, summing up a case that Spanish investigators say culminated in an arrest linked to a pro‑Russian hacktivist campaign.

Arrest in Palencia and the investigation timeline

Spain’s national police announced Monday that they arrested an alleged member of Cyber Army of Russia Reborn, but said the detention actually took place in March at a home in Palencia. The case began after an August 2025 tip from the FBI, and the FBI’s Los Angeles field office coordinated with Spanish officials on the operation, the FBI said. Spanish authorities described the probe as nearly year‑long and said it has recently concluded, though they have not published a full charging document.

Alleged logistics and escape facilitation for a linked hacker

Spanish officials told investigators the arrested man provided logistical support to a Ukrainian hacker linked to Cyber Army of Russia Reborn, facilitating that individual’s escape to Russia via Poland and Belarus. Authorities say the suspect’s role extended beyond logistics: they contend he also “participated in actions attributed to the pro‑Russian hacktivist group NoName057(16), whose operations were later claimed in specialized portals related to geopolitics, with the aim of spreading pro‑Russian and anti‑Western narratives.”

Searches, seizures and cryptocurrency tracing

Police searched the suspect’s home and seized computers and cryptocurrency storage devices, and later froze a cryptocurrency wallet that officials allege the man used to receive payment for his activities. Spanish authorities have publicly accused him of collaborating with a terrorist organization, glorifying terrorism and damaging computers, but they have not announced additional, more specific charges tied to the investigation.

Operation Riptide, sanctions, indictments and joint advisories

The FBI described the arrest as part of Operation Riptide, an ongoing global campaign targeting cybercriminals and the infrastructure and financial networks they use to commit fraud. The Treasury Department sanctioned two individuals identified as the alleged leader and a primary hacker of Cyber Army of Russia Reborn — Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko — in July 2024. In December 2025 the Justice Department indicted Ukrainian national Victoria Eduardovna Dubranova, accusing her of participating in attacks against critical infrastructure and other victims on behalf of Cyber Army of Russia Reborn and NoName057(16); Dubranova was extradited to the United States last year and pleaded guilty in two federal cases. Since late 2025, the State Department has offered rewards of up to $2 million for information on individuals associated with Cyber Army of Russia Reborn and up to $10 million for information on individuals associated with NoName. Multiple federal agencies and international partners issued a joint cybersecurity advisory in December 2025 about threats posed by pro‑Russian hacktivist groups, specifically naming Cyber Army of Russia Reborn and NoName.

What this means for technologists, policymakers, and critical infrastructure providers

  • Technologists and security teams: The seizure of computers and crypto wallets in this case underscores investigators’ focus on disrupting operational support and payment flows, an axis that security teams and incident responders will monitor when assessing threat‑actor tradecraft and resilience.
  • Policymakers and regulators: Existing tools — sanctions (July 2024), indictments (December 2025), reward offers (late 2025) and multinational advisories (December 2025) — have been used against the same networks named in this arrest; policymakers will be watching how those measures intersect with cross‑border investigations such as Operation Riptide.
  • Critical infrastructure providers: Organizations previously identified as targets in alleged campaigns will note that U.S. and international authorities continue to pursue both perpetrators and their enablers, and that law enforcement activity can include freezing of cryptocurrency assets and cross‑border coordination.

The Spanish arrest, publicly announced months after it occurred, is the latest public sign that multiple governments are treating pro‑Russian hacktivist groups as enduring targets for criminal and national‑security enforcement: investigators have tied seizures and sanctions to the same networks, but Spanish authorities have so far released only broad accusations and limited public detail about prosecutorial steps. The concrete next developments to watch are whether Spain files more detailed charges and how any evidence from seized devices and frozen wallets is used in follow‑on cases linked to Operation Riptide.

Original story