The Spanish police have arrested a suspected hacker in Alicante for allegedly conducting 40 cyberattacks targeting critical public and private organizations, including the Guardia Civil, the Ministry of Defense, NATO, the US Army, and various universities.
The investigation into the suspect’s activities was launched in early 2024 following a report about a data leak from a Madrid business association, which pointed to leaks on dark web forums where the suspect used various aliases to hide his tracks.
“Using up to three different pseudonyms, the suspect attacked international governmental organizations, accessing databases containing personal information of employees and customers, as well as internal documents that were later sold or freely published on forums,” reads the Spanish police’s announcement.
Apart from the Madrid organization, the authorities have confirmed the following victims, all breached by the same individual throughout 2024:
- The National Mint and Stamp Factory
- The State Public Employment Service
- The Ministry of Education, Vocational Training and Sports
- Various Spanish universities
- NATO and US Army databases
- The Directorate-General for Traffic
- The Generalitat Valenciana
- The United Nations
- The International Civil Aviation Organization (ICAO)
- Guardia Civil
- Ministry of Defense
Forum posts related to these attacks appeared on the BreachForums hacking forum, where the threat actor attempted to sell or leak the stolen data. In some cases, the threat actor claimed to have successfully sold the data to other threat actors, with the leaks for NATO, the US military, and Spain’s Guardia Civil and Ministry of Defense listed as sold.
In some of these attacks, such as the one on the International Civil Aviation Organization, the hacker published the stolen data on BreachForums on January 5, 2025, using the alias ‘natohub.’ The allegations about the data breach were later officially confirmed to be valid.
Although the suspect used anonymization technologies to evade the authorities, the police say they were able to track him down with the assistance of investigators from the National Cryptologic Center (CCN) of the National Intelligence Center (CNI), Europol, and the US Homeland Security Investigations (HSI).
During the raid on the suspect’s residence, the police found and seized multiple computers, other electronic devices, and 50 cryptocurrency accounts containing various digital assets.
The authorities declared that, at this time, linking the suspect to additional offenses or accomplices cannot be ruled out.
As for the potential penalties, the hacker could face charges for discovery and disclosure of secrets, illegal access to IT systems, computer damage, and money laundering, which carry a maximum sentence of 20 years in prison under Spanish law.