2 Remove Virus

Spain arrests suspected member of pro-Russian hacktivist groups after FBI-assisted investigation

Spanish authorities have arrested a man suspected of supporting several pro-Russian hacktivist groups linked to cyberattacks against critical infrastructure in Europe and the United States. The arrest follows a months-long investigation launched with assistance from the U.S. Federal Bureau of Investigation (FBI).

 

 

According to Spain’s National Police, the suspect is believed to have been an active member of the CyberArmy of Russia Reborn (CARR) and Z-Pentest. Investigators also allege he participated in activities associated with the pro-Russian hacktivist collective NoName057(16), which has claimed responsibility for numerous politically motivated cyberattacks since Russia’s invasion of Ukraine.

Police said the suspect lived in the city of Palencia and provided logistical and operational support to a Ukrainian hacker linked to CARR. Investigators allege he helped facilitate the hacker’s planned escape to Russia through Poland and Belarus while maintaining contact with other group members through encrypted messaging platforms.

Authorities claim the suspect also coordinated activities connected to cyber operations later promoted on websites focused on geopolitical conflicts. According to investigators, those attacks were intended to amplify pro-Russian messaging while targeting organizations viewed as supporting Ukraine or Western governments.

The investigation began in August 2025 after Spanish authorities received intelligence from the FBI. Officers searched the suspect’s home in March 2026, seizing computers, digital storage devices, and cryptocurrency wallets that investigators believe were connected to cybercrime proceeds, including the sale of stolen data. The cryptocurrency assets have since been frozen as the investigation continues.

The suspect has not been formally charged. However, Spanish police said he is under investigation for suspected membership in and collaboration with a terrorist organization, glorification of terrorism, and computer-related damage offenses. Authorities have not disclosed his identity or indicated when a court will determine whether formal charges will be filed.

CyberArmy of Russia Reborn has previously been linked to attacks targeting water utilities, food processing facilities, and energy infrastructure in the United States. U.S. authorities have accused other alleged members of the group of attempting to compromise industrial control and SCADA systems used to operate critical services.

Security researchers have also reported links between CARR and the Russian state-backed threat group APT44, also known as Sandworm. However, public reporting describes those connections as indirect, and no official attribution has established that CARR operates under the direct control of the Russian government.