Wed 08 Jul 2026 / 13:59 ET
Kernel
Security 3 min read

Spain arrests man accused of aiding pro-Russia hacktivists

Spanish police say an FBI tip helped identify a suspect linked to CARR, Z-Pentest and NoName057(16), three pro-Russian hacktivist groups.

Dana Voss

By Dana Voss / Security Correspondent

Spain arrests man accused of aiding pro-Russia hacktivists
img: The Record

Spanish police arrested a man in Palencia in March after investigators tied him to several pro-Russian hacktivist groups, including CyberArmy of Russia Reborn, Z-Pentest and NoName057(16). The case began with information from the FBI, according to Spanish police.

The suspect has not been publicly named. In a statement released this week, Spain’s National Police said he is accused of giving logistical help to a Ukrainian hacker connected to CyberArmy of Russia Reborn, or CARR, as that person tried to reach Russia through Poland and Belarus.

Police also said the man used encrypted messaging apps to communicate with members of Russian hacktivist groups, coordinate activity and support operations attributed to NoName057(16). That group is known for distributed denial-of-service attacks, the low-glamour but still annoying tactic of flooding websites or online services with traffic until they degrade or fall over. Its targets have included governments and organizations that support Ukraine, according to authorities.

During a search of the suspect’s home, officers seized computers and cryptocurrency storage devices. Investigators also froze a crypto wallet they believe received money from the sale of information obtained through criminal activity, according to police.

Spanish police said the suspect is being investigated for alleged membership in and collaboration with a terrorist organization, glorification of terrorism and computer-related damage. Formal charges have not been announced.

Z-Pentest pushes back

A person claiming to speak for Z-Pentest told the Russian technology outlet SecPost that the group did not know who had been detained and suggested Spanish police may have arrested the wrong person. The representative said the group had asked “its people in Europe and Spain” to collect information about the suspect.

That denial does not resolve much. The public record, for now, is a police account of the arrest, a claimed response from a group representative and no named defendant. Spanish authorities have not released the suspect’s identity or detailed evidence linking him to specific intrusions.

Pressure on Russia-aligned hacktivists

The arrest fits a broader pattern of law enforcement action against people accused of supporting Russian government-aligned hacktivist operations since Russia’s full-scale invasion of Ukraine.

In 2024, the U.S. government sanctioned two alleged members of CARR, including people it described as the group’s leader and primary hacker. U.S. officials accused the group of targeting critical infrastructure in the United States. According to the U.S. government, CARR has claimed attacks on industrial control systems at water, hydroelectric, wastewater and energy facilities, although many of its known operations have been less sophisticated DDoS activity.

NoName057(16) has also drawn more attention from European authorities. Last year, an international law enforcement operation disrupted much of the group’s infrastructure, according to authorities, targeting more than 100 servers and issuing seven international arrest warrants. The group has continued to claim cyberattacks against countries that support Ukraine despite that operation.

Security researchers have argued that some Russian hacktivist brands are closer to the Kremlin than their public messaging suggests. Earlier this year, Mandiant reported that CARR maintains a close operational relationship with Sandworm, the Russian military intelligence-linked hacking unit that has been connected to destructive cyber operations.

The Spanish case does not prove that relationship on its own. It does show that Western investigators are still treating the support networks around pro-Russian hacktivist groups as targets, including alleged fixers who may not be the people pressing the button during an attack.

This story draws on original reporting from The Record.

More Security/

view all ↗