Back to Home
Security

Spain collars alleged pro-Russia hacktivist after FBI tip-off

Palencia man suspected of links to CARR, Z-Pentest, and NoName057(16), plus helping a Ukrainian hacker flee to Russia

t
tech4you AI
July 7, 20263 min read
Share

SECURITY

Spain collars alleged pro-Russia hacktivist after FBI tip-off

Palencia man suspected of links to CARR, Z-Pentest, and NoName057(16), plus helping a Ukrainian hacker flee to Russia

Spanish police have arrested a man they believe is affiliated with at least two pro-Russia hacktivist groups linked to attacks on critical national infrastructure (CNI).

Arrested in March at his home in Palencia, central Spain, the man is suspected of having close ties to CyberArmy of Russia Reborn (CARR) and Z-Pentest, and may have carried out attacks on behalf of NoName057(16).

All three hacktivist groups were named by the UK's NCSC earlier this year as part of an advisory warning about the dangers these groups pose to Western CNI.

The cyber arm of GCHQ, the UK's signals intelligence agency, said organizations should not underestimate pro-Russia hacktivist groups, despite them being known largely for relatively low-impact DDoS attacks.

Jonathon Ellison, NCSC director of national resilience, said at the time: "We continue to see Russian-aligned hacktivist groups targeting UK organizations, and although denial-of-service attacks may be technically simple, their impact can be significant.

"By overwhelming important websites and online systems, these attacks can prevent people from accessing the essential services they depend on every day."

A month earlier, US officials said CARR was working with, or receiving instructions from, Russian military intelligence (GRU).

Policía Nacional first announced the detention of the unidentified man on Monday, although the arrest was made months ago following an FBI tip-off.

In August 2025, the feds alerted Spanish police to the man's alleged involvement in trying helping a Ukrainian hacker, a member of CARR, flee to Russia via Poland and Belarus

He was said to have provided "logistical and support cover" to facilitate the Ukrainian's escape.

After the Palencia man's arrest, officers found evidence suggesting he was in close contact with other members of these pro-Russia hacktivist "terrorist groups." Police said he assisted in "coordinating actions and providing support" for the different outfits' activities, including those of NoName057(16).

NoName057(16) has been active since at least 2022, and is known for targeting public and private organizations, NATO countries, and those whose interests do not align with Russia's.

Police also seized computer equipment from the man's residence and cryptocurrency storage devices, freezing a wallet suspected of containing proceeds of cybercrime.

The FBI's Cyber Division said in a statement: "Last December, the FBI announced Operation Red Circus, our ongoing effort to disrupt Russian state-sponsored cyber threats to the United States and our interests abroad. As part of that announcement, the FBI and partners released a joint Cybersecurity Advisory on pro-Russia hacktivist groups conducting opportunistic attacks against critical infrastructure, including the water, agriculture, and energy sectors. 

"A mission priority of Operation Red Circus is targeting and arresting individuals for their roles in hacktivist groups such as Cyber Army of Russia Reborn to mitigate planned, malicious cyber-campaigns.

Years of pursuit

Authorities have been hunting pro-Russia hacktivists, particularly CARR members, for years. CARR has been active since at least 2022, when it began with low-level attacks in Ukraine shortly after Russia's invasion.

The US named Yuliya Vladimirovna Pankratova as CARR's leader and Denis Olegovich Degtyarenko as its primary hacker in 2024. The pair were sanctioned after CARR was tied to attacks on US and European water facilities earlier that year that specifically targeted human-machine interfaces at water supply, hydroelectric, wastewater, and energy facilities.

CARR also gained access to the SCADA system of a US energy company, which allowed them to control alarms and pumps connected to tanks.

Mandiant previously attributed these attacks to Sandworm, a cyber unit inside Russia's GRU. However, the sanctions pointed to a hacktivist element and added further color to the relationship between Russia's military and cybercrime community.

Separately, pro-Russia Ukrainian hacktivist Victoria Eduardovna Dubranova, 33, was extradited to the US late last year after being charged with offenses related to attacks carried out by CARR and NoName057(16).

Dubranova was linked to attacks on water facilities and a Los Angeles meat processing facility in November 2024, which spoiled thousands of pounds of meat and triggered an on-site ammonia leak. ®


Originally published on The Register

Spain collars alleged pro-Russia hacktivist after FBI tip-off | tech4you