Full Report
The Spanish National Police has arrested an individual for leaking sensitive information related to members of various key state organizations, including the National Cybersecurity Institute (INCIBE). [...]
Analysis Summary
# Incident Report: Arrest of "Police-ESP-Doxed" Campaign Lead
## Executive Summary
The Spanish National Police arrested an individual responsible for the mass dissemination ("doxing") of sensitive personal data belonging to employees of several critical state organizations. No direct breach of current government systems was confirmed; the data (DNI numbers, mobile numbers, e-mail addresses) was aggregated from other sources, yet its correlation and publication posed a significant national security risk. The suspect was apprehended following an urgent operation to mitigate the risk to the affected judicial and security personnel.
## Incident Details
- **Discovery Date:** February 2024 (Initial reports by INCIBE)
- **Incident Date:** February 2024 – May 27, 2026 (Ongoing activity culminating in arrest)
- **Affected Organizations:** State Attorney General's Office, INCIBE, National Police, Civil Guard, National Security Council.
- **Sector:** Government / Public Administration
- **Geography:** Spain
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-February 2024
- **Vector:** Aggregation of third-party breaches and Open Source Intelligence (OSINT).
- **Details:** The threat actor did not necessarily breach the government portals directly but gathered data from older leaks, credential dumps, and public records.
### Lateral Movement
- **N/A:** No confirmed lateral movement within government networks; the "movement" involved pivoting between different external datasets to correlate identities.
### Data Exfiltration/Impact
- **February - March 2024:** Publication of curated lists of INCIBE employees and judicial staff.
- **Details:** Sensitive PII (Personally Identifiable Information) including full names, National Identity Document (DNI) numbers, personal mobile phone numbers, and professional email addresses were leaked.
### Detection & Response
- **February 2024:** INCIBE issues a public statement clarifying they were not victims of a direct cyberattack but a doxing campaign.
- **May 27, 2026:** Spanish National Police conduct a targeted raid and arrest the primary suspect.
- **Post-Arrest:** Forensic analysis of seized electronic devices to identify potential co-conspirators.
## Attack Methodology
- **Initial Access:** Use of historical data breaches and OSINT.
- **Persistence:** Not applicable to network access; the actor relied on underground forums (BreachForums) and doxing sites (Doxbin) to keep the published data available.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of encrypted communications and underground forums to host data.
- **Credential Access:** Utilization of previous "credential dumps" from unrelated third-party breaches.
- **Discovery:** Correlation of public employee directories with leaked databases.
- **Lateral Movement:** N/A.
- **Collection:** Automated and manual harvesting of personal records.
- **Exfiltration:** Not applicable in the network sense; the curated "dox" lists were published directly on public-facing platforms.
- **Impact:** National security risk; potential for harassment, identity theft, or physical targeting of state officials.
## Impact Assessment
- **Financial:** Costs associated with public safety operations and the urgent police investigation.
- **Data Breach:** High volume of PII (Names, DNI, phone numbers) for hundreds of judges, prosecutors, and security officials.
- **Operational:** Diversion of state resources to mitigate doxing risks and update security protocols for affected individuals.
- **Reputational:** Public concern regarding the privacy of state employees and the perceived security of government-linked data.
## Indicators of Compromise
- **URL Indicators:**
- hxxp[://]breachforums[.]st (and various iterations)
- hxxps[://]doxbin[.]com
- **Behavioral Indicators:**
- Unusually high volumes of OSINT queries related to specific Spanish government sub-domains.
- Publication of historical employee data on "leak sites" attributed to the persona "Police-ESP-Doxed."
## Response Actions
- **Containment:** Removal of leaked data where possible and monitoring of underground forums.
- **Eradication:** Arrest of the primary individual responsible and seizure of their infrastructure.
- **Recovery:** Judicial and police officials notified of the exposure so they could implement personal safety measures.
## Lessons Learned
- **The Persistence of Old Data:** Even if current systems are secure, historical data from years-old breaches remains a "ticking time bomb" for doxing.
- **OSINT Vulnerabilities:** Publicly available lists of government employees can be weaponized when correlated with private data from unrelated breaches.
- **Doxing as a National Security Threat:** Attacks on the *individuals* within an organization can be as damaging as attacks on the *infrastructure* itself.
## Recommendations
- **Employee Privacy Hardening:** Advise state employees on how to scrub PII from public records and social media.
- **Credential Monitoring:** Implement monitoring for corporate email addresses appearing in third-party credential dumps.
- **Doxing Simulations and Awareness Training:** Conduct digital-footprint exercises and awareness training for high-risk personnel (judges, law enforcement) so they see how much of their profile an adversary can reconstruct.
- **Enhanced OSINT Monitoring:** Proactively monitor underground forums for mentions of state institutions to detect "collections" before they are fully disseminated.
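The attack methodology above (correlating a public employee directory with unrelated leaked datasets) and the credential-monitoring recommendation are two sides of the same check. The following is an added example, not code from the report or from any of the organizations named in it: it parses a constructed credential dump and a constructed consumer-breach export, flags corporate addresses present in the dump, and links directory names to breach records by accent- and particle-insensitive name matching. The domain `agency.example.es`, the staff names and all dump lines are assumptions constructed for illustration.

```python
"""Correlate a public staff directory with leaked datasets (added example).

All data below is constructed; the domain and names are placeholders.
"""
import csv
import io
import re
import unicodedata

# Assumed corporate mail domain; replace with the organization's real domains.
CORPORATE_DOMAINS = {"agency.example.es"}

# Constructed public staff directory (name, work address), as scraped from a
# web page or PDF.
DIRECTORY = [
    ("José García Pérez", "jgarcia@agency.example.es"),
    ("María del Carmen López", "mlopez@agency.example.es"),
    ("Andrés Ruiz", "aruiz@agency.example.es"),
]

# Constructed credential dump in the common email:password layout, with the
# mixed separators, casing and junk lines real combo lists contain.
CREDENTIAL_DUMP = """\
# combo list
jgarcia@agency.example.es:Winter2023!
someone@unrelated.example.com:password1
MLopez@Agency.Example.es;Verano#22
garbage line without separator
"""

# Constructed export from an unrelated consumer breach (name, personal email, phone).
CUSTOMER_EXPORT = """\
name,email,phone
Jose Garcia Perez,jose.gp77@mail.example.net,+34 600 000 001
Andres Ruiz,andres.r@mail.example.net,+34 600 000 002
Laura Martín,laura.m@mail.example.net,+34 600 000 003
"""

# Spanish name particles that vary between sources and carry no identity.
STOPWORDS = {"de", "del", "la", "las", "los", "y"}


def normalize_email(addr):
    return addr.strip().strip("<>\"'").lower()


def name_tokens(name):
    # Strip accents, lowercase and drop particles so "María del Carmen López"
    # and "Maria Carmen Lopez" reduce to the same token set.
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return frozenset(t for t in re.split(r"[^a-z]+", ascii_name.lower())
                     if t and t not in STOPWORDS)


def parse_dump(text):
    """Yield (email, secret) from email:password / email;password lines; skip the rest."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([^:;|\s]+@[^:;|\s]+)[:;|](.*)$", line)
        if m:
            yield normalize_email(m.group(1)), m.group(2)


def corporate_exposures(dump_text, domains):
    """Defender's check: corporate addresses present in a third-party dump."""
    hits = {}
    for email, secret in parse_dump(dump_text):
        if email.rsplit("@", 1)[1] in domains:
            hits[email] = secret
    return hits


def names_match(a, b):
    # Tolerant match: one token set contained in the other and at least two
    # tokens in common, so a shared first name alone does not link records.
    return len(a & b) >= 2 and (a <= b or b <= a)


def correlate_identities(directory, export_csv):
    """Attacker's pivot: link directory staff to records in an unrelated breach by name."""
    index = [(name_tokens(name), name, work) for name, work in directory]
    links = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        rec_tokens = name_tokens(row["name"])
        for tokens, name, work in index:
            if names_match(tokens, rec_tokens):
                links.append({"staff": name, "work_email": work,
                              "personal_email": normalize_email(row["email"]),
                              "phone": row["phone"]})
    return links


if __name__ == "__main__":
    for email, secret in corporate_exposures(CREDENTIAL_DUMP, CORPORATE_DOMAINS).items():
        print(f"corporate account in dump: {email} (secret length {len(secret)})")
    for link in correlate_identities(DIRECTORY, CUSTOMER_EXPORT):
        print(f"{link['staff']} <{link['work_email']}> linked to "
              f"{link['personal_email']} / {link['phone']}")
```

Run against real inputs, the first function is the alerting rule behind "credential monitoring" (feed it each new dump, alert on any hit for your domains); the second is what the threat actor's correlation step looks like and shows why a public staff list is dangerous even when work mailboxes never appear in a dump: a name alone is enough to pull personal e-mail and phone numbers from an unrelated breach. Tune `names_match` and `STOPWORDS` to the naming conventions of your population; the two-token threshold is a deliberate trade of recall for fewer false links.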