Full Report
Spain’s National Police force has arrested a suspected data thief who targeted government and military victims
Analysis Summary
# Threat Actor: Suspected Cybercriminal (Arrested by Spanish Police)
## Attribution & Identity
- **Identification:** A suspected cybercriminal detained by the Spanish National Police (Policia Nacional) and Civil Guard (Guardia Civil) in Calpe, Costa Blanca.
- **Aliases:** Used "various online pseudonyms" across underground forums. This case appears to concern an individual actor rather than a known, established APT group.
- **Known Associations:** None explicitly named, though the activity spanned international government entities.
## Activity Summary
The suspect allegedly carried out over 40 cyber-attacks in the previous year (2024, based on the article date of Feb 2025). These activities involved hacking, data exfiltration, and subsequent leaking or selling of sensitive internal data and employee/citizen information on well-known underground forums, such as BreachForums.
The investigation was initiated following a complaint from a Madrid-based business organization regarding a data leak on a forum.
## Tactics, Techniques & Procedures
- **Data Exfiltration & Disclosure:** Leaked or sold sensitive internal data and citizen information.
- **System Access:** Performed illegal access to computer systems and discovery/disclosure of secrets.
- **Persistence/Evasion:** Constructed a "complex technological network" utilizing anonymous messaging and browsing applications to hide tracks and impede identification.
- **Financial Activity:** Managed over 50 cryptocurrency accounts, suggesting monetization/money laundering.
- **Associated Charges:** Discovery and disclosure of secrets, illegal access to computer systems, damage to computers, and money laundering.
- **MITRE ATT&CK IDs:** Not explicitly mentioned in the source text.
## Targeting
- **Sectors:** Government/Defense, Financial, Education, and Governmental Infrastructure.
- **Geography:** Primarily Spain, but targets included international bodies located globally.
- **Victims:**
  - NATO
  - US Army
  - International Civil Aviation Organization (ICAO)
  - Spanish Civil Guard (Guardia Civil)
  - Spanish Ministry of Defense
  - Spanish Royal Mint
  - Spanish Ministry of Education
  - Valencia provincial government
  - Various Spanish universities
  - An unnamed Madrid-based business organization (initial complainant)
## Tools & Infrastructure
- **Malware Families Used:** Not specified.
- **Infrastructure (C2, domains, IPs):**
  - Utilized **anonymous messaging and browsing applications** to establish a "complex technological network."
  - Data was allegedly leaked or sold on underground forums; the source names **BreachForums** as one such platform.
  - Evidence recovered during the investigation included **over 50 cryptocurrency accounts**.
## Implications
This case highlights the significant threat posed by technically proficient, likely financially motivated individual actors capable of breaching high-value, sensitive targets, including international defense organizations (NATO, US Army). Attribution required significant international collaboration (Europol, US HSI) and specialized digital forensics from the Spanish National Cryptologic Centre (CCN), illustrating the effort needed to unmask an actor who invests in evasion. The large number of cryptocurrency accounts points to a clear financial motive tied to the leaked data.
## Mitigations
- **Network Segmentation and Access Control:** Implement strict access controls, especially around sensitive government/defense networks, given the scope of targets (NATO, MoD).
- **Anonymous Traffic Monitoring:** Enhance monitoring capabilities to detect and analyze traffic routed through anonymity networks (VPNs, specialized messaging/browsing apps) that might indicate evasion techniques.
- **Data Leak Monitoring:** Maintain active monitoring of underground forums (like BreachForums) to detect early signs of data compromises originating from internal systems.
- **Cryptocurrency Traceability:** Improve forensic capabilities for tracking digital assets associated with illicit data sales.
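The "Anonymous Traffic Monitoring" mitigation above is easiest to reason about with a concrete detection. The following Python script is an added illustration, not part of the original report or of any tooling the source describes: it parses constructed proxy log lines, matches destination addresses against a constructed denylist of anonymity-network relay ranges (RFC 5737 documentation addresses stand in for a real, regularly refreshed feed), and then aggregates hits per internal source host so that a single workstation repeatedly reaching such relays, or moving a large volume of data through them, is surfaced for triage. The log format, the address ranges and the thresholds are all assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed denylist of anonymity-network relay/exit ranges. These are RFC 5737
# documentation addresses chosen for the example; a real deployment would load a
# curated, frequently refreshed feed instead.
ANONYMIZER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]

# Constructed proxy/firewall log lines (assumed format):
#   <timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
SAMPLE_LOGS = """\
2025-02-10T09:01:03Z 10.20.1.15 192.0.2.44 443 5120
2025-02-10T09:01:07Z 10.20.1.15 198.51.100.23 9001 88214
2025-02-10T09:02:11Z 10.20.1.15 198.51.100.41 443 120355
2025-02-10T09:02:40Z 10.20.3.8 192.0.2.10 80 804
2025-02-10T09:03:15Z 10.20.1.15 203.0.113.7 9030 52210
2025-02-10T09:04:00Z 10.20.3.8 203.0.113.9 443 2040
"""


def parse_line(line):
    """Split one log line into a record with typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "bytes": int(nbytes),
    }


def is_anonymizer(addr, ranges=ANONYMIZER_RANGES):
    """True when the address falls inside any denylisted range (CIDR-aware)."""
    return any(addr in net for net in ranges)


def find_anonymizer_connections(log_text, ranges=ANONYMIZER_RANGES):
    """Return every log record whose destination is a denylisted relay."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_anonymizer(rec["dst"], ranges):
            hits.append(rec)
    return hits


def sources_over_threshold(hits, min_connections=2, min_bytes=100_000):
    """Aggregate hits per internal source and flag hosts that either contact
    relays repeatedly or push a large volume of data through them."""
    counts = Counter()
    volume = Counter()
    for rec in hits:
        src = str(rec["src"])
        counts[src] += 1
        volume[src] += rec["bytes"]
    return sorted(
        src for src in counts
        if counts[src] >= min_connections or volume[src] >= min_bytes
    )


if __name__ == "__main__":
    hits = find_anonymizer_connections(SAMPLE_LOGS)
    for rec in hits:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['port']} ({rec['bytes']} bytes)")
    print("hosts to triage:", sources_over_threshold(hits))
```

Matching on destination ranges alone will miss relays that are not yet in the feed and will not see traffic inside an encrypted tunnel, so in practice this check sits alongside egress filtering and proxy policy rather than replacing them; the per-host aggregation is what turns isolated matches into something an analyst can act on.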