VYPR
breachPublished Jul 7, 2026· 1 source

Spanish Police Arrest Alleged Pro-Russia Hacktivist Linked to CARR and NoName057(16)

Spanish police, acting on an FBI tip, have arrested a man suspected of coordinating cyberattacks for pro-Russia hacktivist groups like CARR and NoName057(16), which target critical national infrastructure.

Spanish authorities have apprehended an individual in Palencia, central Spain, who is believed to be closely associated with pro-Russia hacktivist collectives Cyber Army of Russia Reborn (CARR) and Z-Pentest. The arrest, which occurred in March but was only recently announced, is part of a broader effort to disrupt cyber threats targeting critical national infrastructure (CNI). The suspect is alleged to have provided support and coordinated activities for these groups, potentially acting on behalf of NoName057(16), another entity previously flagged by the UK's National Cyber Security Centre (NCSC) for its disruptive campaigns.

The NCSC had earlier this year warned about the escalating threat posed by these Russian-aligned hacktivist groups. While often characterized by relatively low-impact distributed denial-of-service (DDoS) attacks, the NCSC emphasized that such actions can still significantly disrupt essential services by overwhelming public-facing websites and online systems. This underscores the potential for even seemingly unsophisticated cyber operations to have tangible real-world consequences for citizens relying on these services.

Further complicating the landscape, US officials indicated in the months preceding this arrest that CARR was operating in coordination with, or receiving directives from, Russia's military intelligence agency, the GRU. This alleged link suggests a deeper integration between hacktivist elements and state-sponsored cyber operations, moving beyond mere ideological alignment to direct operational support.

The investigation gained momentum following an FBI tip-off to Spanish police in August 2025. The US federal agency alerted their Spanish counterparts to the suspect's alleged involvement in assisting a Ukrainian hacker, identified as a CARR member, in their escape from Ukraine to Russia via Poland and Belarus. The suspect reportedly provided crucial "logistical and support cover" to facilitate this movement.

Following the arrest, Spanish police seized computer equipment and cryptocurrency storage devices from the suspect's residence. A cryptocurrency wallet, believed to contain proceeds from cybercrime activities, was also frozen. Evidence gathered reportedly indicates close communication between the suspect and other members of these pro-Russia hacktivist organizations, suggesting a coordinated network of individuals involved in cyber operations.

The FBI's Cyber Division confirmed the arrest as part of its ongoing "Operation Red Circus," an initiative aimed at dismantling Russian state-sponsored cyber threats. The operation has previously seen joint advisories issued with international partners detailing the activities of pro-Russia hacktivist groups targeting sectors such as water, agriculture, and energy. The arrest of individuals involved in groups like CARR is a stated priority for Operation Red Circus, seeking to preempt and mitigate malicious cyber campaigns.

This development is part of a longer-term effort to track and apprehend individuals associated with pro-Russia hacktivist activities. CARR, in particular, has been active since 2022, initially focusing on low-level attacks in Ukraine following the Russian invasion. The US has previously identified key figures within CARR, including Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, and sanctioned them in connection with attacks on US and European water facilities. These attacks, which targeted SCADA systems and human-machine interfaces, were attributed by Mandiant to Russia's GRU, highlighting the blurred lines between state-sponsored espionage and hacktivist operations.

This case follows other recent international actions against individuals linked to similar hacktivist groups. Notably, Victoria Eduardovna Dubranova, a Ukrainian national accused of involvement with CARR and NoName057(16), was extradited to the US late last year. She faces charges related to attacks on water facilities and a meat processing plant in November 2024, which resulted in significant spoilage and an industrial ammonia leak.

Synthesized by Vypr AI