A joint operation between the National Police and the Civil Guard concluded in the arrest of a suspected cybercriminal in Calpe, Alicante. The individual, whose name has not been released but goes by the handle of Natohub on Breach Forums, is allegedly responsible for over 40 cyberattacks targeting public and private entities in Spain and internationally and compromising personal data and sensitive documents.
Among the Spanish government entities reportedly affected are the Civil Guard, the Ministries of Defence and Education, the National Currency and Timbre Factory, several Spanish universities and the Generalitat Valenciana, the governing body of the Valencian Community.
Internationally, databases belonging to NATO, the US Army, the United Nations, and the International Civil Aviation Organization (ICAO) were targeted.
ICAO publicly acknowledged the incident last month, after an account known as “Natohub” leaked information from the breach on the cybercriminal forum BreachForums, also claiming to possess the personal data of 14,000 UN delegates.
“The reported information security incident involves approximately 42,000 recruitment application data records from April 2016 to July 2024 claimed to be released by the threat actor known as Natohub,” ICAO confirmed.
According to the Spanish police’s official press release, the arrest took place after an extensive investigation into crimes involving the unauthorized access and disclosure of sensitive information, damage to computer systems, and money laundering.
The investigation began in February 2024 after a complaint from a Madrid business association that discovered their data published on a “specialized data leak forum.” Research revealed their website was compromised, data extracted, and the site defaced with a message claiming the hack. Eventually, investigators uncovered a pattern of cyberattacks occurring throughout 2024, culminating in late December, prompting the arrest.
“He attacked international agencies and governmental organizations by accessing databases with personal information from employees and clients, as well as internal documents that were subsequently sold or freely published in forums,” authorities noted.
Moreover, the individual used anonymous messaging apps and specialized navigation tools to create a complex technical network that made tracking a challenge for investigators.
Authorities seized computer equipment, an iPhone, and around 50 cryptocurrency accounts containing “different types of cryptoactive” from the suspect’s residence. Spanish news outlet Larazon reports that the suspect is 18 years old and was released after a court appearance on the condition of passport confiscation.
The National Cryptological Centre (CCN) of the National Intelligence Centre (CNI), the EUROPOL and the US Homeland Security Investigations (HSI) also assisted in this operation. This arrest is part of a larger effort by Spanish law enforcement to crack down on cybercrime, working with international agencies to dismantle cybercriminal operations originating within the country.
