Joint operation of the National Police and the Civil Guard press release:
The suspect, who claimed responsibility for the intrusions into dark web forums, managed to access the computer services of public and private entities, including the Civil Guard, the Ministry of Defense, the National Mint and Stamp Factory, the Ministry of Education, Vocational Training and Sports, the Generalitat Valenciana, various Spanish universities, databases of NATO and the US Army, as well as other international companies and entities.
During the search, the agents have seized cryptocurrencies and various computer material which is being analyzed by specialists, who do not rule out the clarification of other criminal acts.
05/02/25. Watch the video on the National Police’s X.com account.
Agents of the National Police, in a joint operation with the Civil Guard, arrested, last Tuesday in the town of Calpe (Alicante), a person for his alleged participation in the crimes of discovery and disclosure of secrets, illegal access to computer systems, computer damage and money laundering.
The detainee carried out multiple attacks on the IT services of national and international companies and entities, including public services and government agencies. He also claimed responsibility for the attacks on dark web forums under different pseudonyms to avoid being identified and linked to the criminal acts.
During the search of his home, multiple computer equipment was seized, which is being analysed by specialists and other similar events are not ruled out. In addition, the detainee had more than 50 cryptocurrency accounts with different types of cryptoassets, a significant fact of the extensive knowledge that the arrested man has of the blockchain world.
He changed his pseudonym frequently to avoid detection.
Following these events, and during 2024, various cyberattacks against other entities, public bodies and even Spanish universities took place. Subsequently, and using up to three different pseudonyms, he attacked international bodies and government-type organisations by accessing databases with personal information of employees and clients, as well as internal documents that were subsequently sold or freely published on forums.
Cyberattacks carried out against important institutions
The National Police began the investigation in February of last year following a complaint from a Madrid business association after detecting a post on a forum specialising in data leaks, where they claimed to be in possession of information from their website. After carrying out the first steps, the agents found that not only had data been extracted, but the portal had been defaced, displaying a message in which it could be read that the system had been hacked.
Following these events, and throughout 2024, the investigated actor carried out numerous cyberattacks, including the attack on the National Mint and Stamp Factory, the State Public Employment Service, the Ministry of Education, Vocational Training and Sports, various Spanish universities, as well as databases of NATO, the United States Army, the General Directorate of Traffic, the Generalitat Valenciana, the United Nations, the International Civil Aviation Organization, and his latest claimed attack, two databases of the Civil Guard and the Ministry of Defense.
This latest attack, carried out at the end of December 2024, led the Central Operational Unit of the Civil Guard to carry out an investigation and identify the same target as the perpetrator, with the operational exploitation being carried out jointly by both police forces.
Measures to hide navigation trails during attacks
The suspect, who had extensive knowledge of computers, had managed to set up a complex technological network through the use of anonymous messaging and browsing applications, through which he had managed to hide his tracks and thus make his identification difficult.
The operation, which was carried out jointly by agents of the National Police and the Civil Guard, had the decisive collaboration of the National Cryptologic Centre (CCN) of the National Intelligence Centre (CNI).
At the international level, there has been collaboration with EUROPOL and the Homeland Security Investigations (HSI) of the USA.
Update: See also Bleeping Computer’s coverage, as they identify the young hacker as having used the moniker “natohub” on BreachForums. That account has now been banned on BreachForums because “he can be fedded.” A post on BreachForums today called “LOCK4J (NATOHUB) ARRESTED BY THE SPANISH NATIONAL POLICE AND THE CIVIL GUARD” appears to have come under the control of law enforcement and claims:
Hi BF
The threat actor who controlled this profile lock4j (aka natohub / m1000 / dsf / gpt / skibiditoilet69) has been arrested in Alicante (SPAIN) by the Spanish National Police and the Civil Guard. Now, he will have to face justice for the cyberattacks carried out.The acts promoted in this forum are being investigated by law enforcement agencies, and engaging in them carries legal consequences. Law Enforcement Agencies worldwide work together in the pursuit of these activities.