Spanish police arrest suspected helper of pro-Russian hacking crews

The man in Palencia allegedly helped a Ukrainian hacker flee toward Russia and supported groups linked to attacks on U.S. water and energy sites.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial image, 16:9, full frame edge to edge
Share

Key points

  • Spain's National Police arrested a man in Palencia in March 2026 on suspicion of aiding pro-Russian hacking groups, acting on a tip from the FBI.
  • The suspect is accused of helping a Ukrainian hacker working for the CyberArmy of Russia Reborn (CARR) escape toward Russia via Poland and Belarus.
  • Investigators seized computers and cryptocurrency storage devices, and froze wallets said to hold money from sales of stolen data.
  • CARR has been tied to cyberattacks on water and food plants in the United States, and loosely linked to the Russian military hacking unit known as Sandworm.
  • Prosecutors are looking at charges including collaboration with a terrorist organisation, glorification of terrorism, and computer damage.

Spanish police have arrested a man they say worked as a fixer for pro-Russian hacking groups, including one crew accused of meddling with American water and energy systems.

The man lived in Palencia, a quiet city in northern Spain. Officers raided his home in March 2026, seizing laptops and hardware wallets used to store cryptocurrency. They also froze digital wallets that, according to investigators, held proceeds from selling stolen data.

The arrest was first reported by BleepingComputer.

Who are these hacking groups?

The suspect is accused of supporting the CyberArmy of Russia Reborn, known as CARR, and a related crew called Z-Pentest. Both call themselves hacktivists, meaning hackers who claim to act for a political cause rather than for money.

In practice, CARR has done real damage. A recent U.S. indictment of another alleged member, Victoria Eduardovna Dubranova, said the group attacked water utilities and food-processing plants inside the United States. That is the kind of intrusion that can put tap water or food safety at risk, not just deface a website.

The U.S. government has already sanctioned two other suspected CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko. They were linked to attacks on the control systems of an American energy company. Those control systems, called SCADA, are the computers that open valves, run pumps and keep the lights on.

Security researchers have also loosely tied CARR to APT44, better known as Sandworm. That is a hacking unit inside Russian military intelligence with a long track record of destructive attacks. Sandworm has a habit of hiding behind hacktivist front groups, which makes the CARR connection notable rather than surprising.

What did the arrested man actually do?

According to the Spanish police, the suspect gave logistical and operational help to a Ukrainian hacker who was working for CARR. He allegedly tried to arrange that hacker's escape route to Russia, running through Poland and Belarus.

Police say he used several encrypted messaging apps to stay in touch with other members and coordinate their work. Investigators also say he took part in actions credited to another pro-Russian group, NoName057(16), which is best known for knocking European government websites offline with floods of junk traffic.

Those operations, the police statement says, were later bragged about on pro-Russian websites to push anti-Western talking points.

Should ordinary people be worried?

Not directly, but the case is a reminder that "hacktivism" is not always harmless graffiti. When a group is poking at the software that runs a water plant, the risk is physical, not just digital.

The FBI passed information to Spanish police in August 2025, and the investigation ran for around seven months before the raid. No formal charges have been filed yet. Prosecutors are weighing accusations of membership in a terrorist organisation, glorification of terrorism, and computer damage under Spanish law.

For now, the suspect is under investigation while officers pick through his seized devices. Expect more names to surface. Groups like CARR rarely run on one person, and arrests of the support crew tend to shake loose the operators.

© 2026 Threat Vectr