Spain Police Arrests Suspect in Massive Doxing Campaign Against State Officials

Written by: Lore Apostol, Cybersecurity Writer
Key Takeaways
  • Targeted Doxing Operation: The Spanish National Police arrested an individual for leaking sensitive data from critical government organizations.
  • National Security Risk: The compromised information exposed personnel from entities including the Civil Guard and the National Security Council.
  • Forensic Investigation Ongoing: Authorities seized electronic devices to identify additional participants linked to the threat group.

The Spanish National Police arrested an individual for leaking sensitive information related to members of key state organizations, including the National Cybersecurity Institute (INCIBE). Authorities stated the massive leak posed national security risks because of the specific people exposed. 

The published data included information from the State Attorney General's Office, INCIBE, the National Police, the Civil Guard, and the National Security Council.

After identifying and locating the suspect, police raided the residence and seized computers and other electronic devices to extract technical forensic evidence. The investigation, overseen by Madrid Investigative Court No. 22, began after authorities detected the mass dissemination of the sensitive data. 

The operation culminated on Wednesday, May 27, with the arrest and the home search. It is not yet known whether the doxing suspect is the same person behind the intrusion.

Law enforcement officials are actively examining the seized devices for evidence of additional participants and note that more arrests may follow. “The operation remains open with the aim of clarifying the possible involvement of other individuals and completely dismantling the network of profiles implicated in this campaign of targeting and threats,” the Spanish police press release said.

Data Aggregation and Threat Actors

In February, INCIBE stated that there was no direct compromise of its systems. The institute described the incident as a targeted collection and publication of data affecting key entities and employees. 

Potential sources for this information included older breaches, credential dumps, and OSINT tools. Because the data was aggregated from various sources, some records reportedly contained outdated information and the names of former employees.

In March, hackers using the PoliceEspDoxedBF alias posted the data on a BreachForums iteration. In the same month, the personal data of hundreds of Spanish judges and prosecutors was published on Doxbin, and another account leaked the alleged personal data of three senior officials from Spain’s Ministry of Transport after the Adamuz train crash.

In October 2025, the Qilin hacking group claimed to have breached the Agencia Tributaria.

