Spanish Authorities Arrest Alleged Associate of Pro-Russia Hacktivist Groups Following FBI Tip
In a significant development concerning cybersecurity, Spanish police have arrested a man in Palencia, Spain, under allegations of involvement in pro-Russia hacktivist organizations. Spanish authorities identified the suspect as a close affiliate of several notorious cyber groups, including the Cyber Army of Russia Reborn (CARR), Z-Pentest, and NoName057(16), which are known for their malicious cyber activities geared towards advancing Russian interests.
The arrest, which took place in March 2026, came as a direct result of actionable intelligence received from the Federal Bureau of Investigation (FBI). The U.S. agency had been monitoring the suspect’s activities, particularly noting his logistical connection to CARR. This intelligence suggested that the individual provided support to a planned escape of one of CARR’s associates from Ukraine to Russia, traversing through Poland and Belarus.
According to reports from the Spanish Interior Ministry, the man now faces several grave charges, including membership in a terrorist organization, glorification of terrorism, and a range of computer-related offenses. These allegations underscore the serious nature of the activities conducted by individuals affiliated with such hacktivist groups, which are reportedly funded and supported by the Russian government.
CARR, along with its offshoot Z-Pentest, has been implicated in various cyberattacks on critical infrastructure in the United States. These attacks typically take the form of Distributed Denial of Service (DDoS) assaults aimed at U.S. government agencies and essential facilities. Experts believe that these hacktivist factions pose a significant threat to national security, particularly when they operate with the backing of foreign intelligence services.
Federal prosecutor Bill Essayli articulated the concern over politically motivated hacktivism, stating that both state-sponsored groups like CARR and state-sanctioned organizations like NoName057(16) play dangerous roles in the contemporary cyber threat landscape. He remarked that when foreign entities employ civilians to mask their espionage and cyber attacks, it creates additional challenges for national security efforts aimed at protecting vital infrastructure.
The investigation into the arrested suspect gained traction in August 2025, as the FBI developed evidence linking him to CARR’s operational planning. His role involved not just logistics but also coordination and support for operations that would later be claimed by these hacktivist groups on their various online platforms. Such operations weave narratives that promote pro-Russian and anti-Western sentiments, further complicating the geopolitical landscape.
In a concerted effort to disrupt Russian state-sponsored cyber activities, the FBI initiated Operation Red Circus, targeting groups like CARR that have orchestrated opportunistic attacks on critical infrastructures, including the water, agriculture, and energy sectors. The stated mission of Operation Red Circus revolves around mitigating risks related to planned malicious cyber campaigns by actively seeking arrest warrants for individuals associated with hacktivist organizations.
Spanish police conducted a thorough search of the suspect’s residence, confiscating computer equipment and hardware used for cryptocurrency storage. They also froze a cryptocurrency wallet suspected to receive financial proceeds linked to his illegal activities. This action highlights the ongoing intersection between cybercrime and cryptocurrency, which hackers frequently exploit for financial gain.
CARR has been notorious for its high-profile attacks, with notable victims including water utilities in Texas, a meat processing facility in Los Angeles, a Polish wastewater treatment plant, and even a French water mill.
The ramifications of such cyber-enabled actions have not gone unnoticed by U.S. authorities. In July 2024, leaders of CARR, specifically Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, were sanctioned by the U.S. Department of the Treasury for their roles in these cyber operations. Additionally, in 2025, a Ukrainian national named Victoria Eduardovna Dubranova was extradited to the United States and indicted for her involvement in operations related to CARR and NoName057(16).
The U.S. Department of State has also responded proactively by offering substantial rewards for actionable intelligence regarding CARR and Z-Pentest, as well as NoName057(16). These rewards reflect a commitment to counter the growing threats posed by such hacktivist groups, highlighting the international effort to combat cybercrime that transcends national borders.
The arrest of the suspect underscores ongoing tensions in the cyber realm, aligning with broader narratives on national security and the impact of state-sponsored hacking on global stability. As cyber threats continue to evolve, the collaboration between nations becomes increasingly vital in addressing these challenges effectively.

