Full Report
Authorities didn’t name the man or file formal charges, but accuse him of participating in attacks linked to Cyber Army of Russia Reborn and NoName. The post Spain arrests suspected hacker linked to Russian hacktivist campaign appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Cyber Army of Russia Reborn (CARR) & NoName057(16)
## Attribution & Identity
* **Actor Name:** Cyber Army of Russia Reborn (CARR)
* **Aliases:** Z-Pentest
* **Associated Groups:** NoName057(16) (often referred to as NoName)
* **Identification:** Russian state-sponsored hacktivist groups.
* **Key Individuals:**
* **Yuliya Vladimirovna Pankratova:** Alleged leader and primary hacker (Sanctioned).
* **Denis Olegovich Degtyarenko:** Primary hacker (Sanctioned).
* **Victoria Eduardovna Dubranova:** Ukrainian national and group participant (Indicted/Convicted).
* **Unnamed Suspect:** A man arrested in Palencia, Spain (March 2026) for providing logistical support and participating in campaigns.
## Activity Summary
The groups have been active since at least 2022, operating as pro-Russian hacktivist fronts. Recent operations involve high-profile attacks against critical infrastructure in the U.S. and Europe. In 2025 and 2026, international law enforcement (notably the FBI and Spanish National Police under "Operation Riptide") successfully targeted the groups' logistics and financial networks, leading to the arrest of a facilitator in Spain who assisted members in fleeing to Russia.
## Tactics, Techniques & Procedures
* **Distributed Denial of Service (DDoS):** Primary method used by NoName057(16) to disrupt Western services.
* **Critical Infrastructure Intrusion:** Direct attacks on industrial control systems (e.g., water systems).
* **Influence Operations:** Spreading pro-Russian and anti-Western narratives via "specialized portals" and social media.
* **Logistical Support:** Use of cross-border transit (Poland and Belarus) to exfiltrate members to Russia.
* **Financial Operations:** Use of cryptocurrency for payments and illicit financial networking.
* **MITRE ATT&CK IDs (Inferred):**
* **T1498:** Network Denial of Service
* **T0884:** Connection Request Filter (Specific to ICS/Water systems context)
* **T1583.003:** Stealing/Purchasing Virtual Private Servers (Logistical support)
## Targeting
* **Sectors:** Critical Infrastructure (Water systems, Meat plants), Government, Financial Networks.
* **Geography:** United States, Europe (specifically Spain), Ukraine.
* **Victims:** Various critical infrastructure providers and Western entities opposing Russian interests.
## Tools & Infrastructure
* **Hardware:** Seized computers and cryptocurrency storage devices (hardware wallets).
* **Financial Infrastructure:** Cryptocurrency wallets used for receiving criminal payments.
* **Infrastructure:** Global financial networks used for fraud and money laundering.
## Implications
CARR and NoName represent a blurring of the line between independent hacktivism and state-sponsored operations. Their ability to target physical infrastructure (water and food supply) indicates a high-risk threshold. The groups serve as a mechanism for Russia to conduct deniable disruptive operations while simultaneously running propaganda campaigns. This arrest highlights increasing trans-Atlantic cooperation (FBI/Europol/Spanish Police) in tracking the physical logistics and financial "exit ramps" used by these cyber actors.
## Mitigations
* **DDoS Protection:** Implement robust rate-limiting and cloud-based scrubbing services to mitigate NoName057(16) style attacks.
* **OT/ICS Hardening:** Secure industrial control systems with air-gapping where possible and strict identity and access management (IAM) for critical infrastructure.
* **Cryptocurrency Monitoring:** Financial institutions should flag and monitor North-bound or Russia-linked crypto-wallets associated with known hacktivist indicators.
* **Inter-agency Cooperation:** Continue intelligence sharing via CISA and FBI advisories (e.g., AA25-343A) regarding pro-Russian hacktivist TTPs.