Spain Arrests Four Suspected Anonymous Hackers Over DDoS Attacks Protesting Flood Response

Spanish police arrested four individuals identifying as members of hacktivist group Anonymous Fénix last week, accusing them of orchestrating distributed denial-of-service (DDoS) attacks against government ministries and public institutions. The arrests cap a year-long investigation stemming from attacks that protested authorities' handling of the catastrophic 2024 DANA floods that killed 229 people in Valencia.

Guardia Civil officers apprehended two "most active members" in Ibiza and Móstoles, adding to two group leaders arrested in Madrid and Asturias in May 2025. According to court documents, the suspects allegedly targeted Spanish government websites and political parties, claiming these entities were "responsible for the tragedy" through inadequate disaster preparedness and response.

The 2024 DANA floods resulted from isolated high-altitude depressions causing unprecedented rainfall. Beyond the staggering death toll, psychological studies indicate approximately 30% of Valencia's children now exhibit trauma symptoms during rainstorms. This lingering public trauma fueled widespread criticism of Spain's crisis management systems.

Investigators obtained court orders to seize Anonymous Fénix's social media accounts, including their X profile and YouTube channel, while authorities proactively shut down their Telegram presence. Forensic analysis revealed the group operated with surprisingly limited reach—their X account had under 700 followers, and Telegram subscribers numbered in the dozens according to El País. Despite this modest infrastructure, Guardia Civil confirmed several successful DDoS disruptions against government web services.

Legal experts note these actions violate multiple layers of Spanish and EU legislation:

1. EU NIS Directive: Mandates operational resilience for critical infrastructure operators
2. Spanish Penal Code Article 197: Criminalizes unauthorized system access and disruption
3. GDPR Articles 32/33: Requires protection against availability attacks impacting personal data systems

While no personal data breaches were reported, successful DDoS attacks against public services could trigger GDPR violation fines up to €10 million or 2% of global revenue if investigations prove systemic security failures. The incidents also highlight tensions between hacktivism and lawful protest channels, with cybersecurity professor Elena Rodríguez stating: "DDoS attacks inevitably harm citizens relying on digital services—they're digital vandalism that undermines legitimate grievances about disaster response."

The case signals Spain's hardening stance against hacktivism following Anonymous' historical operations against corporations like PayPal and Sony. With Anonymous Fénix's infrastructure dismantled, authorities will likely pursue charges carrying 3-5 year prison terms under Spain's cybercrime laws. Meanwhile, Valencia continues implementing flood prevention upgrades recommended in post-disaster audits, including sensor-based early warning systems and reinforced drainage infrastructure.