Spanish authorities have arrested four alleged members of 'Anonymous Fénix' for conducting DDoS attacks against government ministries and public institutions, with activity peaking after Valencia's flash floods.
Spanish authorities have arrested four alleged members of a hacktivist group believed to have carried out cyberattacks targeting government ministries, political parties, and various public institutions. The group, which called itself "Anonymous Fénix" and claimed they were affiliated with the Anonymous hacker collective, conducted distributed denial-of-service (DDoS) attacks against targets in Spain and several South American countries, according to the Spanish Civil Guard.
From April 2023 to February 2026
The first attacks occurred in April 2023 and peaked after the flash floods that struck Valencia in late October 2024, when the group's members attacked multiple government websites, claiming Spanish authorities were responsible for the deaths and destruction caused by the storm. Anonymous Fénix also used X and Telegram to spread anti-government messaging and recruit volunteers for its campaigns.
"From September 2024 they increased their activity and initiated a campaign of recruitment of volunteers with the aim of perpetrating cyberattacks against relevant domains," the Spanish Civil Guard said over the weekend. "They reached their peak after the DANA of Valencia when they managed to successfully attack different websites of the Public Administration, justifying that they were 'the responsible for the tragedy.'"
The arrests
The Civil Guard arrested the group's administrator and moderator in May 2025, in Alcalá de Henares, near Madrid, and Oviedo, in the northern region of Asturias. After analyzing the evidence collected following those arrests, investigators identified two additional members of the group as its most active operatives, who were arrested earlier this month in Ibiza and Móstoles, near Madrid.
Following the arrests, Spanish courts also ordered the seizure of the group's accounts on X and YouTube and ordered the closure of its Telegram channel. No details on specific charges or potential penalties were provided in the Civil Guard's announcement.
Context and recent trends
In recent months, Spanish authorities have been actively pursuing various cybercriminal groups. In December 2024, Spanish authorities detained a 19-year-old suspect in Barcelona for allegedly breaching nine companies. Earlier in 2024, they dismantled the "GXC Team" crime-as-a-service (CaaS) platform that pushed AI-powered phishing kits, Android malware, and voice-scam tools.
More recently, in January, the Spanish National Police arrested 34 suspects linked to a criminal network involved in cyber fraud and believed to be connected to the Black Axe crime ring.
These arrests highlight the growing sophistication of hacktivist operations and the challenges law enforcement faces in tracking decentralized groups that leverage social media for recruitment and coordination. The case also demonstrates how real-world events, such as natural disasters, can be exploited by hacktivist groups to justify their activities and recruit new members.
The Anonymous Fénix case is particularly notable because it shows how hacktivist groups have evolved their tactics, moving from simple DDoS attacks to more complex operations involving social media manipulation, volunteer recruitment, and strategic timing of attacks to maximize impact and media attention.
Comments
Please log in or register to join the discussion