Spain’s National Police arrested a suspect accused of aggregating and publishing personal data of officials from INCIBE, the State Attorney General’s Office, the National Police, the Civil Guard and the National Security Council. Authorities seized devices, began forensic analysis, and warned that the breach likely stemmed from older leaks and open‑source intelligence tools.
Spanish Police Arrest Doxer Behind Massive Leak of Government Employee Data

On May 27, the Spanish National Police detained a suspect linked to a large‑scale doxing campaign that exposed personal details of employees across several critical state bodies, including the National Cybersecurity Institute (INCIBE), the State Attorney General’s Office, the National Police, the Civil Guard and the National Security Council. The operation, dubbed Police‑ESP‑Doxed on the underground forum BreachForum, culminated in a coordinated raid that seized laptops, external drives and a range of networking equipment.
What was leaked and why it matters
The published dossiers contained full names, national ID numbers (DNI), personal mobile numbers, and professional email addresses. In some cases the data included outdated records—employees who left INCIBE years ago—suggesting the attacker compiled information from multiple sources over time. While the leak did not appear to stem from a direct compromise of INCIBE’s internal systems, the aggregation of publicly available breach dumps, credential leaks and OSINT tools created a curated set that posed a real risk to personal safety and to the integrity of the institutions involved.
The exposure of judges, prosecutors and senior security officials raises concerns about potential intimidation, blackmail or targeted phishing attacks. "When personal identifiers are combined with official contact channels, the attack surface expands dramatically," warns Dr. Marta Fernández, senior security analyst at the European Union Agency for Cybersecurity (ENISA). "Even stale data can be weaponized if an adversary can link it to current roles or recent activities."
How the investigation unfolded
The investigation was overseen by Madrid Investigative Court No. 22. According to the police press release, the operation began after analysts detected a sudden surge of data uploads on the public paste site Doxbin in early May. The uploads included hundreds of records that matched employee lists previously seen in breach dumps from 2022‑2024.
Key steps in the response:
- Rapid attribution – Law‑enforcement cyber‑units cross‑referenced file hashes with known breach repositories and identified a recurring uploader handle, "Police‑ESP‑Doxed."
- Targeted surveillance – Using metadata from the paste uploads and traffic logs from the forum, investigators narrowed the suspect’s IP range to a residential address in Madrid.
- Coordinated raid – On May 27, a tactical team executed a search warrant, confiscating two laptops, three external SSDs, a Raspberry Pi used for automated scraping, and a collection of encrypted USB sticks.
- Forensic triage – The seized devices are now undergoing forensic analysis, including timeline reconstruction, at the National Police’s Digital Forensics Lab.
Technical takeaways for security teams
The Spanish case underscores several practical lessons for organizations handling sensitive employee data:
1. Treat historical breach data as an active threat
Even if a breach occurred years ago, the leaked information can be repurposed. Maintain an inventory of all past incidents and regularly audit whether exposed fields (names, IDs, phone numbers) appear in any new threat‑intel feeds.
2. Harden public‑facing directories
Limit the amount of personal data displayed on staff directories. Use role‑based access controls (RBAC) to ensure only authenticated users can view contact details, and consider masking DNI numbers unless absolutely required.
3. Deploy data‑loss‑prevention (DLP) that scans outbound traffic
Modern DLP solutions can flag bulk uploads of CSV or JSON files containing personal identifiers. Content inspection only works on data the DLP can actually read, so configure rules that decompress common archive formats before scanning, and pair them with volume‑ and destination‑based alerts for large opaque (encrypted or unrecognised) outbound transfers whose content cannot be inspected.
4. Monitor underground forums and paste sites
Automated OSINT feeds from platforms like BreachForum, Doxbin and similar sites can provide early warning of emerging dumps. OSINT frameworks such as SpiderFoot, or a commercial threat‑intelligence service, can be scheduled to pull new entries matching your organization’s domains, staff names or identifier patterns.
5. Conduct regular phishing simulations using realistic data
If attackers already possess employee names and phone numbers, they can craft highly convincing spear‑phishing messages. Simulated campaigns that incorporate real‑world data help gauge user resilience and refine detection rules.
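The following is an added example written for this article; it is not code from the original page, from INCIBE or from the Spanish police. It covers takeaways 1 to 4 with one shared helper: a scanner that pulls Spanish identifiers (DNI, mobile number, e‑mail) out of text and discards DNIs whose control letter does not check out. The scanner is used to match a newly published dump against an internal roster so that records of current and former staff are both flagged, and as an outbound DLP rule that inflates gzip uploads before inspecting them and falls back to an entropy heuristic when the content is not readable. The roster, the dump, the opaque blob and the thresholds are constructed sample data, and the DNI control‑letter table is the official one (letter = table[number mod 23]).

```python
"""Added example (not from the article): triage a leaked dump of Spanish
identifiers and reuse the same scanner as an outbound DLP rule.
All sample data below is constructed."""
import gzip
import hashlib
import math
import re
from dataclasses import dataclass

DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"  # official table: letter = table[number % 23]
DNI_RE = re.compile(r"\b(\d{8})[-\s]?([A-Za-z])\b")
# Spanish mobiles start with 6 or 7 (8/9 are landlines); optional +34 prefix and separators
PHONE_RE = re.compile(r"(?<!\d)(?:\+34[-\s]?)?([6-9]\d{2})[-\s]?(\d{3})[-\s]?(\d{3})(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def dni_is_valid(number: str, letter: str) -> bool:
    """Control-letter check: filters mistyped or fabricated DNIs out of a dump."""
    return DNI_LETTERS[int(number) % 23] == letter.upper()


def find_identifiers(text: str) -> tuple[set[str], set[str], set[str]]:
    """Distinct valid DNIs, normalised mobile numbers and lower-cased e-mails in text."""
    dnis = {n + l.upper() for n, l in DNI_RE.findall(text) if dni_is_valid(n, l)}
    phones = {"".join(groups) for groups in PHONE_RE.findall(text)}
    emails = {e.lower() for e in EMAIL_RE.findall(text)}
    return dnis, phones, emails


def mask_dni(dni: str) -> str:
    """Directory display form (takeaway 2): keep only the last three digits and the letter."""
    return "*" * (len(dni) - 4) + dni[-4:]


@dataclass(frozen=True)
class Employee:
    name: str
    dni: str
    email: str
    active: bool  # False = left the organisation; the record is still a risk


def match_roster(dump_text: str, roster: list[Employee]) -> list[tuple[str, str]]:
    """(name, 'current'|'former') for every roster entry whose DNI or e-mail is in the dump."""
    dnis, _phones, emails = find_identifiers(dump_text)
    return [(e.name, "current" if e.active else "former")
            for e in roster if e.dni in dnis or e.email.lower() in emails]


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def dlp_verdict(payload: bytes, max_identifiers: int = 5, min_opaque_size: int = 2048) -> dict:
    """Outbound DLP rule (takeaway 3). 'block': bulk identifiers found; 'review': large
    opaque blob the rule cannot read (encrypted or unknown packing), to be judged on
    volume and destination instead of content; 'allow': nothing bulk found."""
    decompressed = False
    if payload[:2] == b"\x1f\x8b":  # gzip magic: inspect the inflated content, not the wrapper
        try:
            payload = gzip.decompress(payload)
            decompressed = True
        except OSError:
            pass
    if len(payload) >= min_opaque_size and shannon_entropy(payload) > 7.5:
        return {"verdict": "review", "identifiers": 0, "decompressed": decompressed,
                "reason": "high-entropy opaque payload, content not inspectable"}
    dnis, phones, emails = find_identifiers(payload.decode("utf-8", "replace"))
    found = len(dnis) + len(phones) + len(emails)
    return {"verdict": "block" if found >= max_identifiers else "allow", "identifiers": found,
            "decompressed": decompressed, "reason": f"{found} distinct identifiers"}


# Constructed dump: 12345678Z and 87654321X carry correct control letters,
# 12345678A does not and is dropped as noise.
SAMPLE_DUMP = """name,dni,phone,email
Ana Pérez,12345678Z,612 345 678,ana.perez@example.gob.es
Luis Gómez,87654321X,+34 698765432,luis.gomez@example.gob.es
Typo Row,12345678A,555 123 456,noise@example.net
"""
SAMPLE_DUMP_GZ = gzip.compress(SAMPLE_DUMP.encode())
SAMPLE_ROSTER = [  # constructed roster; Luis left years ago, as in the INCIBE records
    Employee("Ana Pérez", "12345678Z", "ana.perez@example.gob.es", active=True),
    Employee("Luis Gómez", "87654321X", "luis.gomez@example.gob.es", active=False),
    Employee("Carmen Ruiz", "11111111H", "carmen.ruiz@example.gob.es", active=True),
]
# Stand-in for an encrypted upload: 8 KiB of deterministic pseudo-random bytes
OPAQUE_BLOB = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(256))

if __name__ == "__main__":
    print(match_roster(SAMPLE_DUMP, SAMPLE_ROSTER))
    for blob in (SAMPLE_DUMP.encode(), SAMPLE_DUMP_GZ, OPAQUE_BLOB):
        print(dlp_verdict(blob))
```

Two design points: the control‑letter check matters because aggregated dumps mix real records with typos and filler, and counting only valid DNIs keeps the DLP threshold from firing on junk; and the entropy branch deliberately does not try to read encrypted content, it routes the transfer to review so that a policy based on size and destination decides, which is the only honest answer a DLP can give for data it cannot inspect.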
What’s next for the investigation?
Police have indicated that the seized devices may reveal additional participants or even a broader supply chain of data brokers. "We are looking for evidence of automated scrapers, credential‑stealing scripts, and any links to foreign intelligence services," said Inspector Luis Ortega, spokesperson for the National Police Cyber Division.
The investigation remains open, and authorities have warned that further arrests are possible as forensic analysis progresses. Meanwhile, INCIBE continues to advise all public sector employees to update passwords, enable multi‑factor authentication, and report any suspicious contact attempts.
Practical steps for affected agencies
- Immediate password rotation for all accounts listed in the leak.
- Enable MFA on email, VPN and privileged access portals.
- Review and purge legacy accounts that no longer belong to current staff.
- Deploy threat‑intel feeds that flag known compromised credentials associated with the leaked usernames.
- Educate staff on the dangers of oversharing personal details on social media platforms like LinkedIn and Facebook.
The Spanish doxing incident is a reminder that the battle for data privacy extends beyond the moment of a breach. By treating historical leaks as living threats and tightening both technical and procedural controls, organizations can reduce the risk that a scraped spreadsheet becomes a weapon in the hands of a determined adversary.

Source: KELA
