The people who keep the pro-Russian hacktivist machine running are starting to get names attached to them. Spain’s national police, acting on a tip from the FBI, have arrested a man at his home in Palencia accused of providing logistical and operational support to some of the most active pro-Russia hacktivist crews on the internet — the Cyber Army of Russia Reborn (CARR), also known as Z-Pentest, along with the DDoS collective NoName057(16).
The arrest is part of Operation Riptide, an international effort to disrupt malicious cyber activity and hold its enablers accountable. Though Spanish authorities announced it in July 2026, the arrest itself took place back in March, following an investigation that a August 2025 FBI tip set in motion.
Not the Hacker — the Fixer
What makes this case distinct is who was arrested. The suspect is not accused of personally breaching a water plant or knocking a government site offline. He is accused of being the support layer — the person who kept an operator functioning.
According to investigators, the man provided logistical and operational backing to a Ukrainian hacker working for CARR, and — most strikingly — allegedly tried to help that hacker escape to Russia via a route through Poland and Belarus. He used various encrypted messaging apps to stay in contact with other members, coordinating activity and providing support for their operations.
That is a meaningful shift in enforcement focus. Hacktivist groups are resilient precisely because they are diffuse — a rotating cast of volunteers, fixers, and coordinators rather than a fixed org chart. Arresting the person who arranges travel, handles logistics, and keeps the encrypted channels running strikes at the connective tissue that lets these crews persist, much as the indictment of bulletproof-hosting operators targets the infrastructure layer rather than any single gang.
Who CARR, Z-Pentest, and NoName Are
The groups the suspect allegedly supported are not nuisance-level defacers. CARR and Z-Pentest have been linked to attacks on critical infrastructure in the U.S. and Europe, including intrusions against water and food-processing facilities and the SCADA systems of an American energy firm. NoName057(16) is the DDoS workhorse of the pro-Russian scene, hammering European government and transport sites in retaliation for support of Ukraine.
This is the same threat category Breached has tracked across a widening European front: Russia’s suspected manipulation of physical surveillance cameras to map NATO logistics in the Netherlands, the destructive water-utility attack Denmark attributed to Russian state actors, and the case of the Ukrainian woman recruited to sabotage children’s water parks and critical infrastructure for Russia. The line between “hacktivist” and “state proxy” in this ecosystem is deliberately blurry — nominally independent volunteers pursuing objectives that align neatly with Moscow’s, often with a tolerance from Russian authorities that looks a lot like sponsorship. It is the same edge-device-and-infrastructure targeting that Russia’s Sandworm has industrialized.
The FBI Tip and the Transnational Assist
The mechanics matter. An FBI tip in August 2025 triggered a Spanish investigation that produced a March 2026 arrest, announced publicly in July under a named international operation. That chain — U.S. intelligence, European police action, coordinated disclosure — is the model Western agencies increasingly use against actors they cannot reach directly inside Russia.
It is the same cross-border pattern behind Spain’s recent dismantling of a €140 million BEC fraud ring and behind the Dutch FIOD’s seizure of Stark Industries’ bulletproof servers. When the principals sit safely in Moscow, law enforcement goes after the reachable periphery: the fixers, the hosts, the money mules, the coordinators who make the occasional mistake of living somewhere with an extradition treaty.
Why Support Roles Are the Right Target
A single fixer’s arrest will not stop CARR, Z-Pentest, or NoName. But the strategic logic is sound. Hacktivist collectives survive on the assumption that everyone in the network is anonymous and untouchable. Every arrest of a coordinator or enabler erodes that assumption, forces operational-security overhead onto the survivors, and — as the alleged Poland-Belarus escape plan shows — closes exfiltration routes that operators rely on when the heat rises.
The people who point the DDoS cannons and probe the SCADA systems get the headlines. The people who arrange their logistics, hold their encrypted address books, and plan their escapes keep them in business. Operation Riptide’s bet is that arresting the second group is how you eventually reach the first.
Sources
- The Record — Spain arrests alleged supporter of pro-Russian hacktivist groups after FBI tip
- BleepingComputer — Spain arrests suspected member of pro-Russian hacktivist groups
- CyberScoop — Spain arrests suspected hacker linked to Russian hacktivist campaign
- The Register — Spain collars alleged pro-Russia hacktivist after FBI tip-off
- Security Affairs — Spanish Police Arrest Man Linked to CARR, Z-Pentest, and NoName057(16)



