Spanish Cyberterrorism: 19-Year-Old Student Arrested for Massive Political Data Leak Targeting Prime Minister Pedro Sánchez

Breached Company

Breached Company

9 min read
Spanish Cyberterrorism: 19-Year-Old Student Arrested for Massive Political Data Leak Targeting Prime Minister Pedro Sánchez
Photo by Sam Williams / Unsplash

How a computer science student from Gran Canaria orchestrated one of Spain's most significant political data breaches from his parents' home, exposing thousands of high-profile figures in what authorities are calling an act of cyberterrorism

Breaking News: Unprecedented Political Data Leak Rocks Spain

In a dramatic turn of events that has sent shockwaves through Spanish political circles, authorities have arrested a 19-year-old computer science student for orchestrating what investigators are calling one of the most significant acts of cyberterrorism in modern Spanish history. The case, which targeted Spain's highest political figures including Prime Minister Pedro Sánchez, represents a new level of domestic cyber threats against democratic institutions.

Spanish police arrested Yoel O.Q., a 19-year-old computer science student, in Arinaga (Gran Canaria) for allegedly orchestrating a major data leak involving personal information of Prime Minister Pedro Sánchez, several government ministers, journalists, and individuals involved in the Cerdán case. The attack, considered an act of cyberterrorism, was conducted from his parents' home and faces charges of terrorism, terrorist threats, cyberterrorism with intent to destabilize, and coercion of state institutions.

The Scope of the Attack: A Systematic Targeting Campaign

Initial Discovery and Investigation

Spain's Audiencia Nacional launched an investigation into a large-scale data leak targeting high-level Spanish political figures as a possible act of cyberterrorism. The leaked data, which includes personal information such as national ID numbers, addresses, phone numbers, and emails, was posted in at least two Telegram channels over several days in June 2025.

The Three-Wave Attack Pattern

The cyberterrorism operation unfolded in a calculated three-wave pattern:

Wave 1 - Cabinet Ministers and Leadership: The attackers published data on Prime Minister Pedro Sánchez, nine ministers, regional leaders, the president of Congress, and former officials from Partido Popular (PP) and Podemos parties. This initial leak targeted approximately 300 individuals and set the stage for the broader campaign.

Wave 2 - Political Expansion: The second wave expanded to include regional leaders and other political figures, demonstrating the systematic nature of the attack and the extensive database the perpetrators had compiled.

Wave 3 - Mass Political Targeting: The final wave included 3,000 additional individuals, specifically targeting thousands of PSOE (Spanish Socialist Workers' Party) and Podemos affiliates, indicating a comprehensive assault on Spain's center-left political ecosystem.

High-Profile Victims

The victims include some of Spain's most prominent political figures:

  • Prime Minister Pedro Sánchez - Complete personal information exposed
  • Nine Current Ministers - Including sensitive contact details
  • Francina Armengol - President of the Congress of Deputies
  • Salvador Illa - President of the Generalitat of Catalonia
  • Yolanda Díaz - Second Vice President and Minister of Labor
  • Félix Bolaños - Minister of the Presidency and Justice
  • Regional Leaders and Former Officials - From multiple political parties
  • Journalists and Media Figures - Expanding beyond political targets

The Perpetrators: Young Extremists Operating from Home

Primary Suspect Profile

Yoel O.Q., the main suspect, was detained at his parents' home on the island of Gran Canaria. Contrary to expectations of a sophisticated cyber criminal network, investigators discovered that this devastating attack was orchestrated by a 19-year-old computer science student living with his family in the Cruce de Arinaga neighborhood.

The Accomplice Network

A second suspect, Cristian Ezequiel S.M., was also arrested as an alleged accomplice. According to investigation sources, he was aware of Yoel's activities and participated in some capacity in the cyberterrorism operation.

Ideological Motivation

Both suspects were reportedly active participants in far-right online communities and operated within ultra-ideology chat groups. The leaked data was accompanied by hashtags including #noalacorrupcion (no to corruption), #españalibre (free Spain), and #sanchezdimision (Sánchez resignation), reflecting clear anti-government sentiment and political motivation.

Global Cybercrime Crackdown: Major Law Enforcement Operations of 2024-2025
As digital crime continues to evolve in sophistication and scale, international law enforcement agencies have responded with increasingly coordinated global operations. These efforts have resulted in significant arrests, infrastructure takedowns, and the disruption of major cybercriminal networks. The period of 2024-2025 has seen some of the most impactful cybercrime operations
Breached CompanyBreached Company

Technical Analysis: Low-Tech Approach, High-Impact Results

The Paradox of Simplicity

One of the most striking aspects of this case is that Yoel O.Q. did not fit the typical profile of a professional hacker. According to investigators, he was not an expert hacker dedicated to infiltrating networks with maximum security, yet he managed to compile and leak sensitive personal data of thousands of high-profile individuals.

Distribution Method: Telegram Channels

The attackers used Telegram channels as their primary distribution method, utilizing usernames like @akkaspace and @Pakito to post the sensitive information. This choice of platform indicates an understanding of both reach and the relative anonymity that encrypted messaging platforms can provide.

Data Types Compromised

The leaked information included:

  • National ID numbers (DNI) - Spain's equivalent to Social Security numbers
  • Home addresses - Current residential locations of targets
  • Phone numbers - Both personal and professional contact information
  • Email addresses - Some current, others outdated but still sensitive
  • Professional affiliations - Political party memberships and roles

Classification as Cyberterrorism

The incident is being prosecuted under Article 573 of Spain's reformed 2015 Penal Code as cyberterrorism. This classification is reserved for cyberattacks intended to destabilize political institutions or the state's social and economic structures, emphasizing the severity with which Spanish authorities view this case.

Charges Filed

Both suspects face multiple serious charges:

  • Terrorism - Under Spain's anti-terrorism legislation
  • Terrorist Threats - For intimidating political figures
  • Cyberterrorism with Intent to Destabilize - Specific to the digital nature of the attack
  • Coercion of State Institutions - Attempting to influence government operations
  • Intimidation of Relevant Collectives - Targeting politicians and journalists for their institutional roles

The case represents a significant legal precedent in Spain for prosecuting politically motivated cyber attacks as terrorism rather than simple data breaches or hacking offenses. This classification reflects the government's recognition that cyber attacks against democratic institutions pose fundamental threats to state security.

The Broader Context: Spain's Cybersecurity Challenges

Connection to the Koldo Case

The timing and targeting of this cyberterrorism attack is particularly significant given its connection to the Koldo Case, a high-profile corruption investigation centered on COVID-era public procurement contracts for medical supplies. Several individuals involved in or connected to this corruption investigation were specifically targeted in the data leaks.

Historical Context of Cyber Threats to Spanish Leadership

This attack comes in the context of previous cyber threats against Spanish leadership. In 2021, the mobile phones of Prime Minister Pedro Sánchez and Defence Minister Margarita Robles were infected with Pegasus spyware, highlighting the ongoing vulnerability of Spanish political figures to cyber surveillance and attacks.

Pattern of Spanish Cyber Arrests

This arrest is part of a broader pattern of significant cybercrime investigations in Spain. Earlier in 2025, Spanish police arrested another hacker known as "Natohub" who was accused of conducting over 40 cyberattacks targeting NATO, the US Army, and various Spanish government bodies, demonstrating Spain's emergence as both a target and source of significant cyber threats.

Operational Details: From Investigation to Arrest

Timeline of the Investigation

The investigation began in June 2025 when the data leaks first appeared on Telegram channels. Spain's National Court immediately classified the incident as potential cyberterrorism, triggering involvement from the Audiencia Nacional and specialized cybercrime units.

The Arrest Operation

On Tuesday, July 1, 2025, agents from the National Police's General Information Commission (CGI) conducted simultaneous arrests in Gran Canaria. The operation included:

  • Early morning raid on Yoel's family home in Arinaga
  • Seizure of electronic devices including multiple computers and mobile devices
  • Search of digital evidence to establish the full scope of the operation
  • Immediate transfer to Madrid for processing by the National Court

Evidence Collection and Analysis

During the raids, police seized large quantities of computer equipment for forensic analysis. Investigators are examining the suspects' electronic devices to uncover broader evidence of intent, additional accomplices, or other criminal activities.

The Telegram Factor: Encrypted Platforms and Political Extremism

Platform Choice Strategy

The perpetrators' choice of Telegram as their primary distribution platform reflects a sophisticated understanding of how encrypted messaging platforms can amplify political messaging while providing some degree of operational security. The use of multiple channels allowed for broader distribution and made takedown efforts more complex.

Far-Right Online Ecosystem

The suspects' operation within far-right online communities highlights the growing concern about how extremist ideologies are being weaponized through cyber capabilities. The combination of political extremism and technical skills represents a particular threat vector that security agencies worldwide are increasingly monitoring.

Amplification and Viral Spread

The systematic release of data over multiple days created sustained media attention and political pressure, demonstrating an understanding of how to maximize the impact of leaked information through careful timing and presentation.

Political and Security Implications

Impact on Spanish Politics

The leak has created significant political turmoil in Spain, coming at a time when the government is already dealing with corruption investigations and political opposition. The exposure of personal information of thousands of political figures across the spectrum has raised serious questions about the security of personal data for public officials.

Security Protocol Reassessment

The incident has forced a comprehensive reassessment of cybersecurity protocols for Spanish political figures and government institutions. The fact that such extensive personal information was available to be leaked suggests significant gaps in data protection practices.

Democratic Institution Threats

The classification of this attack as cyberterrorism reflects recognition that cyber attacks against political figures represent fundamental threats to democratic institutions and the rule of law, not merely privacy violations or typical criminal activity.

International Context: Global Trend of Political Cyber Attacks

Rising Threat of Domestic Cyber Extremism

This case exemplifies a growing global trend where domestic extremist groups are leveraging cyber capabilities to target their own governments and political systems. Unlike state-sponsored attacks from foreign adversaries, these domestic threats often have intimate knowledge of local political dynamics and vulnerabilities.

Comparison to International Cases

Similar cases of politically motivated cyber attacks have occurred worldwide, but the Spanish case is notable for its comprehensive targeting of an entire political ecosystem and its classification under terrorism statutes rather than typical cybercrime laws.

Implications for Democratic Societies

The case raises important questions about how democratic societies should balance cybersecurity measures with civil liberties, and how to address the growing threat of politically motivated cyber attacks by domestic actors.

Technical Security Lessons

Data Protection Failures

The ability of a 19-year-old student to compile such comprehensive personal information about thousands of political figures suggests significant failures in data protection practices across multiple institutions and organizations.

Social Engineering vs. Technical Exploitation

The case demonstrates that devastating cyber attacks don't always require sophisticated technical capabilities—sometimes social engineering, data aggregation, and strategic distribution can be equally damaging.

The Insider Threat Dimension

While not technically an insider threat, the case highlights how individuals with legitimate access to information (through political party membership, public records, or other means) can weaponize that access for malicious purposes.

Response and Mitigation Strategies

Immediate Government Response

The Spanish government's swift classification of the incident as cyberterrorism and the rapid arrest of suspects demonstrates a coordinated response between law enforcement, intelligence services, and the judicial system.

Enhanced Protection Measures

Following the incident, Spanish authorities are implementing enhanced protection measures for political figures, including:

  • Improved personal data security protocols
  • Enhanced monitoring of extremist online communities
  • Strengthened coordination between cybersecurity agencies and political institutions

The case may prompt updates to Spain's legal framework for addressing politically motivated cyber attacks, ensuring that law enforcement has appropriate tools to combat this emerging threat vector.

Looking Forward: Implications for Cybersecurity

Evolving Threat Landscape

This case represents an evolution in the cybersecurity threat landscape, where domestic extremist groups are increasingly capable of conducting sophisticated information warfare operations against their own governments.

The Role of Young Attackers

The involvement of teenage perpetrators highlights the need for cybersecurity education and intervention programs targeting young people who may be recruited into extremist cyber activities.

Platform Responsibility

The use of encrypted messaging platforms to distribute sensitive personal information raises questions about platform responsibility and the balance between privacy protection and preventing harmful activities.

Conclusion: A Watershed Moment for Digital Democracy

The arrest of Yoel O.Q. and Cristian Ezequiel S.M. represents more than just a successful law enforcement operation—it marks a watershed moment in understanding how domestic cyber threats can target the foundations of democratic society. The case demonstrates that cyberterrorism is no longer solely the domain of sophisticated nation-state actors or international criminal organizations.

The fact that a 19-year-old computer science student could orchestrate such a comprehensive attack against Spain's political establishment from his parents' home in Gran Canaria illustrates both the democratization of cyber capabilities and the evolving nature of political extremism in the digital age.

Key takeaways from this case include:

  1. Domestic Cyber Extremism - The growing threat of politically motivated cyber attacks by domestic actors requires new approaches to cybersecurity and counterterrorism
  2. Data Protection Gaps - The extensive personal information available for exploitation suggests systematic failures in protecting sensitive data of public figures
  3. Legal Framework Evolution - The classification as cyberterrorism sets important precedents for how democratic societies address politically motivated cyber attacks
  4. Youth Radicalization - The involvement of teenage perpetrators highlights the intersection of online extremism and cyber capabilities

As Spain's investigation continues and the suspects face trial, this case will likely become a landmark example of how democratic societies must adapt their legal, technical, and social frameworks to address the evolving intersection of cybersecurity, political extremism, and threats to democratic institutions.

The Spanish cyberterrorism case serves as a stark reminder that in the digital age, the security of democratic institutions depends not only on protecting against foreign adversaries but also on addressing the growing capabilities of domestic extremist groups who seek to destabilize society through cyber means.

This analysis is based on ongoing investigations and public court filings. The case continues to develop as Spanish authorities conduct their investigation and prepare for prosecution.

Read more

2025: The Year Law Enforcement Struck Back - A Comprehensive Review of Major Cybercriminal Takedowns

How international cooperation and sophisticated investigative techniques delivered unprecedented blows to global cybercrime networks The year 2025 has emerged as a watershed moment in the fight against cybercrime, with law enforcement agencies worldwide delivering a series of devastating blows to criminal networks that had previously operated with near impunity. From

By Breached Company