The arrest of four alleged leaders of the hacker group Anonymous Fénix in Spain has become one of the most talked-about events in recent months. This operation is significant for the country, as it concerns the security of government resources and the protection of citizens’ information. After the tragedy in Valencia, when hundreds of people died in October 2024, cyberattacks on ministry and political organization websites sparked concern among Spaniards and raised questions about the resilience of the digital infrastructure.
According to El Pais, the detained men are suspected of coordinating a series of attacks on government and party websites immediately after the devastating DANA (Depresión Aislada en Niveles Altos) in October 2024. The group, calling itself Anonymous Fénix, stated that their actions were motivated by a desire to punish politicians they deemed responsible for the tragedy. During searches, authorities found masks symbolizing the Anonymous movement, as well as equipment used in the attacks.
Group methods and structure
The group specialized in DDoS attacks, which involve massive attempts to overload websites and render them inaccessible to users. According to investigators, these actions did not cause serious damage, but they did highlight the vulnerability of government resources. Most of the targeted sites quickly resumed operations; however, the very fact that the attacks succeeded sparked public outcry.
Within the group, roles were clearly defined: two of the detainees managed chats on X (formerly Twitter), Telegram, and YouTube, where they posted attack reports and recruited new members. The other two were the most active executors. All accounts and channels were blocked by the Civil Guard and the National Cryptology Center, which reports to the intelligence agency CNI. Prior to this case, none of the detained individuals had been previously targeted by law enforcement for similar offenses.
Investigation and Arrests
The first two suspects were detained as early as May last year in the cities of Alcalá de Henares and Oviedo. However, authorities withheld details of the operation to avoid jeopardizing the ongoing investigation. Information obtained from their devices led to the discovery of two more alleged organizers, who were later arrested in Ibiza and Móstoles.
Interestingly, not all of those detained were young; two are over thirty, which is unusual for such groups. In their initial statements, members emphasized their experience in cyber activism, describing themselves as ‘veterans’ in the field.
Activity and Influence
The Anonymous Fénix group emerged in the spring of 2023 and initially attracted little attention: their chats had few subscribers, and their posts covered not only Spain but also other countries, notably Venezuela and Colombia. However, in September 2024, their activity surged—they began openly recruiting new members, inviting anyone interested to join the ‘Resistance 3.0’ through Telegram.
The peak of the attacks came after DANA, when government websites were targeted by a series of coordinated DDoS attacks. Through their channels, the group spread false information about the tragedy and blamed the government and President Pedro Sánchez for what had happened. After the first arrests, the group’s activity nearly ceased, with their last post dating back to the end of May.
In recent years, Spain has faced several high-profile cyberattacks targeting government structures. In 2023, similar incidents took place in Catalonia and Andalusia, when unknown actors tried to take down municipal and regional ministry websites. These attacks were also linked to political events and mass protests. In both cases, law enforcement quickly restored the resources, but these episodes highlighted just how vulnerable digital systems remain even in developed countries.
