Spain arrests doxer who published personal data on INCIBE, prosecutorial and security-service staff

Spain's National Police arrested an individual in Granada on 27 May 2026 for publishing personal data belonging to staff of the State Attorney General's Office (Fiscalía General del Estado), the National Cybersecurity Institute (INCIBE), the National Police, the Civil Guard and the National Security Council; the operation was overseen by Madrid Investigating Court No. 22 (BleepingComputer, 2026-06-01 · Policía Nacional, 2026-06-01). The data was published on BreachForums under the "Police-ESP-Doxed" handle. INCIBE has previously assessed that no direct compromise of its systems occurred — the dossiers were assembled from older breaches, credential dumps and OSINT, with some records containing names of staff who had left years earlier. The investigation opened after police detected "mass dissemination" of the data, which they assessed as an immediate risk to the named individuals and institutions.

Why it matters to us: This is the OSINT-aggregation-plus-prior-breach-enrichment pattern aimed squarely at the personnel of a national cybersecurity authority and security services — a reconnaissance precursor to targeted phishing, vishing and coercion against critical-infrastructure officials. Swiss and EU public-sector security teams should treat circulated staff dossiers as an elevated-phishing trigger and push data-broker opt-out / breach-exposure monitoring for sensitive-role employees.