Spain arrests doxer publishing data on INCIBE/AG/Civil Guard staff (Police-ESP-Doxed)

incident · item:spain-national-police-arrest-doxer-incibe-ag-civil-guard

Coverage timeline

first 2026-06-02 → last 2026-06-02

Briefs

1 distinct

Sources cited

15 hosts

Sections touched

active_threats

Co-occurring entities

see Related entities below

Story timeline

2026-06-02CTI Daily Brief — 2026-06-02
active_threatsFirst coverage. National Police arrest (Granada, 27 May) over BreachForums doxing of national-security/cyber-authority staff; OSINT+prior-breach aggregation.

Where this entity is cited

active_threats1

Source distribution

bleepingcomputer.com4 (20%)
helpnetsecurity.com2 (10%)
thehackernews.com2 (10%)
ic3.gov1 (5%)
policia.es1 (5%)
edpb.europa.eu1 (5%)
kaspersky.com1 (5%)
krebsonsecurity.com1 (5%)
other7 (35%)

Related entities

Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)
annual-reportannual-report:gtig-ai-threat-tracker-may-2026×2
Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026)
incidentincident:die-linke-qilin-2026×1
Germany KRITIS-DachG (CER Directive transposition) in force March 2026 — public administration first time in CI scope; registration deadline 17 July 2026
campaignpolicy:germany-kritis-dachg-2026×1
Germany's federal cabinet approves Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect attacker traffic and disable infrastructure
incidentitem:germany-cybersicherheitsstaerkungsgesetz-bka-bsi-bundespolizei-active-defence×1
Ghost Stadium PhaaS — 300+ FIFA domain clones targeting EU fans
campaignitem:ghost-stadium-phaas-300-fifa-domain-clones-eu-fan-credentials×1

All cited sources (20)

Items in briefs about Spain arrests doxer publishing data on INCIBE/AG/Civil Guard staff (Police-ESP-Doxed) (2)

Spain arrests doxer who published personal data on INCIBE, prosecutorial and security-service staff

From CTI Daily Brief — 2026-06-02 · published 2026-06-02 · view item permalink →

Spain's National Police arrested an individual in Granada on 27 May 2026 for publishing personal data belonging to staff of the State Attorney General's Office (Fiscalía General del Estado), the National Cybersecurity Institute (INCIBE), the National Police, the Civil Guard and the National Security Council; the operation was overseen by Madrid Investigating Court No. 22 (BleepingComputer, 2026-06-01 · Policía Nacional, 2026-06-01). The data was published on BreachForums under the "Police-ESP-Doxed" handle. INCIBE has previously assessed that no direct compromise of its systems occurred — the dossiers were assembled from older breaches, credential dumps and OSINT, with some records containing names of staff who had left years earlier. The investigation opened after police detected "mass dissemination" of the data, which they assessed as an immediate risk to the named individuals and institutions.

Why it matters to us: This is the OSINT-aggregation-plus-prior-breach-enrichment pattern aimed squarely at the personnel of a national cybersecurity authority and security services — a reconnaissance precursor to targeted phishing, vishing and coercion against critical-infrastructure officials. Swiss and EU public-sector security teams should treat circulated staff dossiers as an elevated-phishing trigger and push data-broker opt-out / breach-exposure monitoring for sensitive-role employees.

Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff

From CTI Daily Brief — 2026-05-30 · published 2026-05-30 · view item permalink →

The FBI issued PSA260527 on 27 May 2026 warning that a Chinese-speaking financially-motivated threat actor tracked by Group-IB as Ghost Stadium has deployed more than 300 phishing sites impersonating fifa.com, all reproducing the official site pixel-for-pixel including a fake single-sign-on authentication flow in multiple languages (FBI IC3 PSA260527, 2026-05-27; BleepingComputer, 2026-05-28). Typosquatted domains span alternative TLDs (.org, .xyz, .live, .sale) and character substitutions; additional fake employment portals impersonate FIFA HR functions. Criminal objectives include credential and financial-data theft via the fake SSO, counterfeit ticket and hospitality sales, fake merchandise and streaming-rights fraud. UK, Germany, Portugal, and Spain are explicitly named as target demographics. Browser-based security controls (Safe Browsing, SmartScreen) do not protect against freshly-registered domains before abuse is reported. For defenders at organisations with large employee populations purchasing World Cup tickets: advise bookmarking https://www.fifa.com directly; treat any search-result-sponsored result for FIFA ticket purchases as unverified. The high-intensity fraud window is the lead-up to the July 19 final.