Spain Arrests Man Behind Government Employee Doxing Campaign

Spanish National Police arrested a man in Granada on May 27 after identifying him as the person responsible for a coordinated campaign to dox government employees across some of the country's most sensitive institutions. The operation exposed personal data tied to personnel at the National Cybersecurity Institute (INCIBE), the National Security Council, the National Police, the Civil Guard, the State Attorney General's Office, the Ministry of Finance, and the Tax Agency. Authorities described the leak as an immediate threat to the safety of those affected and to national security.

The arrest came after Madrid's Court of Instruction No. 22 opened an investigation following the mass dissemination of the data across multiple online platforms. Police moved quickly once the scope of the exposure became clear.

What Was Leaked and Where It Came From

The data did not come from a single, targeted breach of a government system. Investigators believe the suspect compiled it from a combination of older credential dumps, prior data breaches, and open-source intelligence gathering. Some of the records were outdated. A portion of the INCIBE data included names and details of employees who had left the organization years before the leak appeared.

That detail matters. It shows how effectively old, fragmented data can be repurposed and weaponized when someone puts in the effort to aggregate it. The underlying records may have been stale, but the damage to current employees — who share names, job titles, and institutional affiliations with former colleagues — was real.

The threat actor handle linked to the operation was "Police-ESP-Doxed." The data appeared on a BreachForum iteration and on Doxbin, two platforms frequently used to distribute stolen or aggregated personal information.

A Broader Pattern Targeting Spanish Officials

The arrested suspect's activity was part of a wider pattern of targeted exposure aimed at Spanish state personnel. In March 2026, personal data belonging to hundreds of Spanish judges and prosecutors surfaced on Doxbin. That dataset included full names, national identification numbers, personal mobile phone numbers, and professional email addresses.

Taken together, the two incidents point to a deliberate focus on individuals who work inside Spain's legal, law enforcement, and security apparatus. These are not random credential leaks. They are targeted efforts to surface the identities of people whose safety depends, in part, on a degree of operational anonymity.

The risk created by doxing government employees in these roles goes well beyond embarrassment or nuisance. Personnel at counterterrorism-adjacent bodies, prosecutors, and intelligence staff can face genuine physical risk when their personal contact details become publicly searchable.

The Arrest and What Comes Next

Police searched the suspect's home following the arrest and seized multiple computers and electronic devices. Those devices are now in the hands of forensic specialists. Investigators are analyzing them to determine the full scope of the suspect's activity and, critically, whether anyone else was involved.

Authorities have not ruled out additional arrests. The investigation remains open.

The speed of the police response drew explicit attention in the official statement. Given how broadly the data had already spread by the time the investigation began, moving fast was essential to limiting further exposure. The platforms where the data appeared, BreachForum and Doxbin, are not obscure corners of the internet. Content published there circulates quickly and does not disappear cleanly.

Why Aggregated Old Data Still Causes Real Harm

Cases like this one push back against a common assumption: that old breaches stop mattering once the immediate incident response is over. They do not. Data from breaches that occurred years ago continues to circulate, gets merged with data from other incidents, and can be reassembled into detailed profiles of real people.

The government employee doxing campaign in Spain required no sophisticated intrusion. No zero-day was used. No government network was penetrated. The suspect reportedly built the dataset from sources already in circulation, then chose targets based on where they worked. The harm came from the assembly, not the acquisition.

For organizations managing staff who hold sensitive roles, this is a meaningful threat model to account for. Personal information already in the wild, old email addresses, former workplace affiliations, mobile numbers from years-old breaches, can resurface in targeted form at any point. The question is not only whether systems are secure today, but whether past exposure of employee data has been tracked and addressed.

Key Takeaways

Spain's rapid response and the resulting arrest demonstrate that law enforcement is treating doxing of government employees as a serious criminal matter, not a secondary concern. The case also reinforces that aggregated open-source data can produce security risks as significant as a direct breach. As forensic analysis of the seized devices continues, more details about the operation's scope and any potential accomplices are likely to emerge.