Spanish authorities have arrested an 18-year-old hacker known as “Natohub,” accused of breaching multiple high-profile government and military systems, including databases belonging to NATO, the U.S. Army, and Spain's Ministry of Defense.
The hacker, who operated under multiple aliases on dark web forums, carried out at least 40 cyberattacks throughout 2024, targeting both public institutions and private organizations.
The arrest was carried out last Tuesday in Calpe, Alicante, by Spain's Policía Nacional in collaboration with the Guardia Civil. Authorities had been investigating Natohub for over a year, initially launching their probe in February 2024 after a Madrid-based business association reported its website had been hacked and defaced. Further analysis revealed that the hacker had not only defaced the site but also exfiltrated sensitive data, which was later published on dark web forums.
During a search of the suspect's residence, law enforcement seized multiple electronic devices, along with cryptocurrency wallets containing over 50 accounts with various crypto assets. The police are still analyzing the confiscated materials and have not ruled out uncovering additional cybercrimes.
Cyberattacks on key organizations
The hacker's activities spanned numerous high-profile targets, with breaches affecting both national and international entities. Some of the most notable attacks attributed to Natohub include:
- Spain's Guardia Civil, the country's national law enforcement agency.
- Ministry of Defense, involving potential leaks of sensitive military data.
- NATO databases, with stolen information reportedly including details on personnel.
- The U.S. Army, where confidential data may have been compromised.
- Spain's Ministry of Education, impacting students and academic institutions.
- The International Civil Aviation Organization (ICAO), where the hacker leaked over 42,000 recruitment records dating back to 2016.
The ICAO, a specialized United Nations agency responsible for aviation safety regulations, confirmed the breach in early January 2025, assuring that no operational aviation systems were impacted. However, the exposed data included applicants' full names, birth dates, email addresses, and employment histories—raising concerns about the security of sensitive international organizations.
One of Natohub's most damaging attacks occurred in December 2024, when he reportedly infiltrated the databases of Spain's Ministry of Defense and the Guardia Civil, leaking confidential internal documents. Following this breach, Spain's law enforcement intensified its efforts to track the hacker, ultimately leading to the recent arrest.
Methods and online activity
Natohub was known for boasting about his cyber intrusions on dark web forums, frequently changing aliases to evade detection. His strategy involved a combination of anonymized communication channels to obscure traces of activity, the use of Tor and VPNs to mask IP addresses and locations, and cryptocurrency transactions to launder funds obtained from selling stolen data.
The hacker was reportedly selling or freely distributing stolen information, depending on the target and potential buyers. One notable case involved NATO's Cooperation Portal, where data from 362 officials was exfiltrated and later sold.
Legal implications
Despite the severity of the accusations, after being detained and presented before a judge, Natohub was released with passport restrictions to prevent him from leaving Spain. He now faces multiple charges, including unauthorized access to computer systems, theft and disclosure of confidential information, damage to IT infrastructure, and money laundering through cryptocurrency transactions. If convicted, the hacker could face significant prison time under Spanish and, potentially, international cybercrime laws. The U.S. and other affected nations may also seek extradition depending on further findings.
Anonymous
Well, this is not good news.