Europol lists Spanish head of Russian cyber terrorism network among its most wanted

Europol, the European Union's agency for police cooperation, has placed Enrique Arias Gil, a 37-year-old Spanish citizen accused of being the head of the 'NoName057' cyberterrorist group in Spain, on its most wanted list. This is the most active platform of Russian hackers sponsored by the Kremlin's secret services and responsible for countless attacks on European institutions and national bodies and administrations, especially coinciding with the general elections in the summer of 2023.

The police file describes him as a "Russian disinformant", 177 centimetres in height, brown-eyed, Russian-speaking and accused of crimes of computer damage offences with terrorist intent and membership of a criminal organisation. His trail was lost after the operation carried out last July in several EU and foreign countries against this group of "hacktivists", which resulted in the arrest of two ringleaders in Spain and France, 13 people under investigation, 24 searches and the issuing of seven arrest warrants for, among others, "six Russian citizens for their participation in the criminal activities" of NoName057.

Operation Eastwood, which began on 14 July, involved law enforcement agencies from 19 countries. Authorities in the Czech Republic, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States "took simultaneous action against the criminals and infrastructure belonging to the pro-Russian cybercrime network", Europol explained at the time, noting that the investigation was also "supported" by Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine, as well as the private companies ShadowServer and Abuse.ch.

Europol claimed that its dismantling would have cleared up nearly a hundred "server" attacks on institutions around the world through "DDoS disruption attempts in favour of Russia". The police institution also identified nearly a thousand "sympathisers" and collaborators of this group, including 15 administrators, who, since they could not be arrested, have been "notified of their legal responsibility".

Europol noted that the vast majority of these collaborators are "mainly Russian-speaking sympathisers using automated tools to carry out distributed denial-of-service attacks" and that they operate as lone wolves "without formal leadership or sophisticated technical skills", only "motivated by ideology and rewards".

According to his profile on the internet, Arias Gil holds a PhD in international security from the Instituto Universitario General Gutiérrez Mellado-UNED, and a Master's degree in international security and civil protection management from the Universidad Europea de Madrid. He is also an expert in Islamic culture and religion and has a degree in political science and administration.

He has also received training in intelligence and international security at institutions such as the intelligence and security analysis group (GIASP), the international campus for security and defence (CISDE), and the foundation for strategic and international studies (FESEI); and has published research articles at the Spanish institute for strategic studies (IEEE), the research unit on security and cooperation, Al-Ghurabá and the general Gutiérrez Mellado university institute.

His group, NoName057, was born in March 2022 shortly after the start of the invasion of Ukraine. Its first actions were cyber attacks on Ukrainian, US and European websites, targeting government agencies, media outlets and private companies.

In Spain, they unleashed their hostility in the summer of 2023, when they attacked a hundred websites belonging to institutions, public bodies and companies as punishment for “the support for Zelensky’s regime by Spain’s Russo-phobic authorities with taxpayers’ money”. On 23 July of that year, election day, Kremlin-sponsored hackers claimed to have taken down the interior ministry’s website, which indeed experienced intermittent problems between 4 and 7pm, although the special website headed by Fernando Grande Marlaska did remain accessible throughout.

Precisely, on 12 May, the interior ministry launched a tender for a contract valued at 791,340 euros, IVA sales tax included, to obtain two licences to access the world's largest database of cyberthreats and hackers for two years. The reason for this disbursement - according to the file to which SUR had access - was to be able to shield the ministry's applications (including those used in the general elections) against the continuous attacks by 'NoName057' hackers.