Else Beekman
On Monday, Spain’s fact-checking platform Newtral became the target of a coordinated cyberattack. The pro-Russian hacker group TwoNet claimed the attack. The hacktivists also asserts responsibility for disruptions affecting several Spanish government institutions.
According to Newtral, among the affected entities were the Ministry of Defence and the National Cryptologic Centre (CCN). The attack appears to be a direct response to Spain’s ongoing support for Ukraine. Of those allegedly affected, only Newtral has confirmed the attack.
What happened?
The Instituto Nacional de Ciberseguridad (Incibe) detected the attack on Newtral at 12.03 pm Spanish time. The hackers deployed a DDoS (Distributed Denial of Service) attack, a method that overwhelms a website with traffic until it crashes and becomes inaccessible.
Throughout the day, Newtral’s website experienced instability, but thanks to rapid intervention, it was restored. Both the media outlet and Spanish cybersecurity agencies continue to monitor the situation closely.
A larger offensive against Spain?
The attack on Newtral does not appear to be an isolated incident. In a statement posted on their Telegram channel, TwoNet claimed responsibility for cyberattacks on several Spanish government websites. These include the websites of the Ministry of Defence, the Ministry of Inclusion, Social Security and Migration, the National Cryptologic Centre (CCN), and the Real Instituto Elcano, a think tank specialising in international affairs. The group also recently claimed to have attacked the Ministry of Foreign Affairs.
According to TwoNet, these attacks serve as a warning: “With these attacks, we want to tell the Spanish government that they must stop supporting Ukraine. If they do not, we will continue targeting government sites and large corporations.” TwoNet even shared links to the online tool Check-Host.net to demonstrate that the targeted Spanish websites had indeed been taken offline.
Who is behind TwoNet?
TwoNet is one of several pro-Russian hacker groups that have emerged in recent years. According to cybersecurity expert Marcelino Madrigal, the group operates through a network of Telegram channels, distributing messages in multiple languages and targeting different countries.
Beyond cyberattacks, their messaging also includes anti-Ukraine propaganda. They frequently post insults against President Volodymyr Zelensky and call for regime change in Kyiv.
What is a DDoS attack, and how effective is it?
A DDoS attack (Distributed Denial of Service) is a relatively simple yet highly disruptive tactic used to disable websites. It works by flooding a server with excessive traffic from multiple sources, overloading the system and making the site inaccessible to regular users.
While DDoS attacks are mostly a temporary nuisance rather than a long-term threat, they can cause significant disruptions—particularly when targeting critical infrastructure such as government services or financial institutions.
What’s next?
TwoNet has already announced plans to launch a new wave of massive DDoS attacks in April, once again targeting Spanish government websites. This move is reportedly in response to Spain’s continued public support for Ukraine.
Spain is not the only country facing such threats. Since the outbreak of the war in Ukraine in 2022, pro-Russian hacker groups have become increasingly active, particularly against European nations that provide military and political backing to Kyiv.
Spain as a recurring target for pro-Russian hacktivists
The recent attack on Newtral and Spanish government sites is part of a broader pattern of cyber threats against Spain. According to the Security Navigator 2025 report by Orange Cyberdefense, published in December 2024, Spain is among the European nations most affected by cyberattacks. Since 2022, more than 6,600 cyberattacks have been carried out by pro-Russian hacker groups, with 96% of them targeting European countries, including Spain.
Additionally, in July 2024, Spanish police arrested three individuals suspected of participating in DDoS attacks against public institutions and strategic sectors in Spain and other NATO member states. These attacks, believed to be in collaboration with the pro-Russian hacker collective NoName057(16), specifically targeted countries that openly support Ukraine.
Furthermore, a report by the Helsinki Commission of the United States, released in late 2024, identified nearly 150 hybrid warfare operations attributed to Russia on NATO territory since the beginning of the Ukraine invasion. Two of these incidents occurred in Spain, specifically in Madrid and along the Alicante coastline. This further underscores Spain’s significance on Russia’s cyber warfare radar.
Also read: Pro-Russian hackers attack websites of Spanish state institutions and media