Spanish authorities have arrested four alleged members of a hacktivist group believed to have carried out cyberattacks targeting government ministries, political parties, and various public institutions.

The group, which called itself "Anonymous Fénix" and claimed they were affiliated with the Anonymous hacker collective, conducted distributed denial-of-service (DDoS) attacks against targets in Spain and several South American countries, according to the Spanish Civil Guard.

The first attacks occurred in April 2023 and peaked after the flash floods that struck Valencia in late October 2024, when the group's members attacked multiple government websites, claiming Spanish authorities were responsible for the deaths and destruction caused by the storm.

Anonymous Fénix also used X and Telegram to spread anti-government messaging and recruit volunteers for its campaigns.

"From September 2024 they increased their activity and initiated a campaign of recruitment of volunteers with the aim of perpetrating cyberattacks against relevant domains," the Spanish Civil Guard said over the weekend.

"They reached their peak after the DANA of Valencia when they managed to successfully attack different websites of the Public Administration, justifying that they were 'the responsible for the tragedy.'"

The Civil Guard arrested the group's administrator and moderator in May 2025, in Alcalá de Henares, near Madrid, and Oviedo, in the northern region of Asturias. After analyzing the evidence collected following those arrests, investigators identified two additional members of the group as its most active operatives, who were arrested earlier this month in Ibiza and Móstoles, near Madrid.

Following the arrests, Spanish courts also ordered the seizure of the group's accounts on X and YouTube and ordered the closure of its Telegram channel. No details on specific charges or potential penalties were provided in the Civil Guard's announcement.

In recent months, Spanish authorities also detained a 19-year-old suspect in Barcelona for allegedly breaching nine companies and dismantled the "GXC Team" crime-as-a-service (CaaS) platform that pushed AI-powered phishing kits, Android malware, and voice-scam tools.

More recently, in January, the Spanish National Police arrested 34 suspects linked to a criminal network involved in cyber fraud and believed to be connected to the Black Axe crime ring.