‘Natohub’ Hacker Allegedly Responsible for US Army, NATO Breaches Arrested In Spain
Read also: Pakistan-based website network selling hacking tools dismantled, a suspect behind the €210M Coinrail crypto heist arrested, and more.
A hacker who allegedly targeted US Army, UN and NATO databases arrested in Spain
Spanish law enforcement has arrested a hacker known as ‘Natohub’ responsible for over 40 cyberattacks on organizations. The suspect, who operated under various aliases on Dark Web forums, gained access to public and private entities, including the Civil Guard, Ministry of Defense, National Mint, NATO, US Army, and multiple universities.
The attacks spanned from 2023 into 2024, targeting both national and international bodies, with the intruder extracting sensitive data and sometimes publishing or selling it.
The National Police, in collaboration with the Civil Guard, arrested the individual in Calpe (Alicante) following a lengthy investigation that began in early 2024. The investigation started after a Madrid business association reported a data leak on a forum. Seized items from the search included computer equipment and cryptocurrencies.
The hacker's activities included damaging IT services, illegal access to computer systems, and money laundering. Although the suspect used advanced techniques to cover his tracks, the investigation eventually linked him to a series of high-profile cyberattacks, including defacing websites and stealing personal data.
US and the Netherlands take down Pakistan-based website network selling hacking tools
The US Justice Department, in coordination with the Dutch National Police, seized 39 domains and associated servers linked to a Pakistan-based network operated by Saim Raza (also known as HeartSender and Manipulators Team).
Raza's network, active since 2020, facilitated the sale of hacking and fraud-enabling tools, such as phishing kits and email extractors, primarily used by transnational organized crime groups.
These tools were sold to criminals involved in business email compromise schemes, resulting in over $3 million in losses to victims in the US. The websites also provided instructions for those without technical expertise.
In a separate statement, the Dutch police announced the arrest of three individuals in the Netherlands and Spain for involvement in the worldwide distribution of Sky ECC crypto phones, mainly used by internationally operating criminals and their organizations. The criminal communications network Sky ECC was dismantled in 2021 following a large-scale international investigation by France, Belgium and the Netherlands.
Turkish authorities arrest cybercrime group for breaching MERNIS database
Turkish authorities have arrested members of a cybercrime group involved in the breach of the MERNIS (Central Population Management System), a government database containing sensitive information about citizens, including their ID numbers. The suspects are accused of running illegal queries on the system in exchange for money, using the stolen data for extortion and blackmail.
The operation, which was carried out by the Istanbul Police Department Cyber Crime Branch, led to the detention of 64 suspects, including several minors. Of the total number of detained individuals, 50 were referred to criminal judges with a request for arrest, while 14 others were placed under judicial control.
The investigation revealed that the suspects had gained unauthorized access to MERNIS and its associated systems by acquiring the passwords of authorized users. Once inside, they used a system referred to as the "panel" to make unauthorized queries on the database.
The stolen information included highly sensitive data, such as personal identification numbers, land registry details, health records, and other institutional information. The cybercriminals allegedly used this information to make illegal profits, either by selling it or using it as leverage for blackmail and threats online.
22-year-old accused of $65 million crypto theft
US authorities charged 22-year-old Canadian Andean Medjedovic with stealing approximately $65 million by exploiting vulnerabilities in decentralized finance (DeFi) protocols. According to court documents, Medjedovic targeted the KyberSwap and Indexed Finance decentralized exchange aggregators, which manage digital token liquidity pools on the Ethereum network.
Medjedovic allegedly exploited weaknesses in the automated smart contracts used by both platforms. He drained around $48.4 million from 77 KyberSwap Elastic liquidity pools and about $16.5 million from two liquidity pools of Indexed Finance, commonly referred to as index pools.
In addition to the theft, Medjedovic is accused of laundering the illicit funds through a series of complex transactions. He allegedly used cryptocurrency exchange accounts opened with false identification, a crypto mixer to obscure the funds' origins, and various swap and bridging transactions to move the stolen assets.
The charges against Medjedovic include wire fraud, unauthorized damage to a protected computer, attempted extortion under the Hobbs Act, conspiracy to commit money laundering, and money laundering. If convicted, he faces a maximum sentence of 10 years for unauthorized damage to a protected computer and 20 years for each of the other charges.
A suspect behind the €210M Coinrail crypto heist apprehended in France
A 24-year-old man, accused of hacking the South Korean cryptocurrency platform Coinrail in 2018 and stealing an amount now valued at €210 million, was arrested and formally indicted in Paris after a three-year investigation. The original theft involved €26 million, but due to the rise in cryptocurrency prices, the current value of the stolen assets is much higher.
The suspect's name first surfaced in 2021 during another investigation related to the hacking of the Gatehub platform. Investigators connected the two cases, and after questioning three suspects, including one in Morocco, they identified the young man as responsible for the 2018 Coinrail hack.
The suspect was arrested while driving a €700,000 luxury car and wearing an €80,000 watch, both purchased using stolen cryptocurrency. His arrest came after he returned from Saint-Barthélemy, and investigators conducted searches at his residence, seizing luxury items and freezing funds from his bank accounts. The man now faces charges of organized theft, money laundering, and attacks on automated data processing systems. His girlfriend has also been indicted for organized money laundering.
The investigation involved international cooperation across multiple countries, including Morocco, South Korea, Monaco, and the United Arab Emirates, where the suspect claimed residency. He has been placed in provisional detention while awaiting a hearing.