Granada Hacker Doxxed Spain's Police and Prosecutors

The case sits at the worst intersection of state employment and modern surveillance economics. The targets were the police officers who chase cybercrime, the cybersecurity institute that defends Spanish networks, the prosecutors who file the indictments, and the tax agents who pursue financial crime. The compromise was not, INCIBE stated, a breach of its own systems. It was something subtler and harder to defend against: a deliberate aggregation of names, addresses, phone numbers, and identifiers pulled from old breach dumps and OSINT sources, packaged for harassment, and posted to multiple public platforms.

Key Takeaways

• Spain's National Police arrested a Granada local on May 27, 2026 for publishing the personal data of staff at seven sensitive state institutions, with the investigation supervised by Madrid's Court of Instruction No. 22.
• The leaks named employees of INCIBE, the National Security Council, the National Police, the Civil Guard, the State Attorney General's Office, the Ministry of Finance, and the Tax Agency.
• The doxxing operation ran under the moniker Police-ESP-Doxed, and INCIBE confirmed the data did not come from a direct system breach but from aggregated older breaches, credential dumps, and OSINT tools.
• The National Police warned the public that such disclosures expose officials to "harassment, threats, extortion attempts and coordinated targeting campaigns," and seized devices are still being examined for co conspirators.

Who Got Doxxed and How Many?

The National Police have not yet published a victim count. What they have confirmed is which agencies were targeted, and the list is striking for its precision. According to The Record and Bleeping Computer, the data sets covered:

• Staff at INCIBE, Spain's National Cybersecurity Institute and the state's primary CSIRT.
• Members of the National Security Council, the body that coordinates Spain's strategic security planning.
• Officers of the National Police and the Civil Guard, the two principal law enforcement bodies.
• Prosecutors and administrative staff inside the State Attorney General's Office.
• Officials of the Ministry of Finance and the Tax Agency.

The selection is the part that gives prosecutors their case. Random doxxing tends to skew toward whoever a personal grudge targets. Targeting six government agencies plus a cybersecurity institute, on multiple platforms, under a coordinated handle, reads as a campaign rather than a stunt.

What Is Police-ESP-Doxed?

Police-ESP-Doxed is the alias under which the data sets were published across multiple online platforms in the weeks before the arrest. INCIBE was clear that none of its own systems were directly compromised. The data instead matched the signature of an OSINT aggregation operation: old breach dumps, leaked credentials, and publicly accessible records cross referenced against Spain's professional registries until enough fields lined up to confirm a named officer's home address or family contacts.

That methodology is what makes the case so difficult to defend against in advance. Every individual data point in the aggregated profile already existed somewhere. We have covered the same pattern in the OnlyFans 340M compiled leak, where a 340 million record database was assembled from older Twitter, Instagram, and Spotify breaches and sold as a fresh hack. Police-ESP-Doxed is the same playbook turned against state workers.

Why Does Doxxing of State Workers Matter More Than Doxxing of Civilians?

Spain's National Police said it plainly: doxxing of this kind exposes officials to "harassment, threats, extortion attempts and coordinated targeting campaigns." For an INCIBE incident responder or a Civil Guard officer running an organised crime investigation, the consequences are concrete. The home address that surfaces in the dump is the address criminal organisations now have. The personal phone number that surfaces is the number harassment campaigns can dial. The Tax Agency staffer pursuing a fraud case has just had their family contact details published next to their professional role.

The downstream risk that matters most for inbox security is targeted phishing. A doxxed officer's personal email becomes a high value spear phishing target almost immediately. We saw the same pattern in the Mexican journalist Maria Teresa Montaño case, where an unknown device logged into a CPJ International Press Freedom Award recipient's email weeks after her personal information surfaced publicly. Once an attacker has the email address plus enough context to write a convincing message, the next step is the inbox.

What Is the Investigation Doing Now?

Investigators with the Spanish National Police are examining seized devices for evidence of co conspirators, alternate accounts, and any prior staging used to assemble the data sets. The court case is being handled by Madrid's Court of Instruction No. 22, the specialised investigative chamber that takes the highest profile national security and cybercrime cases. Officials have not ruled out additional arrests, and the formal motive of the detained suspect has not been disclosed.

Platforms hosting the original posts have been served takedown requests, but as with most modern leaks the data has already mirrored. Helpdesk searches and threat intelligence vendors confirm copies are circulating outside Spain. Any agency that appears on the affected list should now treat its staff as if their personal contact details are public for the indefinite future.

What Doxxed Workers and High Risk Individuals Should Do

If you work in law enforcement, the judiciary, journalism, or any role with an above average targeting risk, the playbook is the same as for the Spanish officers now caught up in Police-ESP-Doxed:

1. Move sensitive accounts to a hardware key. A passkey or YubiKey blocks the most common follow up attack, an account takeover via password reset code.
2. Treat any email referencing your role as untrusted by default. Spear phishing using doxxed details lands inside the first 72 hours after a leak. Verify out of band before clicking, replying, or sharing further information.
3. Lock down your phone account. SIM swapping is the second wave after a personal doxx. Add a PIN with your carrier, and remove SMS as a recovery option wherever possible.
4. File data broker deletion requests. The aggregation that built Police-ESP-Doxed depended on public broker records. California, Connecticut, and Texas now offer one shot deletion mechanisms, and a paid service like DeleteMe can cover the rest.
5. Report harassment immediately. Police forces increasingly track doxxing as the precursor to coordinated targeting. The earlier the pattern is reported, the easier it is to attribute.

What the Case Says About the Doxxing Economy

The arrest is a victory, but the underlying economy did not change. Old breach data is cheap, OSINT tools are widely available, and any motivated individual can build a Police-ESP-Doxed equivalent for any target community within a few weekends. The defensive position has to assume the leaks will keep happening and focus on the controls that survive after exposure: hardware authentication, out of band verification, and aggressive minimisation of which services hold your contact details in the first place. Spain caught one person. The methodology is still in the wild.