Spain Arrests Alleged Kelvin Security Money Laundering Head

Spanish national police on Sunday arrested an alleged key money laundering figure of the profit-seeking Kelvin Security hacking operation who reportedly entered the country as a tourist.

See Also: OnDemand | Understanding Human Behavior: Tackling Retail’s ATO & Fraud Prevention Challenge

Authorities opened an investigation into the group in December 2021 after hackers penetrated systems belonging to the cities of Madrid, Sevilla and Badajoz as well as the regional government of Castilla-La Mancha.

The Ministry of the Interior said security experts attributed the attacks to Kelvin Security – at least partially – after seeing posts on criminal forums selling stolen data. The Spanish government calculated that Kelvin Security, which launched in 2013, has sold data taken from more than 300 organizations in 90 countries over the past three years. Threat intel firm Cyfirma said the group is likely based in Russia and has “a significant presence on deep and dark web forums.”

The detained man – authorities are not revealing his name – is the head of Kelvin Security’s money laundering operation, the ministry said, and he operates mainly in cryptocurrency. Video released by the ministry shows police searching for devices in what appears to be a residence and escorting a man wearing a black hoodie to a waiting car.

Local media reported that the suspect had entered Spain on Nov. 18 with his wife and sister, traveling to the Mediterranean coastal city of Alicante. They didn’t take a return flight to Venezuela scheduled for Nov. 29, and one reporter stated that the man is on a Caracas blacklist and had been hoping to leave the South American country.

Kelvin Security has claimed responsibility for a number of high-profile data breaches including that of Vodafone Italy, Dish México, a Chilean bank, New York consultancy Frost & Sullivan and carmaker BMW. Its strategy is to attack critical infrastructure and government agencies across the globe and exfiltrate logon credentials and sensitive internal information, the ministry said.

The threat actor’s most recent attack was against the headquarters of an unnamed multinational energy firm, and it stole a confidential client list containing more than 85,000 names.