Kelvin Security hacking group leader arrested in Spain

The Spanish police have arrested one of the alleged leaders of the 'Kelvin Security' hacking group, which is believed to be responsible for 300 cyberattacks against organizations in 90 countries since 2020.

News of the arrest of a leader of the financial component of the group was posted to the Spanish National Police's Telegram channel Sunday morning, stating that the threat actors are linked to attacks on government institutions across Spain, Germany, Italy, Argentina, Chile, Japan, and the United States.

"The group's main objectives are critical infrastructure and government institutions, having attacked the City Councils of Getafe (Madrid), Camas (Seville), La Haba (Badajoz) and the Government of Castilla-La Mancha in Spain," reads the machine-translated Telegram post.

Kelvin Security is a hacking group believed to have been active since 2013, leveraging vulnerabilities in public-facing systems to obtain valid user credentials and steal confidential data from breached systems.

The threat actors were active on hacking forums, such as RaidForums and BreachForums, where they would sell the stolen data or leak it for free to other threat actors.

Two notable examples of Kelvin Security breaches are an attack on Vodafone Italia in November 2022 and a breach on U.S. consulting firm Frost & Sullivan in June 2020.

In both cases, Kelvin Security attempted to sell the data they had obtained from the victimized companies on hacker forums.

More recently, in April 2023, cybersecurity firm Cyfirma reported discovering links between Kelvin Security and ARES, a newly-emerged cybercrime platform dedicated to selling databases stolen from state organizations.

Hunting Kelvin since 2021

The Spanish police said the law enforcement operation involved multiple police units and was coordinated by the Alicante Prosecutor's Office.

According to the document, the police arrested one of Kelvin Security's leaders, a Venezuelan national, in Alicante on December 7, 2023.

The threat actor was primarily involved in laundering the criminal proceeds obtained through sales of stolen data, using cryptocurrency exchanges to make it harder to trace the money.

The police say the investigation on the group started in December 2021, which shows how complicated it is to track and identify cybercriminals.

The police confiscated several electronic items for forensic investigation in the hope that they would lead to the identification of co-conspirators, data buyers, affiliates, and others.

Law enforcement shared a video showing the raid on the threat actor's home and their arrest.