Poland Arrests Suspected DDoS Operator and Detains Defense Ministry Employee for Espionage
Poland’s Central Bureau for Combating Cybercrime (CBZC) arrested a 20-year-old suspected of conducting global DDoS attacks against high-profile and strategically important websites. Authorities said the suspect used a multi-layered botnet control architecture involving C2 “stressers” and command-and-control nodes (CNC), and seized computer equipment allegedly used to host and distribute DDoS tooling; the suspect reportedly confessed to most charges, was released on bail after a formal statement, and faces up to five years in prison if convicted.
Separately, Polish authorities detained a 60-year-old civilian employee in the Ministry of National Defense’s strategy and planning department on suspicion of espionage for a foreign intelligence service, with Polish officials indicating links to Russian and Belarusian services. Counterintelligence searched the suspect’s office and residence and seized phones, computers, and storage media; prosecutors filed espionage charges while officials cited “extensive evidence” and framed the case as part of broader hybrid warfare pressure on Poland, including sabotage, disinformation, and cyber activity attributed to Russia-linked actors.
Timeline
Feb 5, 2026
Poland arrests suspect in global DDoS operation
Poland’s Central Bureau for Combating Cybercrime arrested a 20-year-old man suspected of carrying out global DDoS attacks against high-profile and strategically important websites. Investigators searched his apartment, seized computer equipment, and dismantled infrastructure used to host and distribute DDoS tools.
Feb 3, 2026
Poland detains defense ministry employee on espionage charges
Polish authorities arrested a 60-year-old civilian employee of the Ministry of National Defense at ministry headquarters in Warsaw on suspicion of spying for a foreign intelligence service. Prosecutors charged him with espionage after counterintelligence searched his office and residence and seized electronic devices and storage media.
Dec 1, 2025
Russia-linked hackers target Poland's power grid and energy facilities
In December 2025, Russia-linked hackers reportedly targeted Poland’s power grid and compromised systems at about 30 distributed energy facilities, according to Polish officials cited in later reporting.
Related Stories

Polish police identify minors selling and administering DDoS attack tools
Poland’s Central Bureau for Combating Cybercrime (**CBZC**) identified **seven minors** (aged **12–16** at the time of the alleged activity) accused of distributing and administering online tools designed to facilitate **DDoS attacks**, in what authorities described as a **profit-driven** scheme. Investigators said the tools were used to attack a range of services, including **auction/sales portals, IT domains, hosting providers, and accommodation booking sites**. The investigation reportedly began after CBZC identified a **14-year-old** in the **Masovian Voivodeship** as an administrator of the DDoS tooling; analysis of seized artifacts led to six additional suspects. CBZC conducted searches across **Masovian, Lublin, Łódź, and Greater Poland**, seizing alleged attack infrastructure and evidence including **smartphones, laptops/computers, storage media, hard drives, a ledger, and handwritten documentation**. Due to the suspects’ ages, case materials were referred to **family courts** for further proceedings.
1 month ago
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBZC) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
1 month ago
Poland Arrests Suspected Phobos Ransomware Affiliate in Europol Operation Aether
Polish law enforcement arrested a **47-year-old man** in the Małopolska/Lesser Poland region on suspicion of involvement with the **Phobos ransomware** operation as part of **Europol-coordinated Operation Aether** targeting Phobos-linked infrastructure and affiliates. During a search of the suspect’s residence, Poland’s Central Bureau/Central Office for Combating Cybercrime (**CBZC**) seized devices and data investigators said could enable unauthorized access and ransomware activity, including **stolen credentials**, **passwords**, **credit card numbers**, and **server IP/access data**. Authorities said technical analysis indicated the seized materials could be used to breach electronic security and support “various attacks, including ransomware,” and alleged the suspect used **encrypted messaging** to communicate with the Phobos criminal group. Reporting also noted the seizure of a laptop and multiple smartphones, and that the suspect was charged with offenses related to creating/acquiring/sharing tools or data used to unlawfully obtain information and facilitate unauthorized system access; if convicted, he faces up to **five years** in prison. Operation Aether reporting additionally linked the enforcement activity to efforts against **8Base**, described as a ransomware group believed to be connected to Phobos.
1 month ago