Poland Arrests Suspected DDoS Operator and Detains Defense Ministry Employee for Espionage
Poland’s Central Bureau for Combating Cybercrime (CBZC) arrested a 20-year-old suspected of conducting global DDoS attacks against high-profile and strategically important websites. Authorities said the suspect used a multi-layered botnet control architecture involving C2 “stressers” and command-and-control nodes (CNC), and seized computer equipment allegedly used to host and distribute DDoS tooling; the suspect reportedly confessed to most charges, was released on bail after a formal statement, and faces up to five years in prison if convicted.
Separately, Polish authorities detained a 60-year-old civilian employee in the Ministry of National Defense’s strategy and planning department on suspicion of espionage for a foreign intelligence service, with Polish officials indicating links to Russian and Belarusian services. Counterintelligence searched the suspect’s office and residence and seized phones, computers, and storage media; prosecutors filed espionage charges while officials cited “extensive evidence” and framed the case as part of broader hybrid warfare pressure on Poland, including sabotage, disinformation, and cyber activity attributed to Russia-linked actors.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Poland arrests suspect in global DDoS operation
Poland’s Central Bureau for Combating Cybercrime arrested a 20-year-old man suspected of carrying out global DDoS attacks against high-profile and strategically important websites. Investigators searched his apartment, seized computer equipment, and dismantled infrastructure used to host and distribute DDoS tools.
Poland detains defense ministry employee on espionage charges
Polish authorities arrested a 60-year-old civilian employee of the Ministry of National Defense at ministry headquarters in Warsaw on suspicion of spying for a foreign intelligence service. Prosecutors charged him with espionage after counterintelligence searched his office and residence and seized electronic devices and storage media.
Russia-linked hackers target Poland's power grid and energy facilities
In December 2025, Russia-linked hackers reportedly targeted Poland’s power grid and compromised systems at about 30 distributed energy facilities, according to Polish officials cited in later reporting.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Police shut down global DDoS operation, arrest 20-year-old - Help Net Security
helpnetsecurity.com
Open sourcePoland detains defense ministry employee on suspicion of spying for Russia | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Polish police identify minors selling and administering DDoS attack tools
Poland’s Central Bureau for Combating Cybercrime (**CBZC**) identified **seven minors** (aged **12–16** at the time of the alleged activity) accused of distributing and administering online tools designed to facilitate **DDoS attacks**, in what authorities described as a **profit-driven** scheme. Investigators said the tools were used to attack a range of services, including **auction/sales portals, IT domains, hosting providers, and accommodation booking sites**. The investigation reportedly began after CBZC identified a **14-year-old** in the **Masovian Voivodeship** as an administrator of the DDoS tooling; analysis of seized artifacts led to six additional suspects. CBZC conducted searches across **Masovian, Lublin, Łódź, and Greater Poland**, seizing alleged attack infrastructure and evidence including **smartphones, laptops/computers, storage media, hard drives, a ledger, and handwritten documentation**. Due to the suspects’ ages, case materials were referred to **family courts** for further proceedings.
Mar 21, 2026
NoName057(16) DDoSia Campaign and Separate Polish Botnet Arrest
SOCRadar reported a coordinated, multi-country **DDoS campaign** attributed to pro-Russian actor **NoName057(16)** using the **DDoSia** tool, with **5,830** recorded attack entries against **160 domains** and **181 IPs** during the Jan 26–Feb 1, 2026 analysis window. The activity showed broad geographic targeting, led by the **UK (55%)**, followed by **Ukraine (12.7%)** and **Czechia (4.9%)**, and focused heavily on public-sector and critical-service targets; the report also noted frequent target-list updates distributed via Telegram and that **port 443** was the most targeted. Separately, Polish authorities (CBCZ) arrested and then bailed a **20-year-old** suspected of running a multi-layered botnet used to DDoS “numerous popular websites,” including sites described as strategically important, using “C2 stresser” and command-and-control nodes; police seized equipment and claimed to have dismantled infrastructure used to host/distribute DDoS tools, with additional arrests possible. An NSFOCUS monthly report on **December 2025 APT activity** (e.g., TransparentTribe, Sidewinder, Konni, Gamaredon) describes broader spear-phishing-led intrusion trends and is not tied to the NoName057(16) DDoSia activity or the Polish DDoS case.
Mar 21, 2026
Poland Arrests Suspected Phobos Ransomware Affiliate in Europol Operation Aether
Polish law enforcement arrested a **47-year-old man** in the Małopolska/Lesser Poland region on suspicion of involvement with the **Phobos ransomware** operation as part of **Europol-coordinated Operation Aether** targeting Phobos-linked infrastructure and affiliates. During a search of the suspect’s residence, Poland’s Central Bureau/Central Office for Combating Cybercrime (**CBZC**) seized devices and data investigators said could enable unauthorized access and ransomware activity, including **stolen credentials**, **passwords**, **credit card numbers**, and **server IP/access data**. Authorities said technical analysis indicated the seized materials could be used to breach electronic security and support “various attacks, including ransomware,” and alleged the suspect used **encrypted messaging** to communicate with the Phobos criminal group. Reporting also noted the seizure of a laptop and multiple smartphones, and that the suspect was charged with offenses related to creating/acquiring/sharing tools or data used to unlawfully obtain information and facilitate unauthorized system access; if convicted, he faces up to **five years** in prison. Operation Aether reporting additionally linked the enforcement activity to efforts against **8Base**, described as a ransomware group believed to be connected to Phobos.
Mar 21, 2026