A Quiet Benchmark for the Wrong Side
In March 2026, the Unidad Técnica de Policía Judicial of the Spanish Guardia Civil published its annual cyber-intelligence report, Ciberinteligencia: Análisis y Tendencias 2025, La Amenaza Tecnológica. The document is public, distributable to third parties without further authorisation, and has been signed by the commanding officer of the Grupo de Ciberinteligencia Criminal.
On its face, the report is a public service. It documents, with operational precision, the principal cybercrime trends of 2025 and the operations that have countered them. It is required reading for anyone with a CISO mandate or a threat intelligence function in Europe.
Read sideways, the report is something else. It is a candid benchmark of where the operational frontier has moved. The frontier, in 2025, sits on the side of the attacker.
This article reads the report sideways, in four observations.
Observation One: Crime-as-a-Service Has Better Customer Support Than Most Enterprise Tools
In October 2025, the Guardia Civil arrested in Cantabria a 25-year-old Brazilian developer operating under the alias “GoogleXCoder”. He was, by the unit’s assessment, the principal supplier of phishing kits to the Spanish-speaking cybercrime ecosystem. He had been active since 2023.
The business model, as documented in the report, has a particular elegance. GoogleXCoder offered, via Telegram, three distinct service tiers: precise cloning of legitimate banking and public-administration portals, real-time capture of credentials, authentication codes and OTPs, and integration with complementary illicit services such as control panels and distribution systems. Customers paid a few hundred euros per day. The service included personalisation, technical support, and continuous updates.
The report notes, in a sentence the cybersecurity industry should print and frame: “La sofisticación proviene del software, no del operador.” The sophistication comes from the software, not from the operator. The Guardia Civil writes this as a description of phishing kits. It is also, in 2026, a description of the median Security Operations Centre.
Some of the customer-facing channels of this market had names that documented the attitude toward the victim with unusual frankness. One was called “Robarle todo a las abuelas”, which is to say, “steal everything from the grannies”. The channel was operational. It had subscribers. They paid by the day.
Adjacent to this case, the report documents Operación MOSENIK, in November 2025, which dismantled a SIM-box infrastructure of 35 industrial units, 865 GSM modems, and over 60,000 unused Spanish SIM cards, all operated by a single person via a small fleet of computers. The infrastructure was capable of sending millions of messages and calls simultaneously. The cost-base was minimal. The output was industrial.
The defender, faced with this market, often arrives at the GRC Committee with a slide titled “Phishing Awareness Campaign Q2 Refresh”. The slide is approved by acclamation. The dashboard is green.
Observation Two: The Criminal Call Centre Has a Panic Button
In April 2026, the Guardia Civil, together with the Policía Nacional and the Mossos d’Esquadra and with the operational support of EUROPOL, dismantled the criminal organisation behind Operación HUMO DIGITAL. The organisation operated, the report states, “call centers temporales equipados con medidas de seguridad extremas, incluyendo un botón del pánico capaz de desconectar de inmediato los sistemas informáticos ante una posible intervención policial”.
The criminal call centre had a panic button. It was documented. It worked.
This is not a detail. It is the operational signature of an organisation that has, at some point, sat down to map the threat landscape, identified law enforcement intervention as a credible scenario, and engineered a specific countermeasure with measurable activation time. The call centre, in other words, has a documented continuity plan with a defined trigger and a tested response.
The same continuity plan, in the median European bank, takes the form of a 247-slide deck, a 112-page IAM policy, a 78-page Identity Governance Manual, and a service account from 2003 that nobody has yet found the time to decommission. The bank does not have a panic button. It has a committee that meets quarterly to discuss whether a panic button would be aligned with the strategic framework.
The full scope of the operation makes the asymmetry more visible. The organisation, the Guardia Civil reports, defrauded more than 300 victims of over 10 million euros, used numerous fraudulent websites simulating cryptocurrency investment platforms and well-known companies, paid for promoted advertisements promising extraordinary returns, and channeled the proceeds through shell companies and false advisors. Twenty-one people were arrested. More than 1.3 million euros in cash and cryptocurrencies were recovered, alongside luxury vehicles and high-end watches.
The luxury vehicles and high-end watches are, in their own way, also a benchmark. They are the visible part of an investment thesis that funds proven itself, over the period 2023-2025, more lucrative than most listed cybersecurity vendors.
Observation Three: Ransomware Now Operates on Quadruple Extortion
The 2025 report consolidates, with operational detail, the maturation of the ransomware model into what the Guardia Civil terms “extorsión cuádruple”. The four layers are sequenced.
First, the systems are encrypted. The victim cannot operate. Second, the data is exfiltrated and the publication of that data is threatened, raising the reputational and legal cost of non-payment. Third, the clients, partners and employees of the victim are contacted directly with threats, distributing the social pressure across the whole supply chain. Fourth, DDoS attacks are launched against the residual infrastructure of the victim, complicating any attempt at recovery.
Each of the four layers is engineered. None is improvised. The model is, the report notes, “una de las tácticas más agresivas y lucrativas empleadas por los grupos criminales”. It is also a textbook case of integrated risk amplification, applied from the wrong direction.
The supply side of this model is even more revealing. Ransomware-as-a-Service (RaaS), the Guardia Civil writes, has reached in 2025 a level of maturity that brings its structure close to that of a formal enterprise. The developer groups maintain infrastructure, update variants, offer intuitive control panels for affiliates, provide manuals and technical support, evasion tools, optimized encryption, and automated systems for data filtration and publication. Many RaaS programs include customer-support functions for the criminals themselves, alongside internal reputation mechanisms that reward the most “efficient” affiliates.
The defender, reading these sentences in sequence, encounters a moment of professional vertigo. Customer support. Internal reputation. Reward mechanisms for efficient affiliates. These are not improvised structures. They are the structures of any well-run product organisation. They are also the structures the median European bank has been told, by its consultants, that it should implement, in the next strategic cycle, possibly by 2028.
Two operations of 2025 illustrate the scale. Operación AETHER, coordinated by EUROPOL, led to the arrest of four leaders of the 8Base ransomware group, all Russian citizens, accused of using a Phobos variant. The operation involved law enforcement from 14 countries. Over 400 companies were alerted to ongoing or imminent attacks. Operación TALENT dismantled the international cybercrime forums Cracked and Nulled, which together hosted more than ten million users buying and selling stolen data, access credentials, criminal manuals and AI-based vulnerability detection tools. Two arrests in Valencia. Cryptoassets worth more than 234,000 euros recovered.
The numbers, in both operations, are the kind of numbers that appear in product analytics dashboards. Ten million users. Four hundred companies alerted. The defender’s quarterly KPI report, by contrast, reports policy training completion rates.
Observation Four: The Convergence Is Complete
The fourth observation is the one that most clearly closes the period in which cybersecurity could be understood as a technical discipline isolated from the broader threat ecosystem.
The Guardia Civil documents, with unusual operational detail, the activity in Spain and Europe of the Neo Black Movement of Africa, known as Black Axe. The organisation originated in the 1970s, in the student environment of the University of Benin in Nigeria. A part of its membership evolved, over fifty years, into transnational criminal structures, retaining internal symbolic elements such as the representation of a black axe.
In 2025, Black Axe operates, the report states, a portfolio that combines Business Email Compromise fraud, romance scams, money laundering through shell companies and financial mules, human trafficking for sexual exploitation of women trafficked into Europe, and internal violence to enforce control. The group operates under a hierarchical model with central or regional leadership (“Chairman”) coordinating autonomous cells in distinct territories. Differentiated roles have been identified, including the “Priest” who leads ritual activities, the “Eyes” responsible for surveillance, the “Criers” for propaganda and recruitment, and the “Butchers”, responsible for the coercive and violent part of the organisation.
The group has consolidated presence, the Guardia Civil states, in Italy, Ireland, Germany, the United Kingdom and Spain. Illicit financial operations linked to the group have been detected in the Americas and on other continents. Operación Jackal of INTERPOL, in 2022, involved fourteen countries across four continents and resulted in more than 70 arrests against Black Axe and other organised crime groups of West African origin.
Since 2025, the Guardia Civil co-leads the EUROPOL Operational Task Force “Heartbreaker”, under the EUROPOL AP High Risk framework, with 9 member countries and the United States Secret Service, to combat Black Axe specifically. EUROPOL has classified the group as High Value Target.
The defender, in this context, no longer faces a “cybercriminal”. The defender faces a transnational organisation, fifty years old, that has added cyber to an existing portfolio of trafficking, violence, money laundering and political reach. The boundary between cybercrime and organised crime, the report writes elsewhere, has begun to blur at the operational level. Operación IFADE-YUZUK, in 2025, documented this convergence at the financial layer: a network laundering several million euros per week through stablecoin compensation, fed by opaque trade flows from China and counterfeit goods. Twenty-seven million euros in cryptocurrencies intervened. Eight million in cash. Twenty-six point four million USDT blocked. Twenty-three arrests. Fifty-two members.
The CISO whose threat model assumes the adversary is a technical specialist working alone has not been reading the right documents. The right document, in 2026, is this one.
The Guardia Civil report is, on its face, a public service. It is also, unintentionally, the most candid benchmark of operational excellence available this year. The attacker has matured its product organisation. The attacker has documented continuity plans. The attacker has tiered service offerings. The attacker rewards efficient affiliates. The attacker has consolidated its supply chain across cyber, financial, and physical dimensions.
The defender, in the median European bank, has a slide deck. The slide deck has 247 KPIs. None of the 247 KPIs measure whether the attacker is winning.
The next time the GRC Committee admires the maturity of its own framework, somebody could read this report aloud.
All my books on cybersecurity and governance are here 👉 https://www.amazon.it/stores/author/B0FB47T6Q4/allbooks
Sources: Guardia Civil, Ciberinteligencia: Análisis y Tendencias 2025 (document is public and distributable to third parties without further authorisation, as stated on page 2 of the report itself). Operations referenced: GoogleXCoder (p. 10), MOSENIK (p. 13), HUMO DIGITAL (p. 26), AETHER (p. 30), TALENT (p. 32), Jackal (INTERPOL 2022, p. 18), IFADE-YUZUK (p. 34), OTF Heartbreaker (p. 18).
