In Europe, Emotet is described as one of the major criminal networks, and in Spain it operates across many computers in numerous offices. Cybercrime experts from the Ministry of Interior estimate that the Emotet worm infected about 130,000 computers in the country, and the figure shows no clear signs of decline.
Emotet ranks among the top cybersecurity threats in Spain for the period from July to September, according to Interior data. It has been labeled a leading attack in Europe, with researchers noting that the malware has been reactivated in a campaign that has persisted for months. Josep Albors, a cyber-threat specialist and director of research at Eset Spain, explains that the worm has seen a resurgence, a finding supported by the company’s own investigations into its renewed activity.
These campaigns involve mass email outreach that often carries an Office document or an attached link. Once opened, the malicious payload seeks to harvest data from the victim machine. Emotet has reemerged despite police actions that included recent operations just days before a NATO summit in Madrid.
In January 2021, after a major international operation, Europol described Emotet in historic terms. An official Europol memo called it one of the most professional and long-lasting cybercrime tools ever seen, while noting its capacity to reconfigure itself to evade tracking and to reappear later in campaigns.
For bank accounts
Originating in 2014, Emotet began its life as a so-called bank worm with the aim of accessing financial servers by infiltrating and compromising linked computers. It sought to siphon traffic between current accounts, entering through compromised systems to steal funds.
Over time, the malware has proven valuable to criminals beyond simple theft. It has been used to recruit compromised machines into a network for mass mailings, often without the user’s awareness. The infected devices form a network sometimes described as a zombie army, which can be deployed to flood systems with denial-of-service traffic or to coordinate other criminal activities. Ransomware demands may follow after extortion attempts.
Spanish police estimate the infected base at about 130,000 machines and do not rule out further growth before year’s end. The attackers have refined the tool’s capabilities; for instance, the malware can reuse email lists from an infected machine or send new mass emails without relying on the original host’s list, according to Albors, who also contributed to Emotet detection and blocking methods.
Spain, preferred destination
Emotet and similar threats perform particularly well in Spain because many companies still place a high degree of trust in email communications. The crime balance sheet published by the Ministry of Internal Affairs shows a sharp rise in cybercrime for the third quarter, with a reported 89.3 percent increase in online crimes compared with 2019. The report tallies 217,571 computer-related crimes from July to September, with 87.9 percent of these being fraud and other cyber-enabled offenses. In the last year, Interior sources counted 254,934 computer scams, reflecting a surge that has continued to astonish security officials.
Criminals do not limit themselves to accessing bank accounts; they also target data from organizations such as the Tax Administration, SEPES, Repsol, Iberdrola, Orange, and various municipalities. Police sources emphasize that many state and private sector organizations, including large listed firms, remain attractive targets due to personal and financial data stored within networks.
Missing hands
The growth rate of cybercrimes has outpaced the availability of public safety personnel to stop them. At a recent Home Affairs Committee session, concerns were raised about staffing shortfalls that lead to the creation of so-called ghost units within cybercrime operations when outreach from Madrid or Barcelona is limited. Critics point to a lack of skilled cybercrime specialists across the security forces and agencies, including the Civil Guard, Mossos d’Esquadra, the CNI, and the Armed Forces.
An example from Galicia was cited to illustrate the issue: Ourense’s barracks are being adapted to house a cybercrime unit while other services are left understaffed. The broader problem highlighted is the persistent difficulty in attracting and retaining engineers and other experts. Officers with deep technical abilities are often offered far higher salaries in the private sector, along with benefits such as private health insurance, family education support, company cars, remote work, and flexible schedules, making it hard for state services to compete.
A basic police officer in cybercrime earns around 2,000 euros per month. Large tech firms on the scale of Fujitsu or Thales offer salaries up to six thousand euros and additional incentives, underscoring the ongoing talent drain from public security to private industry. These realities shape the ongoing challenge of defending critical infrastructure against sophisticated criminal networks and mass-distributed campaigns.
Attribution: insights drawn from interior ministry crime statistics and commentary from cybersecurity researchers and law enforcement officials. Observers note that the Emotet threat remains active and capable of re-emerging, underscoring the need for robust defense, rapid detection, and coordinated response across both the public and private sectors. Statements reflect the assessment of industry analysts and governmental briefings discussing the evolving landscape of cyber threats in Europe and beyond.