In the Fourth Chamber of the Criminal Division of the National Court, Judge José Luis Calama addressed the case involving hackers Juan Carlos Ortega Guerrero from Seville, Daniel Baíllo Escarabajal from Cartagena, and José Luis Huertas Rubio from Madrid. They are accused of stealing bank information belonging to tens of thousands of Spanish taxpayers, according to separate orders issued on November 13 and November 29. The information came to light through access granted to a newspaper under the Prensa Ibérica group.
The two decisions were summarized by the case rapporteur, Judge Fermín Echarri. He noted that the evidence of guilt described in the October 16 decision, which recommended bringing the three computer experts to trial, remains sufficient to proceed against Baíllo Escarabajal and Ortega Guerrero. The court has not yet published its response to objections raised by Alcasec’s defense team.
Concerning Baíllo Escarabajal, Echarri explained that his appearance in Calama’s courtroom was tied to recruitment efforts. The domain cgpj-pnj.com was used to illegally obtain personally identifiable information and to access the computer systems of officials with the Basque Country Justice Administration. This domain, registered to a Russian company, operated through Eranet International Limited, a Hong Kong-based firm.
“Russian cyber crimes”
A phone number linked to a Telegram account was used to register the domain. The same suspect was active on two major Russian-language cybercrime forums, expolit.in and xss.is, which specialize in marketing access credentials or direct access to banking networks, according to Judge Echarri. The case proceeded without pausing to await information from Chinese authorities.
Alcasec’s testimony also connected Baíllo Escarabajal to a plan to target the Judicial Neutral Point by exploiting a digital certificate issued to a General Directorate of Traffic official. By creating a counterfeit site named cgpj-pnj.com and harvesting data from the Tax Office, additional identifying information was obtained.
This Cartagena-based computer scientist operated a system with at least three software programs controlling sixteen remote teams, including nine in Russia, three in Germany, two in Spain, one in the United Kingdom, and one in Ukraine.
Ortega Guerrero
Regarding Ortega Guerrero, the instructor stated that he used virtual identities to acquire data leaked from the Judicial Neutral Point. Through Telegram identities Diamante and Meliodas, he allegedly managed a network of 188 individuals engaged in cybercrime for financial gain, including activities such as smishing and other frauds.
At the time of his arrest, Ortega Guerrero’s home was found open. Investigators discovered a ready-to-use bulk SMS platform with 24 mobile phones and 114 SIM cards. The laptop history showed credentials obtained by hacking methods and phishing directed at customers of around 20 Spanish banks.
1.2 million
The authorities found that the 30 data packages obtained did not contain benign information. Instead, the data were the kind of material that would be reserved for third parties and could affect Spanish citizens. The investigation notes a criminal trajectory extending beyond October 30, 2022, and points to access from the Judicial Neutral Point that was restricted. The activity is classified as profit-driven, with cryptocurrency movements equaling or surpassing 1,237,637 euros, though no clear lawful income source was identified.
Judge Echarri’s decision also highlights the broader view held by the chamber. In 2022 and 2023, Ortega Guerrero acquired various movable and immovable assets valued at over 500,000 euros. Jewelry, watches, and cash totaling thousands of euros were seized, illustrating a pattern of wealth accumulation linked to criminal activity.