Sanxenxo City Council Held Hostage: Hackers Demand Bitcoin Ransom in Brazen Spanish Cyberattack
Digital extortion hits local government—and the price of freedom is paid in crypto.
The Attack Vector
Forget sophisticated state actors. This was a blunt-force trauma to municipal operations. Hackers infiltrated systems, encrypted critical data, and slammed the digital vault shut. No data, no access, no public services until demands are met. The weapon of choice for the getaway? A Bitcoin wallet address.
The Ransom Note
The message was clear: pay up in Bitcoin, or your data stays locked. It’s a classic ransomware playbook, now targeting the soft underbelly of civic infrastructure. The attack exposes a brutal truth—every organization, from global corps to small-town councils, is a potential payday. Local governments often lack the enterprise-grade cybersecurity budgets, making them low-hanging, high-impact fruit.
Cryptocurrency's Double-Edged Sword
Here’s the perennial tension. Bitcoin offers a decentralized, borderless payment rail—a feature celebrated by libertarians and leveraged by criminals. The very pseudonymity that protects user privacy also provides cover for illicit demands. It’s the ultimate tool for a digital heist: irreversible transactions with no intermediary to freeze funds. The Sanxenxo case is another stark entry in the ledger of crypto’s complicated public narrative.
The Fallout and The Future
The council faces a nightmare scenario. Paying the ransom funds criminal enterprises and offers no guarantee of data return. Refusing could mean prolonged paralysis and the monumental cost of rebuilding systems from scratch—if backups were also compromised. It’s a lose-lose calculus forced upon public servants.
This incident isn’t an outlier; it’s a template. As long as Bitcoin remains the preferred currency of the digital shadows, and public sector IT lags behind, these attacks will continue. It’s a costly reminder that in the new world of digital risk, your most valuable asset isn’t on your balance sheet—it’s in your servers. And sometimes, protecting it requires more than good governance; it requires an ironclad defense. After all, in the high-stakes game of cyber security, the only thing more volatile than the crypto market is the cost of being unprepared.
What happened to Sanxenxo City Council in Pontevedra
According to recent reports, hackers got into the City Hall’s internal systems on January 26, 2026, locking it up and encrypting thousands of documents. This prevents access to essential information and makes it impossible for officials to work.
The incident has been confirmed by the government itself and cited in local news reports. The hackers reportedly used malware to infiltrate the main network, and as a result of the attack, the municipal server became completely inoperative, affecting essential services for residents that are processed at the main office.
Fortunately, not all areas of the municipality were affected by the attack. The municipal companies Nauta and Turismo were unaffected by the attack, but this is reportedly because they operate on independent networks.
The City Hall’s online portal also remained operational, allowing citizens to continue their procedures online.
What the hackers want
The attackers have demanded a ransom of $5,000 in bitcoin (BTC) to restore the files, a meager amount considering the bargaining chip they have, which is relatively vanilla for an attack of this magnitude. This could mean the perpetrators are small time or one-off criminals rather than a sophisticated group that has been linked to greater exploits in the US.
The demands have also mostly gone ignored by the municipality, whose officials refused to pay the ransom. They instead filed a formal complaint with the Civil Guard and activated daily backups.
The backups are expected to restore the systems within the next few hours. However, Mayor Telmo Martín has revealed that despite hopes things can be restored in the next 24 to 48 hours, the process may take longer was originally anticipated.
Ransomware attacks are targeting Spanish municipalities
The incident in Sanxenxo is not a standalone case and is part of an increase in ransomware attacks targeting local governments in Spain.
These ransomware attacks started becoming rampant in 2025, with similar incidents reported in municipalities such as Badajoz, Melilla, and Villajoyosa. The attack on Badajoz was particularly severe as it blocked administrative procedures for a population of nearly 150,000.
This year, aside from Sanxenxo, areas like Beniel, a municipality in the Region of Murcia, and Adeje, in Tenerife, also faced cyberattacks that rendered their digital systems inoperable.
In the town hall of Adeje, in Tenerife, the municipal website was temporarily shut down because unauthorized access was detected, and security protocols were activated.
The major difference between the previous cases that have been reported and the most recent one, which targeted the Sanxenxo City Council’s City Hall, is that in Sanxenxo’s case, the hackers demanded $5,000 in ransom.
Meanwhile, there have been no reports of ransom demands in Bitcoin from other municipalities. But this could represent a pivot from the established trend, which could open the floodgates for demands when the incident happens.
Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.
