Hackers demand Bitcoin ransom to release encrypted data in an attack targeting the Sanxenxo City Council in Spain

The Sanxenxo City Council, in Pontevedra, in the autonomous community of Galicia, is currently living through a cyberattack that has resulted in a standoff between the City Council and the hackers who have made their demands known. 

The city has signaled plans to move forward without paying the $5,000 BTC ransom required to release encrypted data in an attack that has compromised thousands of administrative documents from the Sanxenxo City Council in Spain.

What happened to Sanxenxo City Council in Pontevedra

According to recent reports, hackers got into the City Hall’s internal systems on January 26, 2026, locking it up and encrypting thousands of documents. This prevents access to essential information and makes it impossible for officials to work. 

The incident has been confirmed by the government itself and cited in local news reports. The hackers reportedly used malware to infiltrate the main network, and as a result of the attack, the municipal server became completely inoperative, affecting essential services for residents that are processed at the main office.

Fortunately, not all areas of the municipality were affected by the attack. The municipal companies Nauta and Turismo were unaffected by the attack, but this is reportedly because they operate on independent networks. 

The City Hall’s online portal also remained operational, allowing citizens to continue their procedures online. 

What the hackers want 

The attackers have demanded a ransom of $5,000 in Bitcoin (BTC) to restore the files, a meager amount considering the bargaining chip they have, which is relatively vanilla for an attack of this magnitude. This could mean the perpetrators are small time or one-off criminals rather than a sophisticated group that has been linked to greater exploits in the US. 

The demands have also mostly gone ignored by the municipality, whose officials refused to pay the ransom. They instead filed a formal complaint with the Civil Guard and activated daily backups. 

The backups are expected to restore the systems within the next few hours. However, Mayor Telmo Martín has revealed that despite hopes things can be restored in the next 24 to 48 hours, the process may take longer was originally anticipated. 

Ransomware attacks are targeting Spanish municipalities 

The incident in Sanxenxo is not a standalone case and is part of an increase in ransomware attacks targeting local governments in Spain. 

These ransomware attacks started becoming rampant in 2025, with similar incidents reported in municipalities such as Badajoz, Melilla, and Villajoyosa. The attack on Badajoz was particularly severe as it blocked administrative procedures for a population of nearly 150,000.

This year, aside from Sanxenxo, areas like Beniel, a municipality in the Region of Murcia, and Adeje, in Tenerife, also faced cyberattacks that rendered their digital systems inoperable.

In the town hall of Adeje, in Tenerife, the municipal website was temporarily shut down because unauthorized access was detected, and security protocols were activated. 

The major difference between the previous cases that have been reported and the most recent one, which targeted the Sanxenxo City Council’s City Hall, is that in Sanxenxo’s case, the hackers demanded $5,000 in ransom. 

Meanwhile, there have been no reports of ransom demands in Bitcoin from other municipalities. But this could represent a pivot from the established trend, which could open the floodgates for demands when the incident happens.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.