The 2025 Iberian Peninsula blackout was a deliberate cyberattack or engineered sabotage, not a technical grid failure
Where the evidence lands: ContradictedThat the 28 April 2025 Iberian blackout was not an ordinary technical failure but a deliberate act: a cyberattack on the Spanish and Portuguese grids (attributed by various tellings to Russia, Morocco or North Korea, or claimed by pro-Russian hacktivists), or an engineered event staged to justify tighter central control of the grid, or covert proof that the renewable-heavy Spanish system was sabotaged. In every version, a hidden hand intentionally switched off the lights and the true cause is being hidden behind a bland technical explanation.
Believed by: A large online audience during the outage and the days after; amplified by pro-Russian hacktivist channels and by accounts that recycled a fabricated CNN and von der Leyen quote, with softer suspicion lingering among people who distrust official grid operators or oppose the renewables build-out
The full story
What actually happened
At 12:33 CET on 28 April 2025, the electricity systems of mainland Spain and Portugal collapsed almost at the same instant. In a matter of seconds the grid shed roughly 31 GW of demand. Trains stopped between stations, traffic lights went dark, card payments failed, and mobile networks dropped. For most of the Iberian Peninsula the power stayed off for about ten hours, with restoration stretching into the night. It was the worst blackout Europe had seen in decades.
That much is documented and not in dispute. A sudden, continent-scale loss of power is frightening, and it is exactly the kind of event that invites the question who did this to us. Within hours, an answer arrived that felt to many people more satisfying than any engineering diagram: it was an attack. This file is about that answer, and whether it holds up.
The distinction matters, so it is worth stating plainly at the top. The blackout is a fact. The claim under review is narrower: that the blackout was a deliberate act, a cyberattack or an engineered event, rather than a technical failure of the grid. On that specific claim, the evidence is now in, and it runs the other way.
Why an attack seemed obvious
The cyberattack story did not come from nowhere, and steelmanning it honestly means acknowledging that several real things lined up to make it look plausible in the first hours.
The threat is genuine. Power grids really are a target. State-linked hackers probe critical infrastructure, and Western security agencies publish warnings about pro-Russia groups attacking utilities. Against that backdrop, a grid going dark reads as an attack before it reads as a fault. Anyone who dismissed the possibility out of hand would have been the careless one.
Someone claimed it. Within hours, two pro-Russian hacktivist collectives, Dark Storm Team and NoName057(16), publicly took joint credit, posting that they had cut the electricity in NATO countries. A confident, named claim of responsibility carries a weight that vague rumour does not, and it gave the theory an author.
The scale felt deliberate.Two countries, tens of gigawatts, all at once: intuitively, a failure that big looks coordinated. And a real policy argument was already running in the background about whether Spain's fast build-out of solar and wind had left the system thinly supported, which gave the sabotage framing something concrete to attach to.
The lights went out across an entire peninsula and a known hostile group said it did the deed. Suspecting an attack, in that first hour, was not irrational. It was where the evidence had to be checked, not where it ended.
So the honest case for taking the attack idea seriously is that the danger is real, a capable actor claimed the act, and the event was genuinely alarming. The conspiracy claim then goes further, that the attack happened and the technical explanation is a cover. That is the step the evidence has to bear, and it is where it gives way.
What the investigations found
Once investigators actually looked, the attack story found nothing to stand on, and it found it repeatedly, across independent bodies with no shared incentive to agree.
Spain's grid operator said almost immediately that its early analysis showed no intrusion into its systems. Spain's governmentthen ran what Secretary of State for Energy Sara Aagesen called the largest cybersecurity investigation in the country's history, sifting more than 300 GB of data, and concluded there was no evidence of a cyber-incident or cyberattack as the cause. Portuguese officials attributed the disturbance to a problem on the transmission network originating in Spain, not to any hostile actor.
The decisive technical account came from the ENTSO-E expert panel, a group of dozens of specialists drawn from transmission operators, regional coordination centres and regulators, chaired by experts from unaffected operators. Its factual report attributed the collapse to a voltage surge the grid could not absorb: a combination of interacting factors, oscillations, gaps in voltage and reactive-power control, differing regulation practices, rapid output reductions and generator disconnections, produced fast voltage rises and a cascade of automatic shutdowns that ran its course in roughly thirty seconds. No stage of that account requires, or shows, an attacker.
The hacktivist claim, examined rather than repeated, dissolves. Dark Storm Team and NoName057(16) are known for denial-of-service actions and for boasting; they produced no technical evidence of having caused a grid collapse, and no investigation found an intrusion to match the boast. Taking credit for a disaster you did not cause is a standard way for such groups to raise their profile, and that is what the record shows here.
The fabrications that fed it
The attack narrative did not just lack evidence; it was actively propped up by invented evidence, and tracing those fakes is one of the clearest tells that this was rumour rather than a hidden truth.
A fabricated CNN report and a quote falsely attributed to European Commission president Ursula von der Leyenboth circulated, each dressing the cyberattack claim in the authority of a trusted institution. Neither was real. Separately, several major outlets, Reuters among them, briefly reported that Portugal's grid operator REN had blamed a rare atmospheric phenomenon; REN said it had made no such statement, and the outlets corrected themselves.
The attributions themselves kept moving. In different posts the culprit was Russia, then Morocco, then North Korea, with no consistent evidence tying the blackout to any of them. A real attribution, backed by forensic detail, tends to converge on one actor as evidence accumulates. A rumour cycles through villains depending on the audience. This one cycled.
A theory that has to borrow a fake news report and a fake quote to sound credible is telling you something. The scaffolding was invented, and when it was pulled away nothing underneath was left standing.
The real debate the story buried
The attack theory persists partly because it sits on top of a real argument, and it helps to separate the two so the legitimate one is not discredited by the false one.
There isa serious, open discussion about grid resilience. Modern systems lean heavily on inverter-based generation, solar and wind connected through power electronics rather than the spinning mass of conventional plants, and that changes how a grid supports voltage and rides through disturbances. The ENTSO-E panel's findings on voltage and reactive-power control, and its recommendations, are aimed squarely at this: how to keep a low-inertia, renewable-heavy system stable. Those are hard, real questions, and Spanish authorities also faced pointed questions about planning and whether reserves were arranged adequately for the conditions that day.
The conspiracy version takes that legitimate debate and inverts it. Instead of “the grid had a resilience weakness that engineers are now fixing,” it offers “the renewables were sabotage” or “the blackout was engineered to justify central control.” The difference is not subtle. One claim can be tested, and is being tested, through published data and recommendations. The other assumes a hidden intent for which no investigation found any trace.
The psychology is familiar. A technical cause that unfolds in thirty seconds of voltage physics is abstract and unsatisfying; a hostile hand is vivid and assigns blame to a person. When a fabricated CNN report and a confident hacktivist boast are both floating past in the same hour, the vivid story wins attention, and it keeps winning it long after the boring, documented explanation has arrived.
Where the evidence lands
Two things are true, and the discipline of this case is holding them apart. The blackout was real: on 28 April 2025 Spain and Portugal lost about 31 GW in seconds and went dark for roughly ten hours. The deliberate-attack claim is false: Spain's largest-ever cybersecurity investigation found no cyber-incident, Portugal traced the disturbance to the Spanish transmission network, and the ENTSO-E expert panel attributed the collapse to a voltage surge and cascading disconnections, with no attacker in the sequence. On the rated claim, that the blackout was a cyberattack or engineered sabotage, the verdict is Debunked.
That verdict does not dismiss the fear that drove the theory. Grids are a genuine target, hostile groups did claim this event, and the danger of a real attack on critical infrastructure is not imaginary. The point is that this particular blackout was investigated hard, from several independent directions, and every serious inquiry found a technical cause and no intrusion. A boast is not a breach, and a fabricated quote is not a finding.
What deserves to survive the debunking is the legitimate question underneath: how a modern, renewable-heavy grid maintains voltage and stability, and whether operators and regulators planned well enough for the conditions that day. That conversation is worth having on its own terms. Collapsing it into a story about a hidden switch and a covered-up attacker does not sharpen it; it just borrows the alarm of a real disaster to sell a claim the evidence has already closed.
What's still unexplained
- The precise sequence is still being distilled into lessons. The ENTSO-E factual report identified the voltage cascade, and the final report set out recommendations, but exactly which planning and operational decisions most contributed, and how responsibility is shared between operators, is still being worked through. None of that reopens the attack claim; it refines the technical account.
- Grid resilience under high renewables is a legitimate open problem. How much system inertia, voltage support and reactive-power reserve a modern inverter-heavy grid needs to ride through disturbances is an active engineering and policy question, distinct from any question of sabotage.
- Accountability remains contested. A year on, debate continued over whether operators and regulators planned adequately for the conditions that day, which is a governance question about competence and oversight, not evidence of a deliberate plot.
Point by point
The claim: Pro-Russian hacktivists claimed responsibility, which shows the blackout was a cyberattack.
What the record shows: A claim of credit is not evidence of causation. Dark Storm Team and NoName057(16) are known for disruptive denial-of-service actions and opportunistic boasting, and they offered no technical proof of having caused a grid collapse. Red Eléctrica found no intrusion, and Spain's national cybersecurity review, examining more than 300 GB of data, found no cyber-incident. Groups routinely take credit for events they did not cause to inflate their profile; that is what the investigations conclude happened here.
The claim: It was a foreign cyberattack by Russia, Morocco or North Korea, later covered up.
What the record shows: The attribution shifted from post to post, which is a hallmark of rumour rather than intelligence. No government or grid operator identified any hostile intrusion. Spain's government called its probe the largest cybersecurity investigation in the country's history and found no evidence of an attack; Portugal traced the disturbance to the Spanish transmission network; the ENTSO-E panel found a technical cascade. The naming of three different countries, with no consistent evidence for any, points to viral speculation, not a concealed culprit.
The claim: A fabricated CNN report and a von der Leyen quote confirmed the cyberattack.
What the record shows: Both were fakes. The CNN report and the quote attributed to the European Commission president were fabricated and circulated to lend authority to the attack narrative. Separately, several outlets including Reuters briefly reported that Portugal's REN blamed a rare atmospheric phenomenon; REN said it had issued no such statement and the outlets corrected the story. The information around the blackout was polluted with invented sourcing, which is the opposite of a documented cyberattack.
The claim: The blackout was engineered to justify more central control, or to hide that renewables sabotaged the grid.
What the record shows: This reframes a genuine engineering debate as a plot. The ENTSO-E expert panel identified a combination of interacting factors: voltage and reactive-power control gaps, differences in voltage-regulation practice, rapid output reductions and generator disconnections, and uneven system stabilisation, leading to fast voltage rises and a cascade. High shares of inverter-based renewables raise real questions about system inertia and voltage support, and those are being addressed openly through published findings and recommendations. A hard engineering problem being studied in public is not the same as a covert act of sabotage.
The claim: A blackout this large across two countries cannot be an accident; someone must have switched it off.
What the record shows: Scale is not a signature of intent. Interconnected grids are engineered so that a local disturbance can, under the wrong conditions, cascade across a wide area in seconds; that is precisely how protective relays and automatic disconnections work. The ENTSO-E panel describes a cascade unfolding over roughly thirty seconds from voltage instability. Historic large blackouts, from the 2003 US and Northeast event to Italy the same year, likewise spread fast from technical faults with no attacker involved.
Timeline
- 2025-04-28At 12:33 CET the Spanish and Portuguese grids collapse together, shedding about 31 GW of load in seconds. Most of mainland Spain and Portugal loses power; transport, payments and telecoms fail. Restoration takes roughly ten hours in most areas, stretching into the night.
- 2025-04-28Within hours, two pro-Russian hacktivist collectives, Dark Storm Team and NoName057(16), claim joint responsibility online, posting that they had cut electricity in NATO countries. No technical detail accompanies the boast.
- 2025-04-28False and misleading posts spread fast. Some blame a Russian, Moroccan or North Korean cyberattack; others circulate a fabricated CNN report and a quote falsely attributed to European Commission president Ursula von der Leyen. Several outlets, including Reuters, briefly report that Portugal's grid operator REN blamed a rare atmospheric phenomenon; REN later says it issued no such statement and the outlets correct the record.
- 2025-04-28Spain's grid operator Red Eléctrica says its early analysis shows no intrusion into its systems. European Council president António Costa says there is no indication of a cyberattack.
- 2025-04-29Portuguese officials attribute the event to a problem on the transmission network originating in Spain, pushing back on the idea that Portugal was the source or that a hostile actor was involved.
- 2025-05The World Economic Forum and cybersecurity commentators note the key distinction: this blackout was not a cyberattack, but the threat to power grids from real cyber operations is genuine, which is part of why the attack story felt plausible.
- 2025-05-15Spain's government rules out a cyberattack. Secretary of State for Energy Sara Aagesen describes the largest cybersecurity investigation ever conducted in the country and states there is no evidence of a cyber-incident or cyberattack as the cause.
- 2025-06-17Spain's official report attributes the blackout to a combination of technical failures, including voltage-control shortcomings and planning gaps in how reactive power was managed, and again rules out a cyberattack.
- 2025-10-03The ENTSO-E expert panel publishes its factual report, attributing the collapse to fast voltage rises and cascading generator disconnections that developed over roughly thirty seconds. Its final report, with recommendations, follows in March 2026. Neither finds any sign of a deliberate attack.
From the case file
The actual records: declassified, released, or leaked. We link straight to each document in its official archive, so you never have to take our word for it. Read the originals yourself.
Contradicted. That a massive blackout hit Spain and Portugal on 28 April 2025 is not in dispute: roughly 31 GW of load vanished in seconds and power was out for about ten hours across most of the peninsula. The rated claim is narrower, that the collapse was a deliberate cyberattack or an engineered event. That claim is debunked. Spain's government ran what it called its largest-ever cybersecurity investigation and found no evidence of a cyber-incident; Portuguese officials pointed to a transmission-network problem originating in Spain; and the ENTSO-E expert panel attributed the cascade to a voltage surge that tripped protective shutdowns within about thirty seconds. Two pro-Russian hacktivist groups boasted of causing it, but no investigator found any intrusion behind the outage.
Sources
- 1.2025 Iberian Peninsula blackout, Wikipedia (2026)
- 2.Iberian Peninsula blackout sparks spread of false theories online, Euronews (2025)
- 3.Iberian blackout: Cyberattack is not to blame, but the threat to power grids is real, World Economic Forum (2025)
- 4.Spanish government rules out that a cyberattack caused nationwide blackout, Spain in English (2025)
- 5.Spain says April's blackout was caused by multiple technical failures and rules out cyberattack, Euronews (2025)
- 6.28 April 2025 Iberian blackout: Expert Panel investigation, ENTSO-E (2025)
- 7.ENTSO-E publishes Expert Panel final report on 28 April 2025 blackout in Spain and Portugal, ENTSO-E (2026)
- 8.Perfect storm of multiple factors behind 2025 Iberia power blackout, experts say, Euronews (2026)
- 9.Pro-Russian hackers claim responsibility for major power outage across Spain, Portugal, Morocco World News (2025)
Help us investigate
This is a living case file. If you spot an error or know evidence we missed, tell us, and weigh in on where you land.
Where do you land?
Cast your read on this one.