Between 14 and 17 July, a joint international operation, known as Eastwood and coordinated by Europol and Eurojust, targeted the cybercrime network NoName057(16).
Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands and the United States took simultaneous actions against offenders and infrastructure belonging to the pro-Russian cybercrime network.
The investigation was also supported by ENISA, as well as Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. The private parties ShadowServer and abuse.ch also assisted in the technical part of the operation.
The actions led to the disruption of an attack-infrastructure consisting of over one hundred computer systems worldwide, while a major part of the group’s central server infrastructure was taken offline. Germany issued six warrants for the arrest of offenders living in the Russian Federation. Two of these persons are accused of being the main instigators responsible for the activities of “NoName057(16)”. In total, national authorities have issued seven arrest warrants, which are directed, inter alia, against six Russian nationals for their involvement in the NoName057(16) criminal activities. All of the suspects are listed as internationally wanted, and in some cases, their identities are published in media. Five profiles were also published on the EU Most Wanted website.
National authorities have reached out to several hundred of individuals believed to be supporters of the cybercrime network. The messages, shared via a popular messaging application, inform the recipient of the official measures highlighting the criminal liability they bear for their actions pursuant to national legislations. Individuals acting for NoName057(16) are mainly Russian-speaking sympathisers who use automated tools to carry out distributed denial-of-service (DDoS) attacks. Operating without formal leadership or sophisticated technical skills, they are motivated by ideology and rewards.
Overall results of Operation Eastwood
- 2 arrests (1 preliminary arrest in France and 1 in Spain)
- 7 arrest warrants issued (6 by Germany, and 1 by Spain)
- 24 house searches (2 in Czechia, 1 in France, 3 in Germany, 5 in Italy, 12 in Spain, 1 in Poland)
- 13 individuals questioned (2 in Germany, 1 in France 4 in Italy, 1 in Poland, 5 in Spain)
- Over 1 000 supporters, 15 of which administrators, notified for their legal liability via a messaging app
- Over 100 servers disrupted worldwide
- Major part of NoName057(16) main infrastructure taken offline
NoName057(16) DDoS disruption attempts in favour of Russia
Offenders associated to the NoName057(16) cybercrime network targeted primarily Ukraine, but have shifted their focus to attacking countries that support Ukraine in the ongoing defence against the Russian war of aggression, many of which are members of NATO.
National authorities have reported a number of cyberattacks linked to NoName057(16) criminal activities. In 2023 and 2024, the criminal network has taken part in attacks against Swedish authorities and bank websites. Since investigations started in November 2023, Germany saw 14 separate waves of attacks targeting more than 250 companies and institutions.
In Switzerland, multiple attacks were also carried out in June 2023, during a Ukrainian video-message addressed to the Joint Parliament, and in June 2024, during the Peace Summit for Ukraine at Bürgenstock. Most recently, the Dutch authorities confirmed that an attack linked to this network had been carried out during the latest NATO summit in the Netherlands. These attacks have all been mitigated without any substantial interruptions.
Central coordination to target the pro-Russian cybercrime network
Europol facilitated the information exchange and supported the coordination of the operational activities, serving as a hub for the communication between national authorities and EU agencies. For that purpose, Europol organised over 30 online and offline meetings and two operational sprints. Europol also facilitated cooperation with private partners, who offered their assistance both ahead of and following the operation. The Agency provided extensive analytical support, as well as cryptocurrency tracing and forensic expertise over the course of the investigation. Europol coordinated the prevention campaign, released to alleged affiliates via messaging apps and social media channels.
During the action day against NoName057(16)’s affiliates, Europol set-up a coordination centre at its headquarters with representatives from France, Germany, Spain, the Netherlands and Eurojust, and made available a Virtual Command Post to connect the other participating countries with the coordination centre.
The Joint Cybercrime Action Taskforce (J-CAT) at Europol also supported the operation. This operational team consists of cyber liaison officers from different countries who work from the same office at Europol’s headquarters, delivering various forms of support to high-profile cybercrime investigations.
Through Eurojust, authorities were able to coordinate the judicial activities and plan their respective measures during the action day. The Agency ensured the execution of Mutual Legal Assists and multiple European Investigation Orders. During the action day on 15 July, Eurojust coordinated any last-minute judicial requests required during the operation.
Gamified manipulation to motivate pro-Russian cyberattacks
Investigations by national authorities identified NoName057(16) as an ideological criminal network that has been seen to profess support to the Russian Federation and, in the context of the Russian war of aggression against Ukraine, has been linked to numerous DDoS cyberattacks. During such attacks, a website or online service is flooded with traffic with the objective of overloading it and rendering it unavailable. In addition to the activities of the network, estimated at over 4 000 supporters, the group was also able to construct their own botnet made up of several hundred servers, used to increase the attack load.
To share calls to action, tutorials, updates, and to recruit volunteers, the group leveraged pro-Russian channels, forums, and even niche chat groups on social media and messaging apps. Volunteers often invited friends or contacts from gaming or hacking forums, forming small recruitment circles. These actors used platforms like DDoSia to simplify technical processes and provide guidelines, enabling new recruits to become operational quickly.
Participants were also paid in cryptocurrency, which incentivised sustained involvement and attracted opportunists. Mimicking game-like dynamics, regular shout-outs, leader boards, or badges provided volunteers with a sense of status. This gamified manipulation, often targeted at younger offenders, was emotionally reinforced by a narrative of defending Russia or avenging political events.
Click Here For The Original Source.
