Pro-Russian Cybercrime Group NoName057(16) Hit Hard In Global Takedown


A global police operation has dealt a heavy blow to the pro-Russian cybercrime network dubbed NoName057(16), which has been accused of launching disruptive digital attacks in support of Moscow’s war against Ukraine.

Between 14 and 17 July, law enforcement agencies from across Europe and North America carried out coordinated raids and seizures under Operation Eastwood. The crackdown was led by Europol and Eurojust, and supported by a wide coalition of countries and cybersecurity experts.

It dismantled a major portion of the group’s infrastructure, took servers offline, issued arrest warrants, and warned hundreds of suspected sympathisers.

NoName057(16) is known for orchestrating distributed denial-of-service (DDoS) attacks: cheap, loud, and effective methods for flooding websites with traffic until they crash. Their targets have included Ukrainian institutions, European governments, banks, parliaments, and NATO events. Their motivation? Ideology, influence, and a steady drip of cryptocurrency rewards.

A Criminal Network Without a Leader 

Investigators say the group isn’t tightly organised. There’s no clear hierarchy. No genius in a basement. Just a sprawling network of Russian-speaking volunteers, pulled in through social media, hacker forums, and gamified propaganda.

They call on sympathisers to attack. They share tutorials and tools. They praise top performers and pay them in crypto. It’s part political theatre, part online mob. 

But now, many of those volunteers are learning what that support costs.

More than 1,000 suspected backers (15 of them identified as administrators) received warnings via messaging apps. The messages were blunt: your actions are illegal. You are being watched. Legal consequences are on the table.

Arrests, Seizures, and Disruption 

The operation also led to:

  • Two arrests (in France and Spain) 
  • Seven arrest warrants, including six targeting Russian nationals 
  • 24 house searches across Czechia, France, Germany, Italy, Spain, and Poland 
  • 13 individuals questioned 
  • Over 100 servers taken down 
  • Major parts of the group’s infrastructure wiped offline

Germany, a key player in the investigation, issued six warrants. Two suspects are believed to be ringleaders. The names of several individuals are now public, with five featured on the EU’s Most Wanted website.

The FBI also participated, alongside police forces from countries including Sweden, Lithuania, the Netherlands, Switzerland, and Finland. Support came from Canada, Belgium, Denmark, Estonia, Latvia, Romania, Ukraine, and ENISA. Private partners ShadowServer and abuse.ch assisted with the technical side.

DDoS in the Name of the Kremlin

While NoName057(16) started out targeting Ukrainian systems, they soon widened their scope. Anyone who showed support for Ukraine became fair game.

In Germany, the group carried out 14 waves of cyberattacks against more than 250 institutions between late 2023 and mid-2024. In Switzerland, they struck in sync with symbolic moments, like a Ukrainian video address to Parliament and the Bürgenstock Peace Summit. The Netherlands also reported attacks during this year’s NATO summit.

Authorities say that although the attacks caused disruption, they were ultimately mitigated. 

The group’s botnet (hundreds of servers strong) was key to their effectiveness. That’s what made this week’s takedown so significant. By knocking out core systems, authorities disrupted the group’s ability to coordinate, communicate, and attack at scale.

Europol and Eurojust at the Helm

Behind the scenes, Europol coordinated more than 30 meetings and operational sprints. It provided forensic expertise, crypto tracing, and ran a prevention campaign targeting suspected members. 

Eurojust helped plan and execute legal actions across borders. Mutual Legal Assistance requests and European Investigation Orders were fast-tracked. On 15 July, as action teams moved in, Eurojust handled real-time judicial support to ensure no time was lost.

Representatives from Germany, France, Spain, the Netherlands and Eurojust were stationed at Europol’s headquarters during the takedown. A virtual command post linked them to counterparts in participating countries. 

Cybercrime Meets Gamification 

What sets NoName057(16) apart is how it recruits. 

They use the language of gamers. Rewards. Leaderboards. Badges. Status. 

You don’t need to know how to code. You just need to believe in the cause, or want some crypto. Their DDoS platform, “DDoSia,” lowers the barrier to entry. Everything else is about emotion. Anger, belonging, and purpose. 

Investigators believe many of the group’s 4,000+ supporters were pulled in this way. Some were teenagers. Others were opportunists. All are now under the microscope.

Multi-Layered Security Needed

According to Rafa López, security engineer at Check Point, “While the recent international crackdown on the NoName057(16) group has disrupted their operations, it is unlikely to mark the end of their activities.” 

He says the Russia-affiliated hacktivist group, which primarily targets countries with anti-Russian stances, continues to operate through encrypted channels like Telegram and Discord. “Although their DDoS capabilities have been reduced, they are shifting toward more sophisticated methods, including system intrusions and data exfiltration. The group remains active and has built a vast network of affiliates, with thousands of volunteers across various platforms, including online gaming and hacktivist forums.

“As experts in cybersecurity, we recommend that organisations strengthen their defences by implementing multi-layered security strategies, including robust DDoS protection, intrusion detection systems, and regular security audits. It is also essential to educate employees about the risks of cyberattacks, as well as to monitor for unusual activities on communication platforms that might indicate potential recruitment efforts. By staying vigilant and proactive, companies can better safeguard themselves against evolving threats from groups like NoName057(16),” López ends.


Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


