Authorities Seize Over 100 Servers Of The Pro‑Russian NoName057(16) Hacktivist Network

Europe’s cyberlaw enforcers just dealt a blow to the pro‑Russian hacktivist group NoName057(16), notorious for orchestrating DDoS attacks on NATO-aligned nations. A coordinated international operation led by Europol targeted the group’s infrastructure including more than 100 servers worldwide, and affiliates in a strike timed to disrupt its ability to launch cyberattacks from the source.

Tactical Takedown

The takedown, executed earlier this month under the banner name “Operation Eastwood“, was the result of a multi-country law enforcement operation targeting the group’s infrastructure, financial channels, and administrative operators.

The group gained notoriety for its highly coordinated digital assaults on critical infrastructure in Ukraine-supporting countries, including Poland, Lithuania, Norway, and the United States. Its weapon of choice was distributed denial-of-service (DDoS) attacks that crippled government portals, financial services, and public transport websites—often with overt political messaging and nationalistic undertones.

About NoName057(16)

Operating primarily through encrypted Telegram channels and GitHub repositories, NoName057(16) has been active since early 2022, launching aggressive DDoS attacks under the guise of patriotic retaliation for Western support to Ukraine.

Their infrastructure was supported by a publicly distributed DDoS toolkit called “DDOSIA,” which enabled followers and freelance hacktivists to launch packet floods against chosen targets using a plug-and-play interface. The campaign’s distributed model—paired with constant propaganda drops on Telegram—allowed the group to crowdsource digital disruption at scale.

According to Europol, the network relied on both centrally coordinated command-and-control servers and loosely affiliated contributors executing instructions provided in public forums.

Their tactics, while not the most sophisticated in the cyber arsenal, were effective precisely because of their relentless nature and ideological fervor. They primarily focused on:

• DDoS Attacks: Flooding websites and online services, making them inaccessible to legitimate users.
• Targeting Critical Sectors: Railways, transportation, media, healthcare, and government portals across Europe and North America have all felt their wrath.
• Propaganda and Intimidation: Beyond the technical disruption, their attacks served a psychological purpose, aiming to sow chaos and demonstrate Russia’s digital reach.

They weren’t just hackers; they were digital saboteurs, aligned with a broader geopolitical agenda, operating in a gray zone where patriotism and cybercrime seamlessly intertwined.

Also read: Undercover Researchers Decode Hidden Operations of NoName057(16)

Impact of ‘Operation Eastwood’

The law enforcement offensive was coordinated by Europol’s European Cybercrime Centre (EC3) and involved authorities from the Czech Republic, France, Germany, Hungary, Italy, Slovakia, the Netherlands, and the United States.

Key outcomes from the operation include:

• Two suspects arrested and multiple others identified across jurisdictions.

• Dozens of digital assets seized, including over 100 servers worldwide, Telegram admin credentials, GitHub-hosted malware tools, and likely cryptocurrency wallets tied to NoName057(16)’s crowdfunding campaigns.

• The group’s Telegram bot, used to assign attack targets and display real-time “victory” messages, was taken offline.

• While not explicitly stated in every detail, disrupting the financial channels that sustain such groups is always a critical component of these operations.

Last year, the Spanish authorities arrested three individuals linked to the hacktivist group from Mallorca, Huelva, and Seville. Information recovered from the seized devices and infrastructure during these arrests could possibly have been the starting point of Operation Eastwood.

Also read: Spanish Police Arrests Three Suspects Linked to NoName057(16) Attacks

The Victims

Since its inception, NoName057(16) has zeroed in on NATO-aligned countries. The group’s targets have included:

• Ministries and parliaments in the Nordic and Baltic states

• Energy and transport providers in Eastern Europe

• News agencies and media outlets in the United States, Germany, and France

• Banking portals and defense-linked services in Sweden, Poland, Czech Republic, and Italy

Many of these attacks followed political events such as arms deliveries to Ukraine or high-profile visits from Western leaders. According to Europol, this political opportunism was strategically timed to create digital disruption and social unrest while promoting pro-Kremlin narratives.

Telegram, GitHub, and the Crowdsourced DDoS Model

NoName057(16) leveraged GitHub to host its DDoS scripts and Telegram to communicate attack targets. One of their key innovations was the use of the DDOSIA platform, which allowed followers to launch attacks and receive cryptocurrency rewards.

This gamified hacktivism model blurred the lines between cybercrime, patriotic activism, and low-cost cyberwarfare. By outsourcing infrastructure destruction to willing volunteers, the group created what Europol called a “cybercrime-as-a-crowd” model.

But that decentralized strength also became a weakness. Law enforcement teams were able to track the Telegram admins and DDoS software updates via GitHub commits and relay servers. This digital breadcrumbs could also possibly have led directly to the infrastructure takedown and identification of suspects.

Europol says the offensive against NoName057(16) is ongoing. With suspects identified and infrastructure seized, the group’s future campaigns face heightened disruption.

Still, NoName057(16) thrives on ad hoc organization and loosely affiliated participants. Taking out servers is tactical; shifting ideology, platforms, and anonymity is strategic. Tracking Telegram channels, GitHub repos, and IP watermarking tactics will be vital for continued disruption.

Related