Europol Disrupted “NoName057(16)” Hacking Group’s Infrastructure of 100+ Servers Worldwide

A coordinated international cybercrime operation successfully dismantled the pro-Russian hacking network NoName057(16), taking down over 100 servers worldwide and disrupting their central attack infrastructure. 

The joint operation, dubbed “Eastwood,” coordinated by Europol involved 12 countries and resulted in multiple arrests, warrants, and the neutralization of a sophisticated distributed denial-of-service (DDoS) attack network that had been targeting Ukraine and its NATO allies.

Key Takeaways
1. 12 countries dismantled the pro-Russian group NoName057(16).
2.  100+ servers offline, 2 arrests, 7 warrants issued.
3. Gamified DDoS attacks with 4,000+ supporters.

The technical aspects of the operation were bolstered by private sector partnerships with ShadowServer and abuse.ch, demonstrating the critical importance of public-private collaboration in cybersecurity operations. 

Germany issued six arrest warrants for Russian nationals, identifying two individuals as the primary instigators behind NoName057(16)’s activities. 

The operation resulted in two preliminary arrests in France and Spain, 24 house searches across multiple countries, and the questioning of 13 individuals connected to the network.

DDoS Attacks Target Ukraine Supporters 

NoName057(16) operated as an ideological criminal network supporting the Russian Federation, utilizing sophisticated recruitment and motivation techniques to build a network of over 4,000 supporters. 

The group employed gamified manipulation tactics, including cryptocurrency payments, leaderboards, and badge systems to incentivize sustained participation in DDoS attacks against Ukrainian infrastructure and NATO member countries supporting Ukraine.

The cybercriminals leveraged platforms like DDoSia to simplify technical processes and provide operational guidelines, enabling rapid recruitment and deployment of new attackers.

These distributed denial-of-service attacks involved flooding target websites and online services with traffic to render them unavailable. 

The network constructed its own botnet comprising several hundred servers to amplify attack capabilities beyond individual volunteer contributions.

The operation’s success stemmed from extensive international coordination, with Europol facilitating over 30 meetings and two operational sprints while providing cryptocurrency tracing and forensic expertise. 

National authorities reached out to over 1,000 suspected supporters through messaging applications, informing them of potential criminal liability under national legislation.

Recent attacks linked to NoName057(16) included targeting Swedish authorities and banking websites in 2023-2024, over 250 German companies and institutions across 14 attack waves, and disruption attempts during the Ukrainian Peace Summit at Bürgenstock and the NATO summit in the Netherlands. 

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now