Global crackdown hits pro-Russian cybercrime, 100+ systems taken down worldwide

In a major blow to pro-Russian cybercrime, authorities across Europe and the United States launched a sweeping international crackdown on the hacking group NoName057(16) between 14 and 17 July. The coordinated operation, codenamed Eastwood and led by Europol and Eurojust, targeted the group’s members and infrastructure.

Law enforcement and judicial authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States took part in the simultaneous actions. The investigation was further supported by ENISA and authorities from Belgium, Canada, Estonia, Denmark, Latvia, Romania, and Ukraine.

The operation disrupted a global attack infrastructure comprising more than 100 computer systems, and a significant portion of the group’s central servers was taken offline.

German authorities issued six arrest warrants for individuals residing in the Russian Federation, including two alleged ringleaders behind NoName057(16)’s operations. In total, national authorities have issued seven arrest warrants, targeting, among others, six Russian nationals suspected of involvement in the group’s criminal activities. All suspects are now internationally wanted, with some of their identities publicly disclosed in the media.

National authorities have contacted several hundred individuals suspected of supporting the NoName057(16) cybercrime network. Using a popular messaging platform, officials sent notices informing recipients of the legal consequences they may face under national laws for their involvement.

The group’s supporters are primarily Russian-speaking sympathizers who use automated tools to launch DDoS attacks. Lacking formal leadership or advanced technical expertise, these individuals are driven by ideological motives and the prospect of rewards.

Overall results of Operation Eastwood:

  • 2 arrests (1 preliminary arrest in France and 1 in Spain)
  • 7 arrest warrants issued (6 by Germany, and 1 by Spain)
  • 24 house searches (2 in Czechia, 1 in France, 3 in Germany, 5 in Italy, 12 in Spain, 1 in Poland)
  • 13 individuals questioned (2 in Germany, 1 in France, 4 in Italy, 1 in Poland, 5 in Spain)
  • Over 1 000 supporters, 15 of them administrators, notified of their legal liability via a messaging app
  • Over 100 servers disrupted worldwide
  • Major part of NoName057(16) main infrastructure taken offline

Members of the NoName057(16) cybercrime network initially focused their attacks on Ukraine but have since expanded their targets to include countries that support Ukraine in its defense against Russia’s war of aggression, many of them NATO members.

National authorities have reported numerous cyberattacks linked to the group. In 2023 and 2024, NoName057(16) was involved in attacks on Swedish government agencies and banking websites. Since the investigation began in November 2023, Germany has experienced 14 distinct waves of attacks, affecting more than 250 companies and institutions.

In Switzerland, the group launched multiple attacks in June 2023, coinciding with a Ukrainian video address to the Joint Parliament, and again in June 2024 during the Peace Summit for Ukraine held at Bürgenstock. Most recently, Dutch authorities confirmed that an attack attributed to NoName057(16) occurred during the NATO summit in the Netherlands. All of these incidents were successfully mitigated without causing significant disruption.

