Pro-Russian DDoS group NoName057(16) disrupted by international law enforcement operation

An international law enforcement operation conducted this week targeted the members of and infrastructure used by NoName057(16), a pro-Russian hacktivist group that has conducted distributed denial-of-service (DDoS) attacks across Europe since early 2022.

Operation Eastwood disrupted over 100 servers worldwide and resulted in two arrests, seven international arrest warrants, and 24 house searches across multiple jurisdictions. The operation, coordinated by Europol and Eurojust with participation from 12 countries, broke up a cybercrime network that had mobilized an estimated 4,000 members who conducted attacks against entities in countries across Europe and in Israel.

NoName057(16) used Telegram channels, specialized forums, and messaging applications to distribute attack tools, tutorials, and plans. The group employed gamification techniques including leaderboards, badges, and cryptocurrency rewards to keep members active, particularly targeting younger individuals by claiming the group was defending or working on behalf of Russia.

Group members relied on the open-source “DDoSia” platform and a botnet comprising several hundred servers, which allowed the group to scale attack capacity. Participants downloaded malware that enabled them to contribute computing resources to coordinated attacks, with the most active contributors receiving financial incentives in cryptocurrency.

The group chose its targets based on political events. At first, they attacked websites in Ukraine. Later, they expanded their attacks to countries in NATO and organizations that support Ukraine. Some of their attacks took place during the European elections, affecting Swedish government agencies and bank websites. They also timed attacks with major political events, including the Ukrainian president’s speech to the Swiss parliament and the NATO summit in the Netherlands.

Germany issued six of the seven arrest warrants, with two suspects identified as primary operators residing in Russia. The operation involved help from law enforcement agencies in Czechia, Estonia, Finland, France, Germany, Latvia, Lithuania, the Netherlands, Poland, Spain, Sweden, Switzerland, and the United States.