Europol Disrupts Pro-Russian NoName057(16) DDoS Hacktivist Group in Major International Operation

In a significant crackdown, Europol, along with its counterparts from 12 countries, has successfully targeted the infrastructure and members of the pro-Russian hacktivist group NoName057(16), responsible for distributed denial-of-service (DDoS) attacks across Europe, Israel, and Ukraine.

The operation, dubbed "Operation Eastwood," was conducted on July 15, 2025, and aimed to disrupt the systems and individuals behind the group's activities. The coordinated effort involved law enforcement agencies from Czechia, Estonia, Finland, France, Germany, Latvia, Lithuania, the Netherlands, Poland, Spain, Sweden, Switzerland, and the United States.

NoName057(16) emerged in March 2022, following the outbreak of war in Ukraine, with a stated objective of carrying out DDoS attacks against companies and critical infrastructure supporting Ukraine. The group utilizes Telegram channels and the "DDoSia" project, leveraging volunteers' computers to crowdsource DDoS attacks on targeted organizations.

Since its inception, NoName057(16) has carried out numerous high-profile attacks, including those during the European elections and against key infrastructure in several European countries. According to Eurojust, the group's actions have disrupted critical services in Germany, Poland, Lithuania, Latvia, Estonia, Sweden, and other nations.

"The hacktivist group has executed 14 attacks in Germany, some of which lasted multiple days and affected around 230 organizations, including arms factories, power suppliers, and government institutions," reads a statement from Eurojust. "Attacks were also conducted across Europe during the European elections. In Sweden, authorities and bank websites were targeted, while in Switzerland, multiple attacks occurred during a video message given by the Ukrainian President to the Joint Parliament in June 2023, and during the Peace Summit for Ukraine in June 2024."

Most recently, the Netherlands was targeted during the NATO Summit at the end of June. The operation disrupted or took down over 100 servers hosting the group's infrastructure. Two arrests were made (one preliminary arrest in France and one in Spain), and seven European arrest warrants were issued.

The authorities also sent warnings to 1,100 participants and 17 administrators via Telegram, informing them that they faced criminal liability for their actions. Six of the warrants issued by Germany are directed towards individuals believed to be residing in Russia, with two suspected of being the primary operators of the group.

Despite this significant blow to NoName057(16), authorities acknowledge that the core members are located in Russia and are likely to rebuild their infrastructure, rendering the operation's impact somewhat short-lived. The group therefore remains an ongoing concern, with new attacks and breaches reported against German companies.

Other recent developments in the realm of cyberattacks include the targeting of critical infrastructure in Ukraine by the new PathWiper data wiper malware, as well as allegations that Russia's Tupolev, a strategic warplane manufacturer, has been hacked. Russian hackers have also been linked to Dutch Police hacks and are believed to be tracking aid routes to Ukraine. These incidents underscore the ongoing struggle between cyber threat actors and law enforcement agencies worldwide.