In a significant international effort, law enforcement agencies from 12 countries, coordinated by Europol and Eurojust, have successfully dismantled the pro-Russian hacking group NoName057(16). This operation, codenamed Eastwood, led to the disruption of over 100 servers worldwide and the neutralization of the group’s central attack infrastructure. The collaborative action resulted in multiple arrests, the issuance of arrest warrants, and the dismantling of a sophisticated distributed denial-of-service (DDoS) attack network that had been targeting Ukraine and its NATO allies.
Background on NoName057(16):
NoName057(16) emerged in March 2022, shortly after Russia’s invasion of Ukraine. The group quickly gained notoriety for launching DDoS attacks against Ukrainian news and media websites, including Zaxid and Fakty UA. Their activities soon expanded to target government agencies, media outlets, and private companies across Europe and North America, particularly those supportive of Ukraine. The group’s primary objective was to silence organizations they deemed anti-Russian by disrupting their online services.
Operational Tactics and Recruitment:
The group operated through various online platforms, notably Telegram, to coordinate attacks, disseminate propaganda, and recruit supporters. They employed gamification techniques to attract and retain participants, offering cryptocurrency payments, leaderboards, and digital badges as incentives. This approach was particularly effective in engaging younger individuals, who were motivated by both ideological alignment and the prospect of rewards. Participants were often recruited from gaming and hacking forums, creating tight-knit circles of sympathizers.
NoName057(16) utilized the open-source DDoSia platform to facilitate their attacks. This tool allowed volunteers to contribute computing resources to coordinated DDoS campaigns, effectively amplifying the scale and impact of their operations. The group also maintained a botnet comprising several hundred servers, further enhancing their attack capabilities.
Notable Attacks and Targets:
The group’s activities were closely aligned with political events and statements perceived as hostile to Russia. For instance, in February 2025, following Italian President Sergio Mattarella’s comparison of Russia’s actions in Ukraine to those of Nazi Germany, NoName057(16) launched DDoS attacks against major Italian entities. Targets included Milan’s Linate and Malpensa airports, the Transport Authority, Intesa San Paolo bank, and the ports of Taranto and Trieste. Although these attacks were swiftly mitigated by the Italian National Cybersecurity Agency, they underscored the group’s responsiveness to political developments.
In December 2024, the group targeted Canadian organizations across the telecom, transportation, government, and financial sectors. These attacks were reportedly in retaliation for Canada’s support of Ukraine. The group’s ability to mobilize quickly and target a diverse range of entities highlighted their operational agility and the breadth of their network.
Operation Eastwood: The Crackdown
Between July 14 and 17, 2025, Operation Eastwood was executed, marking a significant milestone in the fight against cybercrime. The operation involved law enforcement and judicial authorities from countries including France, Germany, Spain, the Netherlands, and the United States. The coordinated effort led to:
– Arrests and Warrants: Two preliminary arrests were made in France and Spain. Additionally, seven international arrest warrants were issued, six by Germany and one by Spain. Among those targeted were six Russian nationals, including two identified as the primary instigators behind NoName057(16)’s activities.
– Infrastructure Disruption: Over 100 servers used by the group were taken offline, effectively dismantling their central attack infrastructure. This action significantly impaired the group’s ability to coordinate and execute further attacks.
– Searches and Questioning: Authorities conducted 24 house searches across multiple countries and questioned 13 individuals connected to the network. These actions aimed to gather evidence and disrupt the group’s operations at various levels.
– Public Awareness and Deterrence: National authorities contacted over 1,000 suspected supporters through messaging applications, informing them of potential criminal liability under national legislation. This move served both as a deterrent and as a means to raise awareness about the legal consequences of participating in such activities.
Implications and Significance:
The successful execution of Operation Eastwood underscores the importance of international collaboration in combating cyber threats. The operation not only disrupted a significant pro-Russian cybercrime network but also sent a strong message about the global community’s commitment to maintaining cybersecurity and holding malicious actors accountable.
The dismantling of NoName057(16) highlights the effectiveness of coordinated law enforcement actions and the critical role of public-private partnerships in addressing cyber threats. The involvement of private sector entities, such as ShadowServer and abuse.ch, provided essential technical support and intelligence, demonstrating the value of collaboration between public authorities and private organizations in enhancing cybersecurity resilience.
Conclusion:
Operation Eastwood represents a pivotal moment in the ongoing battle against cybercrime. By dismantling NoName057(16), authorities have not only neutralized a significant threat but also set a precedent for future international cooperation in addressing cyber threats. The operation serves as a reminder of the evolving nature of cyber warfare and the necessity for continuous vigilance, collaboration, and innovation in cybersecurity efforts.
