The infrastructure of pro-Russian hacktivist gang NoName057(16) has been disrupted as part of the Europol-led law enforcement effort Operation Eastwood.

The group were involved in distributed denial-of-service intrusions against Ukraine and its allies, including Germany, Switzerland and Sweden. 

Central Server Infrastructure

Aside from dismantling more than a hundred computer systems leveraged by the group, Operation Eastwood also took down NoName057(16)'s central server infrastructure, according to Europol. Such action coincided with the arrests of different suspects in France and Spain, with the former also sequestering communications equipment leveraged by the group.

The FBI has also confirmed participation in the operation but additional details regarding its involvement were not provided.

"Individuals acting for NoName057(16) are mainly Russian-speaking sympathisers who use automated tools to carry out distributed denial-of-service (DDoS) attacks. Operating without formal leadership or sophisticated technical skills, they are motivated by ideology and rewards," said Europol, who noted the group's membership to consist mostly of young threat actors.

Rafa López, security engineer at Check Point, said: "While the recent international crackdown on the NoName057(16) group has disrupted their operations, it is unlikely to mark the end of their activities. This Russia-affiliated hacktivist group, which primarily targets countries with anti-Russian stances, continues to operate through encrypted channels like Telegram and Discord.

"Although their DDoS capabilities have been reduced, they are shifting toward more sophisticated methods, including system intrusions and data exfiltration. The group remains active and has built a vast network of affiliates, with thousands of volunteers across various platforms, including online gaming and hacktivist forums."

Gamification

Investigations by national authorities identified NoName057(16) as having over 4 000 supporters, and the group were able to construct their own botnet made up of several hundred servers, used to increase the attack load.

To share calls to action, tutorials, updates, and to recruit volunteers, the group leveraged pro-Russian channels, forums, and niche chat groups on social media and messaging apps. Volunteers often invited friends or contacts from gaming or hacking forums, forming small recruitment circles. These actors used platforms like DDoSia to simplify technical processes and provide guidelines, enabling new recruits to become operational quickly.

Participants were also paid in cryptocurrency, which incentivised sustained involvement and attracted opportunists. Mimicking game-like dynamics, regular shout-outs, leader boards, or badges provided volunteers with a sense of status. This gamified manipulation, often targeted at younger offenders, was emotionally reinforced by a narrative of defending Russia or avenging political events.

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.