A multinational cyber enforcement operation – led by the European Union’s (EU’s) Europol and Eurojust agencies – has successfully disrupted the NoName057(16) pro-Russian hacktivist cyber crime network responsible for multiple distributed denial of service (DDoS) attacks.
Europol said that offenders associated with the network targeted primarily targets in Ukraine but shifted their focus to other European countries, many of them Nato members, following the outbreak of war in 2022.
“National authorities have reported a number of cyber attacks linked to NoName057(16) criminal activities,” said Europol.
“In 2023 and 2024, the criminal network has taken part in attacks against Swedish authorities and bank websites. Since investigations started in November 2023, Germany saw 14 separate waves of attacks targeting more than 250 companies and institutions.
“In Switzerland, multiple attacks were also carried out in June 2023, during a Ukrainian video-message addressed to the Joint Parliament, and in June 2024, during the Peace Summit for Ukraine at Bürgenstock.
“Most recently, the Dutch authorities confirmed that an attack linked to this network had been carried out during the latest Nato summit in the Netherlands. These attacks have all been mitigated without any substantial interruptions.”
Takedowns
The so-called Operation Eastwood has resulted in the takedown of 100 servers and a major part of the NoName operation’s infrastructure, two arrests in France and Spain and 24 property searches across Europe.
Europol said that 13 individuals have also been questioned and over 1,000 ‘supporters’ of the NoName network – including 15 admins – have been notified for their legal liability. These individuals are understood to be Russian-speaking hacktivists.
Additionally, the German authorities have issued six arrest warrants against Russian nationals. Five of them have been named as Andrej Stanislavovich Avrosimov, Mihail Evgeyevich Burlakov (aka darkklogo), Olga Evstratova (aka olechochek), Maxim Lupin and Andrey Muravyov. A seventh warrant has been issued by Spanish police.
Burlakov and Evstratova are both accused of being among the group’s ringleaders – Burlakov is suspected of leading on developing and optimising the softwares used to identify targets, and subsequently attack them, as well as overseeing payments made to rent NoName’s server infrastructure. Evstratova allegedly played a key role in the creation and optimisation of NoName’s proprietary DDoSia malware.
All of these individuals – who are listed on Europol’s Most Wanted website – are believed to be located in Russia.
Large network
Unlike well-known Russian state threat actors such as Fancy Bear, the ideologically-driven NoName network is thought to have acted more like a cyber criminal ransomware gang, without support from the Russian authorities but on the unspoken understanding that Moscow would not interfere with their work.
Europol estimates that at its peak, NoName had around 4,000 supporters and had been able to build a botnet made up of several hundred servers, which were used to bombard their targets with junk traffic.
NoName’s leaders used pro-Russian channels, web forums, and niche chat groups on social media and messaging forums, with volunteers often informally recruiting their friends and contacts from the gaming and hacking communities.
These individuals were given access to platforms, such as DDoSia, to simplify their processes and automate cyber attacks, meaning the operation could stand up new recruits quickly and enable them to work effectively with minimal technical skillsets.
NoName’s volunteer army was paid in cryptocurrency, incentivising sustained commitment and involvement, and Europol said this may also have played a factor in attracting opportunists to the group.
Culturally, NoName mimicked computer game dynamics, with regular shout-outs, leaderboards, and earned badges doled out to instill a sense of status.
Leaders emotionally reinforced this gamified manipulation – often targeted at young, impressionable people – by playing off the narrative of defending their country, where national propaganda often exploits the memory of the 25 million Soviet citizens killed during World War II to convince people that the country is facing a renewed Nazi onslaught.
Rafa López, security engineer at Check Point, said: “While the recent international crackdown on the NoName057(16) group has disrupted their operations, it is unlikely to mark the end of their activities. This Russia-affiliated hacktivist group, which primarily targets countries with anti-Russian stances, continues to operate through encrypted channels like Telegram and Discord. Although their DDoS capabilities have been reduced, they are shifting toward more sophisticated methods, including system intrusions and data exfiltration. The group remains active and has built a vast network of affiliates, with thousands of volunteers across various platforms, including online gaming and hacktivist forums.
“We recommend that organisations strengthen their defences by implementing multi-layered security strategies, including robust DDoS protection, intrusion detection systems, and regular security audits.
“It is also essential to educate employees about the risks of cyber attacks, as well as to monitor for unusual activities on communication platforms that might indicate potential recruitment efforts. By staying vigilant and proactive, companies can better safeguard themselves against evolving threats from groups like NoName057(16),” said Lopez.
The operation brought together authorities from Czechia, Finland, France, Germany, Italy, Lithuania, the Netherlands, Poland, Spain, Sweden, and the US, with support also received from agencies in Belgium, Canada, Denmark, Estonia, Latvia, Romania and Ukraine. Private sector bodies ShadowServer and abuse.ch also provided technical support.
