
An international operation coordinated by Europol has disrupted the infrastructure of a pro-Russian hacktivist group known as NoName057(16) that has been linked to a string of distributed denial-of-service (DDoS) attacks against Ukraine and its allies.
The actions have led to the dismantling of a major part of the group’s central server infrastructure and more than 100 systems across the world. The joint effort also included two arrests in France and Spain, searches of two dozen homes in Spain, Italy, Germany, the Czech Republic, France and Poland, and the issuance of arrest warrants for six Russian nationals.
The effort, codenamed Operation Eastwood, took place between July 14 and 17, and involved authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States. The investigation was also supported by Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine.
NoName057(16) has been operational since March 2022, having sprung up shortly after Russia’s invasion of Ukraine. The pro-Kremlin collective mobilizes ideologically motivated sympathizers on Telegram to launch DDoS attacks against websites using a special program called DDoSia, paying them in cryptocurrency to keep them incentivized.
Five individuals from Russia have been added to the E.U. Most Wanted list for allegedly supporting NoName057(16):
- Andrey Muravyov (aka DaZBastaDraw)
- Maxim Nikolaevich Lupin (aka s3rmax)
- Olga Evstratova (aka olechochek, olenka)
- Mihail Evgeyevich Burlakov (aka Ddosator3000, darkklogo)
- Andrej Stanislavovich Avrosimow (aka ponyaska)
“BURLAKOV is suspected of being a central member of the group ‘NoName057(16)’ and as such of having made a significant contribution to performing DDoS attacks on various institutions in Germany and other countries,” according to a description posted on the Most Wanted fugitives site.
“In particular, he is suspected of assuming a leading role within the group under the pseudonym ‘darkklogo’ and in this role of having taken decisions including on the development and further optimisation of software for the strategic identification of targets and for developing the attack software, as well as having executed payments relating to renting illicit servers.”
Evstratova, also believed to be a core member of the group, has been accused of taking on responsibilities to optimize the DDoSia attack software. Avrosimow has been linked to 83 cases of computer sabotage.
Europol said officials have reached out to more than 1,000 individuals who are believed to be supporters of the cybercrime network, notifying them of the criminal liability they bear for orchestrating DDoS attacks using automated tools.
“In addition to the activities of the network, estimated at over 4,000 supporters, the group was also able to construct their own botnet made up of several hundred servers, used to increase the attack load,” Europol noted.
“Mimicking game-like dynamics, regular shout-outs, leaderboards, or badges provided volunteers with a sense of status. This gamified manipulation, often targeted at younger offenders, was emotionally reinforced by a narrative of defending Russia or avenging political events.”
In recent years, the threat actors have been observed staging a series of attacks aimed at Swedish authorities and bank websites, as well as against 250 companies and institutions in Germany over the course of 14 separate waves since November 2023.
Last July, Spain’s La Guardia Civil arrested three suspected members of the group for participating in “denial-of-service cyber attacks against public institutions and strategic sectors of Spain and other NATO countries.”
The development comes as Russian hacktivist groups like Z-Pentest, Dark Engine, and Sector 16 are increasingly training their sights on critical infrastructure, going beyond DDoS attacks and website defacements that are typically associated with ideologically motivated cyber attacks.
“The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives,” Cyble said.