[German]Law enforcement authorities have dismantled the network of the Russian NoName057(16) cyber group, with the help of Europol and other institutions. The perpetrators targeted the IT infrastructure of Ukraine and supporting countries, including many EU member states.
Operation Eastwood against NoName057(16)
The international operation called Eastwood, which was coordinated by Europol and Eurojust, took place between July 14 and 17, 2025. It was directed against the cybercrime network NoName057(16).
Law enforcement and judicial authorities from Germany, France, Finland, Italy, Lithuania, Poland, Sweden, Switzerland, the Netherlands, Spain, the Czech Republic and the United States were involved. During the operation, the institutions simultaneously targeted the perpetrators and the infrastructure of the pro-Russian cybercrime network.
The investigation and operation were also supported by ENISA as well as Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine. The private parties ShadowServer and abuse.ch supported the technical part of the operation..
Countries of Operation Eastwood
The actions of Operation Eastwood led to the disruption of an attack infrastructure consisting of over a hundred computer systems worldwide. A large part of the group's central server infrastructure was taken offline.
In Germany, six arrest warrants were issued for offenders living in the Russian Federation. Two of these individuals are accused of being the main perpetrators of the activities of "NoName057(16)".
In total, the national authorities have issued seven arrest warrants, including against six Russian nationals for their involvement in the criminal activities of NoName057(16). All suspects are wanted internationally and in some cases their identities have been published in the media. Five profiles have also been published on the EU Most Wanted website.
According to Europol, the national authorities have contacted several hundred people who are believed to be supporters of the cybercrime network. In the messages, which are distributed via a popular messaging application, the recipients are informed of the official measures and made aware of the criminal liability they bear for their actions in accordance with national legislation.
The individuals acting on behalf of NoName057(16) are mainly Russian-speaking sympathizers who use automated tools to carry out distributed denial of service (DDoS) attacks. They operate without formal leadership or sophisticated technical skills and are motivated by ideology and rewards.
Overall results of Operation Eastwood
- 2 arrests (1 provisional arrest in France and 1 in Spain)
- 7 arrest warrants issued (6 in Germany and 1 in Spain)
- 24 house searches (2 in Czech Republic, 1 in France, 3 in Germany, 5 in Italy, 12 in Spain, 1 in Poland)
- 13 people were interrogated (2 in Germany, 1 in France, 4 in Italy, 1 in Poland, 5 in Spain)
- Over 1,000 supporters, including 15 administrators, were informed of their legal responsibility via a messaging app
Over 100 servers worldwide were disrupted and a large part of the main infrastructure of NoName057(16) was taken offline.
DDoS disruption attempts in favor of Russia
The perpetrators associated with the NoName057(16) cybercrime network primarily targeted Ukraine with their cyberattacks. However, they later shifted their focus to attacking countries that support Ukraine in its ongoing defense against Russia's war of aggression, many of which are NATO members.
The national authorities of these countries have reported a number of cyberattacks linked to the criminal activities of NoName057(16). In 2023 and 2024, the criminal network was involved in attacks on Swedish authorities and banking websites. Since the investigation began in November 2023, there have been 14 different waves of attacks in Germany, targeting more than 250 companies and institutions.
In Switzerland, several attacks were also carried out in June 2023 during a Ukrainian video message to the joint parliament and in June 2024 during the peace summit for Ukraine on the Bürgenstock. Recently, the Dutch authorities confirmed that an attack linked to this network was carried out during the last NATO summit in the Netherlands. All these attacks were repelled without any significant disruption.
The investigation by the national authorities revealed that NoName057(16) is an ideological criminal network. It claims to support the Russian Federation. The group is associated with numerous DDoS cyberattacks in connection with the Russian war of aggression against Ukraine. In such attacks, a website or online service is flooded with data traffic with the aim of overloading it and making it inaccessible.
In addition to the activities of the network, which is estimated to have over 4,000 supporters, the group was also able to set up its own botnet of several hundred servers to increase the attack load.
To spread calls to action, instructions and updates, and to recruit volunteers, the group used pro-Russian channels, forums and even niche chat groups on social media and messaging apps. Volunteers often invited friends or contacts from gaming or hacker forums and formed small recruitment circles. These actors used platforms like DDoSia to simplify technical processes and provide guidelines to get new "recruits" up and running quickly.
