European Cyber Cops Target NoName057(16) DDoS Network

by Priyanka Patel

Multinational cyber operation dismantles pro-Russian hacktivist network.

  • A major cyber operation has disrupted the NoName057(16) pro-Russian hacktivist network.
  • The group targeted Ukraine and expanded to NATO members following the 2022 conflict.
  • Operation Eastwood led to 100 server takedowns, two arrests, and 24 property searches.
  • Key figures are accused of developing malware and managing infrastructure for distributed denial-of-service attacks.
  • The network utilized gamified tactics and cryptocurrency payments to recruit and incentivize volunteers.

A significant cyber enforcement operation, spearheaded by the European Union’s Europol and Eurojust agencies, has successfully dismantled the NoName057(16) pro-Russian hacktivist cybercrime network. This group is responsible for numerous distributed denial-of-service (DDoS) attacks across Europe.

Initially targeting Ukraine, the network shifted its focus to other European countries, many of which are NATO members, after the conflict escalated in 2022. National authorities reported a surge in cyber attacks linked to NoName057(16)’s activities.

“National authorities have reported a number of cyber attacks linked to NoName057(16) criminal activities,” Europol stated. The network engaged in attacks against Swedish authorities and bank websites in 2023 and 2024. Investigations that began in November 2023 revealed 14 separate waves of attacks in Germany, impacting over 250 companies and institutions.

Switzerland also experienced multiple attacks in June 2023, coinciding with a Ukrainian video message to its Joint Parliament, and again in June 2024 during the Peace Summit for Ukraine. Most recently, Dutch authorities confirmed that an attack linked to the network occurred during the latest NATO summit in the Netherlands. All these attacks were mitigated without significant disruptions.

Takedowns and Arrests

Operation Eastwood resulted in the takedown of 100 servers, significantly impacting NoName’s infrastructure. Two individuals were arrested in France and Spain, with 24 property searches conducted across Europe. Europol reported that 13 individuals were questioned, and over 1,000 “supporters,” including 15 administrators, were notified of their legal liability. These individuals are believed to be Russian-speaking hacktivists.

German authorities issued six arrest warrants against Russian nationals. Andrej Stanislavovich Avrosimov, Mihail Evgeyevich Burlakov (also known as darkklogo), Olga Evstratova (also known as olechochek), Maxim Lupin, and Andrey Muravyov were named. Spain issued a seventh warrant. Burlakov and Evstratova are considered ringleaders. Burlakov allegedly led software development for target identification and attacks, and managed server infrastructure payments. Evstratova is accused of a key role in creating and optimizing NoName’s proprietary DDoSia malware.

These individuals, listed on Europol’s Most Wanted website, are believed to be in Russia.

A Sophisticated Network

Unlike state-sponsored groups such as Fancy Bear, the ideologically driven NoName network operated similarly to a cybercriminal ransomware gang. It is thought to have functioned without direct Russian state support, operating under an implicit agreement of non-interference.

Europol estimates NoName had around 4,000 supporters at its peak, utilizing a botnet of several hundred servers to flood targets with junk traffic. Leaders recruited volunteers through pro-Russian channels, web forums, and social media chat groups, often drawing from gaming and hacking communities.

These recruits were given access to platforms like DDoSia, which simplified processes and automated attacks, allowing for rapid onboarding of new, less technically skilled members. Volunteers were compensated with cryptocurrency, a move that incentivized sustained involvement and likely attracted opportunists.

NoName fostered a competitive culture, mimicking computer games with shout-outs, leaderboards, and earned badges to promote a sense of status. Leaders reportedly reinforced this gamified manipulation, often targeting younger individuals, by leveraging narratives of national defense and invoking historical propaganda related to World War II casualties.

Rafa López, a security engineer at Check Point, noted that while the operation disrupted NoName, the group is likely to continue operating through encrypted channels. He warned of a shift towards more sophisticated methods like system intrusions and data exfiltration.

López advised organizations to strengthen defenses with multi-layered security, robust DDoS protection, intrusion detection systems, and regular security audits. He also stressed the importance of employee education on cyber risks and monitoring communication platforms for recruitment efforts. Staying vigilant is key to safeguarding against evolving threats.

The operation involved authorities from Czechia, Finland, France, Germany, Italy, Lithuania, the Netherlands, Poland, Spain, Sweden, and the US, with support from Belgium, Canada, Denmark, Estonia, Latvia, Romania, and Ukraine. Private sector entities Shadowserver and abuse.ch provided technical assistance.
