Operation Eastwood takes down more than 100 DDoS servers used to support Russia’s invasion of Ukraine.

In a major international effort, law enforcement agencies across 19 countries have successfully disrupted a vast network of servers used to carry out cyberattacks in support of Russia’s invasion of Ukraine. The coordinated action, codenamed Operation Eastwood, targeted the pro-Russian hacktivist group NoName057(16), known for orchestrating large-scale distributed denial-of-service (DDoS) attacks against Ukraine and its allies.

Led by Europol and supported by Eurojust, the operation resulted in the dismantling of over 100 computer servers worldwide used to facilitate DDoS attacks. These servers formed the digital backbone of the group’s infrastructure, which had been used to disrupt government, financial, media, and critical infrastructure websites in Ukraine and several NATO-aligned countries.

Law Enforcement Actions and International Cooperation

As part of Operation Eastwood, authorities carried out:

  • 2 arrests of Russian nationals — one in France and another in Spain
  • 7 international arrest warrants, including six issued from Germany targeting individuals believed to be residing in Russia
  • 24 house searches across Europe
  • 13 suspect interviews conducted by national authorities
  • Notifications to over 1,000 individuals who were found to be contributing to or supporting the DDoS campaigns, warning of their potential legal liability

Led by Germany’s Federal Criminal Police Office (BKA), the operation was the result of a complex, multi-year investigation supported by countries including the United States, Canada, the Netherlands, the United Kingdom, Sweden, Switzerland, and Ukraine.

Background on NoName057(16)

NoName057(16) is a Russian-speaking cyber group that emerged following Russia’s full-scale invasion of Ukraine in 2022. The group has gained notoriety for carrying out DDoS attacks against digital infrastructure in Ukraine and in the countries that support it. By overwhelming public-facing websites with internet traffic, the group has sought to disrupt communications, services, and public trust.

What distinguishes NoName057(16) from more sophisticated cybercriminal groups is its mobilization of a large network of loosely affiliated supporters. The group provided user-friendly tools via messaging platforms like Telegram, enabling even less technically skilled individuals to participate in the group’s operations through a platform called “DDosia.”

Among the identified participants were at least 15 core administrators who organized daily attack campaigns and distributed detailed instructions to supporters via social media and dedicated platforms.

Since 2022, the group has claimed responsibility for repeated attacks on Ukrainian government and media websites; on financial institutions and government services in countries such as Germany, Sweden, Switzerland, the Netherlands, and the UK; and on events linked to NATO or peace initiatives, such as summits and international conferences supporting Ukraine.

For example, Germany reported at least 14 waves of attacks affecting over 250 entities. Sweden experienced temporary outages impacting banks and public services. Switzerland was targeted during Ukraine peace conferences in both 2023 and 2024. UK municipalities also faced disruptions to public service websites.

While the attacks were often short-lived and did not result in the theft of data, they succeeded in creating operational disruptions and media attention.
