Operation Eastwood Targets NoName057(16) in Global Crackdown

An international effort, Operation Eastwood, has recently delivered a decisive blow to one of the most active pro-Russian cybercrime groups operating. Between July 14 and 17, this coordinated international law enforcement operation led by Europol and Eurojust took place across multiple countries.

The effort targeted NoName057(16), a pro-Russian hacktivist group responsible for extensive DDoS campaigns against Ukraine and allied states.

NoName057(16) and Their Ideological Role in Russian Cyberwarfare

NoName057(16) has become a major ideological threat actor, carrying out widespread Distributed Denial-of-Service (DDoS) attacks against Ukraine, NATO, and other perceived enemies of Russia. The group uses tactics similar to those of hacktivist collectives, especially former groups like KillNet and the Cyber Army of Russia, the latter of which has shown signs of ties to APT activity. By rallying Russian-speaking supporters with patriotic messages, gamified rewards, and tools like DDoSia, NoName057(16) helps advance Russia’s broader cyberwarfare goals.

Beyond Ukraine, its primary targets are:

• European institutions
• Financial service providers across the world (mainly NATO and allied countries)
• Critical infrastructure in NATO-aligned nations

The group adapted its focus in response to international events. Notable incidents include:

• Attacks on Dutch infrastructure during the recent NATO summit
• Coordinated disruptions in Switzerland during the 2024 Peace Summit for Ukraine
• Targeting Israeli entities during escalations tied to the Iran-Israel conflict
• Attacks on Japanese websites amid rising geopolitical tensions
• A recent wave of DDoS attacks focusing on German institutions

Their tactics were not limited to conventional cybercrime. By offering licryptocurrency rewards, fostering online status systems, and leveraging social media for recruitment, NoName057(16) built a digital volunteer army acting in alignment with Russian strategic interests.

This group, while primarily known for targeting Ukraine and its allies, has also been involved in other regional conflicts. In our Iran-Israel Conflict Threat Landscape Report, we documented 27 cyberattack claims attributed to NoName057(16), positioning them among the most active actors supporting pro-Iranian interests during that conflict.

What Are the Operational Outcomes?

Dubbed Operation Eastwood, the law enforcement initiative was spearheaded by Europol and Eurojust, with judicial and operational contributions from Czechia, France, Germany, Spain, Finland, Italy, the United States, and more. In total, authorities from over 20 countries joined forces.

The operation succeeded in dismantling the majority of NoName057(16)’s central infrastructure, severely disrupting its capacity to conduct future attacks. By cutting off command systems and communication lines, the takedown targeted the group’s operational backbone.

Key results included:

• Over 100 servers worldwide taken offline
• 2 arrests in France and Spain
• 7 arrest warrants issued, primarily targeting Russian nationals
• 24 house searches across Europe
• 13 individuals questioned
• 1,000+ sympathizers notified of their legal liabilities

Germany played a major role, issuing six of the seven arrest warrants. Two of these suspects are believed to be the group’s main instigators. Meanwhile, several key members have been added to the EU Most Wanted list, amplifying international pressure.

Although Operation Eastwood dealt a major blow to NoName057(16)’s operations, some of its core members are still at large, and the group may seek to regroup or rebrand in the future.

Conclusion

Operation Eastwood has marked a significant milestone in international cybercrime enforcement. The hacktivist group’s ideological motivations, decentralized operations, and geopolitical involvement highlight the evolving nature of digital threats. As global conflicts increasingly extend into cyberspace, coordinated actions like this set an important precedent for response.

At SOCRadar, we continuously track threat actors like NoName057(16) through our Cyber Threat Intelligence capabilities, helping organizations stay informed and resilient against emerging cyber threats. For detailed insights into the group’s TTPs and history, explore our Dark Web Profile for NoName057(16).