Europol-Led Operation Eastwood Disrupts NoName057(16) DDoS Infrastructure

A coordinated multinational law enforcement operation known as Operation Eastwood has disrupted the pro-Russian threat actor group NoName057(16), responsible for widespread DDoS activity targeting Ukraine and NATO-aligned countries. The operation, led by Europol and Eurojust between July 14–17, involved law enforcement from 19 countries and resulted in the dismantling of over 100 servers used to conduct cyberattacks. Europol confirmed that “a major part of the group's central server infrastructure was taken offline,” disrupting their ability to coordinate and execute DDoS campaigns. Germany issued six arrest warrants for Russian nationals, including two identified as key leaders of the network, while additional arrests occurred in France and Spain. The takedown follows a pattern of cyber disruption activity linked to major geopolitical events, including recent NATO and Ukraine-related summits targeted by NoName057(16).

NoName057(16) operates with a decentralized model, relying on Russian-speaking sympathizers who use tools like DDoSia to conduct attacks. Europol describes them as “operating without formal leadership or sophisticated technical skills,” motivated instead by pro-Russian ideology and cryptocurrency-based rewards. The group has gamified its recruitment, offering badges and recognition in online spaces to incentivize participation, particularly among younger individuals. In total, over 1,000 suspected supporters were notified of potential legal consequences via messaging platforms, a strategy designed to apply legal pressure on peripheral actors within the group’s ecosystem. Law enforcement agencies also questioned 13 individuals and conducted 24 house searches across several countries. Authorities note that this disruption will impact the group’s operational capacity and hinder its influence across the Western cyber threat landscape.

The arrests and infrastructure takedown mark a significant step in countering ideologically motivated cyberattacks against critical infrastructure and government institutions. While NoName057(16) initially focused on Ukraine, its activity expanded to allied nations supporting Kyiv’s defense, including high-profile incidents in Sweden, Germany, Switzerland, and the Netherlands. Investigations revealed that since late 2023, Germany alone experienced 14 waves of attacks impacting over 250 targets. The group’s visibility and impact prompted an intelligence-driven response coordinated across both national and international jurisdictions. As Europol emphasized, the operation demonstrates how joint action can apply operational and legal pressure on loosely organized but disruptive cybercriminal groups.