Twelve countries, in coordination with Eurojust and Europol, have dismantled the hacktivist group NoName057(16), responsible for numerous distributed denial-of-service (DDoS) attacks on critical infrastructure—including power suppliers and public transport—across Europe. On 15 July, authorities shut down a global botnet involving hundreds of systems and identified eight suspects, including key figures residing in the Russian Federation.
NoName057(16) has professed support for the Russian Federation since the start of the war of aggression against Ukraine. Since the start of the war, it has executed multiple DDoS attacks against critical infrastructure during high-level (political) events. The group has also exhibited anti-NATO and anti-U.S. sentiment. During a DDoS attack, a website or online service is flooded with traffic, overloading its capacity and thus making it unavailable. The hacktivist group has executed 14 attacks in Germany, some of them lasting multiple days and affecting around 230 organisations including arms factories, power suppliers and government organisations. Attacks were also executed across Europe during the European elections. In Sweden, authorities and bank websites were targeted, while in Switzerland multiple attacks were carried out during a video message given by the Ukrainian President to the Joint Parliament in June 2023, and during the Peace Summit for Ukraine in June 2024. Most recently, the Netherlands was targeted during the NATO Summit at the end of June.
To execute their attacks, the group recruited supporters through a messaging service. It is estimated that the hackers were able to mobilise around 4000 users who supported their operations by downloading malware that made it possible for them to participate in the DDoS attacks. The group also built its own botnet using hundreds of servers around the world that increased the attack load, causing more damage.
Coordination of the many international partners was crucial for the success of the operation. Through Eurojust, authorities were able to coordinate their findings and plan an action day to target the hacktivist group. The Agency ensured that multiple European Investigation Orders and Mutual Legal Assistance processes were executed. During the action day on 15 July, Eurojust coordinated any last-minute judicial requests that were needed during the operation.
Europol facilitated the information exchange, supported the coordination of the operational activities and provided extended operational analytical support, as well as crypto tracing and forensic support during the lent of the investigation, and coordinated the prevention and awareness raising campaign, released to unidentified yet offenders via messaging apps and social media channels. During the action day, Europol set-up a Command Post at Europol’s headquarters and made available a Virtual Command post for online connection with the in-person Command.
The investigation culminated in an action day on 15 July where actions targeting the group took place in eight countries. Authorities were able to disrupt of over 100 servers worldwide. Searches took place in 24 places across Germany, Spain, Italy, Czechia, Poland and France to gather evidence for the investigation. Additionally, authorities informed the group and 1100 supporters and 17 administrators about the measures taken and the criminal liability they bear for their actions. International arrest warrants have been issued for eight suspects. Germany issued six warrants for the main suspects living in the Russian Federations. Two suspects are accused of being the main instigators responsible for the activities of NoName057(16). Photos and descriptions of some of the suspects can be found on the websites of Europol and Interpol.
The following authorities were involved in the actions:
- Czechia: District Prosecutor’s Office of Prague 5; Police, National Counterterrorism, Extremism and Cybercrime Agency (NCTEKK)
- Estonia: Estonian Police and Border Guard Board
- Germany: Prosecutor General’s Office Frankfurt am Main – Cyber Crime Centre; Federal Office of Police fedpol
- Finland: Prosecution District of Southern Finland; National Bureau of Investigation – Cybercrime Investigation Unit
- France: Paris Public Prosecutor’s Office – National Jurisdiction against Organised Crime (JUNALCO) ; National Cyber Unit of the Gendarmerie nationale
- Latvia: State Police of Latvia – International Cooperation Department & Cybercrime Enforcement Department
- Lithuania: Prosecutor General’s Office of Lithuania; Lithuanian Criminal Police Bureau
- Netherlands: Public Prosecutor’s Office of the Netherlands and Police of the Netherlands
- Spain: Investigative Central Court nr. 1 Audiencia Nacional; Audiencia Nacional Prosecutor´s Offices; National Police
- Sweden: Polisen
- Switzerland: Office of the Attorney General of Switzerland; Federal Office of the Police
- United States: Federal Bureau of Investigation (FBI) xt
