News Flash

Pro-Russian hackers from Noname unmasked: 600 servers shut down and five arrest warrants issued

A large-scale European operation led by Europol and Eurojust uncovers the cybercriminal network behind DDoS attacks on institutions and companies.

The group Noname057(16)

30 July 2025

Table of contents

  • The long trail of cyberattacks
  • Operation Eastwood: dismantling the network
  • A central hub in Russia
  • Recruitment through Telegram
  • A strong signal, but the digital war continues

The long trail of cyberattacks

The group Noname057(16) is one of the most notorious in the pro-Russian hacking scene. Active since 2022, it has conducted DDoS attacks targeting institutions, corporations, and critical infrastructure across Europe and the United States. High-profile Italian victims include Leonardo, the High Council of the Judiciary (CSM) and the Bank of Italy, which experienced major disruptions.

These attacks aim to flood target websites with traffic, rendering them slow or completely inaccessible. They are part of a wider strategy to destabilize Western systems, often aligning with geopolitical tensions related to the war in Ukraine.

Operation Eastwood: dismantling the network

Dubbed Operation Eastwood, the investigation was coordinated by Eurojust and Europol, with Italy’s Rome public prosecutor’s office and postal police playing a leading role.

Key outcomes of the operation:

  • 600 servers deactivated or seized in various countries
  • 5 international arrest warrants issued, including for two top leaders
  • Uncovered a complex web of cryptocurrency payments, Telegram accounts, and remote command infrastructures

A central hub in Russia

Investigations revealed that Noname057(16) follows a structured, hierarchical model:

  • A central command base in Russia directs operations
  • Intermediate servers are used to hide the origin of attacks
  • Thousands of user-contributed computers power the botnet

Participants are often ideologically aligned and receive cryptocurrency rewards for taking part in coordinated cyber offensives.

Recruitment through Telegram

The group used Telegram as a recruitment and operational hub, particularly via the DDosia Project channel:

  • Distributed target lists of Western institutions and companies
  • Offered custom software for new participants
  • Publicly claimed responsibility for successful attacks

In Italy, five people have been identified as active members of the group. Their offices have been searched by authorities to gather further evidence.

A strong signal, but the digital war continues

While Operation Eastwood dealt a major blow to the group’s global network, this is far from the end of the battle. The cyberwarfare landscape continues to evolve, and criminal networks adapt quickly. The case of Noname is just another clear sign that cyberattacks have become geopolitical weapons, not merely tools for profit.

Frequently Asked Questions (FAQ)

  1. Who are the Noname057(16) hackers?
    A pro-Russian cybercriminal group targeting Western institutions.
  2. What is a DDoS attack?
    It floods a website with traffic to slow it down or crash it entirely.
  3. Which Italian entities were attacked?
    The Bank of Italy, Leonardo, and the High Council of the Judiciary.
  4. Who led the investigation?
    Europol, Eurojust, and the Rome public prosecutor’s office.
  5. What was discovered?
    The group’s leadership and infrastructure, including 600 servers.
  6. Are there Italians involved?
    Yes, five individuals are currently under investigation in Italy.
  7. How were new members recruited?
    Through Telegram, with tools and target lists provided.
  8. Were servers based in Italy?
    No, they were distributed globally, with a command hub in Russia.
  9. Why use cryptocurrencies?
    To pay members anonymously and hide financial trails.
  10. Was the group completely dismantled?
    Not entirely, but the operation severely disrupted their activities.

 

3
To top