Crime & Justice
International operation hits Kremlin-aligned hacktivists as cyberthreat lingers
A global crackdown on pro-Russian hacktivists seized more than 100 servers, yet researchers say that ideology and volunteer networks keep NoName057(16) a persistent cyberthreat.
![Europol and Eurojust announced on July 16 that they had dismantled the pro-Russian hacker group NoName057(16). [Koen van Weel/ANP/AFP]](/gc6/images/2025/08/01/51363-hackers_1-370_237.webp)
By Kontur |
When hundreds of websites across Europe flickered offline in coordinated waves of digital traffic, authorities suspected another of Moscow's online proxies was at work.
Two months later, the group behind many of those disruptions -- NoName057(16), a volunteer "cyber army" aligned with Russian interests -- faced an unprecedented crackdown.
In mid-July, law enforcement from 12 nations, backed by the United States, dismantled more than 100 servers and issued international arrest warrants, marking what analysts call a landmark strike against hybrid cyber warfare. Yet even this success, they say, is only one battle in a long campaign to keep hostile hacktivist networks at bay.
A network under fire
NoName057(16) has been active since 2022, claiming over 1,500 attacks against Ukraine and NATO countries, often using basic tools to overwhelm public-facing websites. The group mobilized around 4,000 users who supported their operations, according to Eurojust, an EU judicial coordination agency.
![A map highlighting Russia, among other countries, is displayed on a screen at the Australian Center for Cyber Cooperation May 3, 2024. [Sina Schuldt /DPA/AFP]](/gc6/images/2025/08/01/51362-hackers_2-370_237.webp)
German authorities reported 14 waves of cyber disruptions targeting over 250 companies and institutions, while Switzerland and the Netherlands confirmed strikes timed with political events, including the Peace Summit for Ukraine and the NATO summit.
In May 2025, the group briefly knocked several UK government websites offline, boasting online that the attacks punished "Russophobic" states.
Between July 14 and 17, 2025, Operation Eastwood brought together cybercrime units from 12 countries to execute simultaneous takedowns.
They disabled over 100 servers worldwide, arrested suspects in France and Spain and issued seven arrest warrants (six for Russian nationals), proving that joint operations can deliver a heavy blow to Kremlin-linked cyber networks.
How Moscow's proxies operate
Europol describes NoName057(16) as a loose network of Russian-speaking sympathizers using platforms like a Distributed Denial of Service (DDoS) attack toolkit to knock sites offline.
"Operating without formal leadership or sophisticated technical skills, they are motivated by ideology and rewards," Europol said in a statement.
Gamified recruitment tactics promise volunteers digital status or small cryptocurrency rewards, reinforcing a sense of belonging to a cause.
Analysts at the US Center for Strategic and International Studies (CSIS) described the takedown as "a dramatic success and a global pushback against Russia's hybrid warfare operations." But groups like NoName057(16) are designed to survive disruption, they said.
"This success is likely to be temporary -- one round in an ongoing match that can only be definitively won by intensive cooperation among allies," wrote Julia Dickson, a research associate, and Emily Harding, director of the Intelligence, National Security, and Technology Program and vice president of the Defense and Security Department at CSIS.
Rafa López, security engineer at Check Point, a cybersecurity solution company, said that while the group's DDoS capacity has diminished, it is moving toward more-advanced tactics such as system breaches and data theft.
"The group remains active and has built a vast network of affiliates, with thousands of volunteers across various platforms, including online gaming and hacktivist forums," he told Computer Weekly earlier in July.
Dickson and Harding called Europol's Joint Cybercrime Action Taskforce in The Hague a model for effective international cyber defense, noting that its structure -- embedding cyber liaison officers from 20 countries to work side by side -- allows investigators to share intelligence in real time, coordinate operations across borders and build the trust needed to dismantle complex, fast-moving cybercrime networks.
The wider hacktivist ecosystem
NoName057(16) is part of a wider constellation of Kremlin-aligned "patriotic hacktivist" groups that have emerged since Russia's full-scale invasion of Ukraine in 2022.
Collectives such as Killnet, XakNet and CyberArmyofRussia_Reborn operate on similar lines: loosely organized, fueled by nationalist rhetoric and often recruiting volunteers through open Telegram channels. This structure allows Moscow to amplify cyber pressure on adversaries while maintaining plausible deniability.
Intelligence reporting indicates that some of these groups occasionally receive target lists or technical assistance from Russian security services, blurring the line between grassroots activism and state-sponsored operations.
CSIS said that hacktivist collectives are "a key piece of Moscow's complex network of cyber actors… conducting operations that support Moscow's strategic goals while providing a layer of plausible deniability."
Even major law enforcement actions appear to have limited long-term impact. Recorded Future reported that between July 2024 and July 2025, NoName057(16) launched 3,776 unique attacks, averaging 50 targets per day.
Operation Eastwood shows that coordinated international action can dismantle hostile cyber infrastructure and identify perpetrators, but hybrid warfare in cyberspace is far from over, say analysts.
"As Russian hybrid tactics become more aggressive and global, so too must the response," Dickson and Harding wrote.