Introduction
On July 16, 2025, Europol revealed the details of Operation Eastwood, a coordinated international strike against one of the most active pro-Russian cybercrime groups, NoName057(016). The announcement promised a major disruption to the group’s activities. In this blog, we explore whether Operation Eastwood had any real impact on NoName057(016), and how the group’s activities may have changed in the aftermath of this takedown.
About NoName057(16)
NoName057(16) is a pro-Russian hacktivist group active since March 2022, best known for large-scale DDoS attacks on government, media, and private-sector websites in Ukraine and countries supporting it. NoName057(16) runs its operations in a way that looks less like a secret hacker group and more like an organized online community. They use Telegram channels to share updates, announce new targets, and encourage followers to join in. The actual cyberattacks are powered by a tool called DDOSIA, which volunteers can install on their computers to automatically flood chosen websites with traffic. To keep people motivated, the group even offers rewards, often in cryptocurrency, to the most active participants. This crowd-sourced model allows them to attack many sites at once without needing a traditional, centralized botnet.
About Operation Eastwood
Operation Eastwood, launched in July 2025 by Europol and Eurojust with support from law enforcement worldwide, dismantled key elements of NoName057(16)’s infrastructure, seizing over 100 servers and arresting core members in France and Spain. Authorities also issued additional arrest warrants and targeted the group’s wider support network, warning more than a thousand volunteers of potential criminal liability for participating in DDOSIA-powered attacks.
Authorities in Poland arrested a suspect believed to be a member of NoName057(16) and searched his apartment.
Noname057(16)’s Reaction
On July 17, 2025, the final day of Operation Eastwood, NoName057(16) posted their first response on their Telegram channel. The statement aimed to reassure members that the operation would not hinder their activities. To underscore this point, they included a list of four German government and police websites they had recently attacked, demonstrating that they were still active.
During the Operation
During the operation (14–17 July), NoName057(16) showed no signs of slowing down. The group continued publishing daily target lists, averaging around 10 targeted sites per day, which is consistent with its usual tempo even before Operation Eastwood. Most attacks focused on government and municipal websites in Italy and Germany, both active participants in the operation. Notably, Italian sites had not been targeted since mid-June, but during and after Eastwood they became a primary focus.
On July 15, a surprising alert appeared, warning users that the group’s Telegram bot might send suspicious messages and urging them not to click any links. Soon after, NoName057(16) accused western intelligence services of sabotage and vowed to recover quickly. The message, however, strongly suggested that by then the special services had already seized control of the group’s bots.
After the Operation
Although NoName057(16) insisted that Operation Eastwood had no effect on their activity, reality told a different story. Immediately after the operation, between July 18 and 22, the group went silent, without any records for attacks nor target lists. The unexpected pause suggested real technical setbacks, forcing them to regroup and restore their systems. In the end, the operation wasn’t devastating, but it was far from the “harmless” disruption they tried to portray.
On July 23, NoName057(16) issued a strongly worded Telegram statement directed at western intelligence agencies and asserting that Operation Eastwood had failed. Adopting a tone of defiance and propaganda, the group portrayed itself as a “cyber army fighting for truth” and announced Operation Time of Retribution, a retaliatory campaign urging supporters to attack the 12 countries involved in Eastwood. The message concluded with nationalist slogans and assurances that the group would emerge “stronger than ever”. That same day, to reinforce its threats, NoName057(16) published new target lists, claiming attacks against 16 sites in Germany, 11 in Italy, and the official website of Interpol.
We analyzed NoName057(16)’s activity between July 23 and August 24 to assess the impact of Operation Eastwood and identify any changes in their behavior. Interestingly, the volume of attacks increased significantly. While in the month before the operation the group published daily lists averaging around 10 targeted sites, during the observation period this rose to an average of 18 sites per day- an 80% increase in the number of DDoS attacks. The graph below shows the change in the number of attacks during the 20-day period before the operation (Jun 24th – July 13th) and after the operation (July 24th – Aug 13th).
Almost half of the attacks targeted German websites, focusing on municipalities, police, public services, and government portals. While not at the same scale, sites in Spain, Belgium, and Italy were also affected, along with additional targets in other countries involved in Operation Eastwood. The graphs below show the distribution of attacks by country and industry.
Many of these strikes had tangible consequences: when we checked the listed sites, most were unavailable, and disruptions even made the headlines in regional media. For example, IT-Daily, a German cybersecurity news outlet, reported that DDoS attacks crippled the Saxony-Anhalt state portal and several regional administrations, causing noticeable operational disruption. Similarly, in Spain, GaliciaPress documented how the municipal website of Vigo was knocked offline in a targeted DDoS attack, bringing its e-government services to a halt for about half an hour before defenses kicked in.
Beyond their DDoS activity, NoName057(16) released 13 separate claims of system intrusions in the weeks following Operation Eastwood. These statements described gaining control over critical infrastructure, including water facilities in Romania and Czechia, boiler and drying systems in Lithuania, and even a Spanish desalination plant, as well as commercial and surveillance platforms. The reports frequently stressed the group’s ability to interfere with operational processes.
A portion of these incidents were linked to operations conducted under Z-Alliance, a pro-Russian/ Iranian hacktivist coalition that brings together multiple groups around shared geopolitical goals, illustrating NoName’s shift from acting alone to participating in coordinated campaigns. This type of collaboration between hacktivist groups is common in cybercrime communities. For example, during the Iran-Israel conflict in June 2025, NoName057(16) actively targeted Israeli websites in support of pro-Iranian and pro-Palestinian hacktivist groups. Following their announcement of Operation “Time of Retribution”, NoName057(16) also introduced new alliances with groups such as Hezi Rash, Red Wolf Cyber, Akatsuki Cyber Team, Cyber Lami, and NullSec Philippines, all hacktivist outfits known for politically motivated attacks. These collaborations likely contributed to the noticeable increase in the volume of attacks during the observed period.
Conclusion
Operation Eastwood delivered a significant, though not decisive, blow to NoName057(16). The seizure of infrastructure, arrests, and disruption of their support network forced the group into a rare period of silence and demonstrated the value of international cooperation against cybercrime. Yet, as the weeks following the operation showed, NoName057(16) was able to regroup, escalate its activities, and leverage new alliances to amplify its reach.
A key limitation remains: the group’s core infrastructure and leadership are based in Russia. Without cooperation from Russian authorities, fully dismantling NoName057(16) is highly unlikely. To date, Moscow has not taken action against pro-Russian hacktivist groups, and their activities often continue without interference.
Eastwood was not a final victory but an important milestone, proving that coordinated law enforcement action can disrupt such actors. Long-term resilience, however, will require sustained monitoring and international coordination against an evolving threat.
Imperva Protects Against DDoS Attacks
Imperva DDoS Protection offers resilient, always-on defense against the large-scale denial-of-service attacks often deployed by groups like NoName057(16). With a globally distributed network of high-capacity scrubbing centers, Imperva can absorb and filter multi-terabit volumetric floods before they ever reach customer infrastructure. Advanced mitigation technologies detect and neutralize sophisticated attack patterns, ensuring that websites and online services remain available even under sustained pressure.
The post Operation Eastwood: Measuring the Real Impact on NoName057(16) appeared first on Blog.