In a major breakthrough, EU agencies target and dismantle a shadowy hacking group behind dozens of daily cyberattacks on Europe’s infrastructure.
They called themselves NoName057(16), but their work left a name burned into the memory of European cybersecurity teams. Over the past year, the group launched wave after wave of digital assaults across the continent—public transport glitches, electricity grid disruptions, even military-linked data breaches.
Now, their virtual hideouts are empty. Europol and Eurojust say they’ve shut it all down.
A Coordinated Strike Spanning 12 Countries
This wasn’t just a single arrest or a couple of laptops confiscated from a basement.
Between July 14 and 17, law enforcement launched 24 raids across 12 nations—France, Spain, Germany, Poland, Finland, you name it. These weren’t just friendly home visits either. They led to two arrests, including one each in Spain and France, and triggered seven arrest warrants for other suspects—six of whom are reportedly in Russia.
The arrests targeted key members who authorities say coordinated daily DDoS attacks—an average of 73 a day—on critical infrastructure.
One senior EU cyber official who asked not to be named called it “a digital manhunt years in the making.”
Who Are NoName057(16), Really?
These weren’t bored teenagers experimenting with code. The group was organized, consistent, and—according to authorities—ideologically tied to Moscow.
They first showed up during the early months of Russia’s full-scale war in Ukraine. At first, their targets were predictable: Ukrainian power companies, financial networks, telecom lines. But over time, they shifted gears, widening their lens.
That’s when things escalated.
French news outlet France24 reported attacks on power utilities in Germany and public transport systems in Italy. NATO allies, EU institutions, even voting infrastructure—all were on the group’s radar.
Their attacks weren’t always flashy. But they were persistent.
The Group’s Tech Network Was Massive
What shocked even veteran investigators wasn’t just the frequency of attacks—it was how spread out and quietly entrenched their infrastructure had become.
Europol said their operation brought down a massive attack infrastructure tied to more than 100 computer systems across the globe. That includes compromised servers, hijacked VPNs, botnets, and backend systems used to launch denial-of-service waves.
Forensic investigators say they found traces of coordination tools, including secure messaging apps, decentralized cloud scripts, and blockchain wallets likely used to obscure payments for server rentals.
And then there’s the central server cluster—offline now, after months of digital surveillance.
“It wasn’t just about brute-force hacking,” said one cybersecurity analyst from Lithuania involved in the probe. “It was about persistence and political intent.”
A Closer Look at Who Helped
The operation involved a long and diverse list of players. Thirteen nations—including Czechia, Germany, Sweden, the U.S., and Ukraine—contributed resources or intelligence. Some countries helped track the group’s crypto-based financial flows. Others monitored DDoS traffic in real-time. France and Spain coordinated physical surveillance.
Here’s a breakdown of confirmed participants:
| Countries Directly Involved | Key Roles |
|---|---|
| France, Spain | Arrests, server seizures |
| Czechia, Germany | Technical forensics |
| Poland, Finland | Digital traffic monitoring |
| Lithuania, Netherlands | Cyberintelligence tracking |
| Sweden, Switzerland | Infrastructure disruption |
| United States, Ukraine | Real-time alerts, OSINT feeds |
At least two other unnamed NATO nations supported backend monitoring efforts. Several of these countries had previously been hit in attacks linked to NoName057(16).
And while Moscow didn’t respond directly to the allegations, Russian media has framed the bust as “another Western provocation.”
What Made This Group Dangerous
Most cybercrime groups follow the money. Ransomware, card theft, crypto heists. That wasn’t the case here.
NoName057(16) was different. They didn’t demand Bitcoin. They didn’t advertise services on dark web forums. They focused on disruption—pure and simple.
Investigators found multiple indicators of Kremlin-aligned motives:
-
Coordinated timing with Russian military operations in Ukraine
-
Propaganda-laced messaging embedded in attacks
-
Frequent use of Cyrillic-based code and language patterns
One report from Poland’s internal security agency said that on days when Ukrainian cities came under missile fire, allied NATO websites simultaneously saw traffic spikes from coordinated DDoS campaigns.
It was about timing, disruption, and message control.
Bigger Than Just One Group?
There’s growing worry this is just the tip of the iceberg.
Cyber experts from the Netherlands suggest that NoName057(16) was likely part of a broader ecosystem—linked loosely to others like Killnet and XakNet, two pro-Russian hacktivist outfits previously active during the war’s early phases.
Not all of them operate under direct Kremlin control, but many appear aligned with its goals.
What makes that risky? Plausible deniability. Unlike conventional warfare, attribution in cybercrime is murky. States can encourage chaos without ever owning it.
And for European governments trying to protect elections, hospitals, or even airport systems, that’s a scary grey zone.
A Rare Win in a Long Cyber War
It’s easy to miss good news in cybersecurity. Most wins are quiet—patches rolled out, breaches thwarted before anyone notices.
But this time, it’s different. The bust of NoName057(16) marks one of the most significant pro-Russian cyber group takedowns since the start of the Ukraine invasion in 2022.
For Ukraine, which has been on the frontlines of both real and digital warfare, this is validation. For Europe, it’s a reminder that cybersecurity isn’t abstract. It’s physical. It’s personal.
A server crash can stall a hospital. A train delay caused by malware isn’t just annoying—it’s dangerous.
One French official summed it up best: “Cyber war is war. And today, we won a battle.”
