
Over 3,700 Devices Targeted – NoName057(16) Hackers Strike in 13-Month Rampage

July 24, 2025: An extensive campaign led by the pro-Russian hacktivist collective “NoName057(16)” has targeted over 3,700 unique hosts across Europe, as revealed by newly published data from threat intelligence researchers at the Insikt Group.

The campaign, spanning from July 1, 2024, to July 14, 2025, has primarily focused on government and public-sector entities in countries opposing Russia’s invasion of Ukraine.

High-Powered DDoS Campaign Driven by Volunteer Network

NoName057(16) first surfaced in the aftermath of Russia’s full-scale Ukraine invasion in 2022 and has since become a notable digital weapon for Kremlin-aligned interests.

The group operates a robust distributed denial-of-service (DDoS) platform called “DDoSia,” which enlists volunteers via Telegram.

These participants receive tools and target lists, executing attacks that flood websites and digital services with illegitimate traffic, overwhelming and often disabling them.

Insikt Group’s analysis reveals an average of 50 new victims per day, with peaks reaching as many as 91.

Ukrainian targets comprised nearly 30% of these attacks, followed by France (6.1%), Italy (5.4%), and Sweden (5.3%). Notably, U.S.-based entities remained largely untouched.

The most affected sectors included government and public services (41.1%), transportation and logistics (12.4%), and technology, media, and communications (10.2%).

Advanced Multi-Tier Infrastructure Exposed

Beneath this activist-driven campaign lies a sophisticated, multi-layered technical infrastructure designed to ensure operational continuity and evade disruption.

DDoSia’s architecture relies on “Tier 1” command-and-control (C2) servers, which rotate on average every nine days.

These servers serve as the sole connection point to more securely protected “Tier 2” C2 servers, which utilize advanced access control lists (ACLs) to restrict upstream traffic and maintain uninterrupted command channels.

Technical forensics show the DDoSia client operates in two main steps. First, it registers and authenticates with the C2 using a unique “User Hash” and “Client ID,” then sends encrypted system data to the C2 disguised as legitimate web traffic.

Second, once validated, it retrieves an encrypted target list containing precise instructions for each host. Randomized request elements are embedded in the attack traffic to defeat simple filtering by defenders.
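The randomized request elements mentioned above are aimed at defenders who filter on exact URLs. The following added example (not code from the article, Insikt Group or Recorded Future) shows a defender-side counter: it parses combined-format access logs, groups requests by source address with the query string stripped so that randomised parameters do not split one flood into many "different" requests, and flags sources whose rate inside a sliding window exceeds a threshold. The window and threshold values, the sample addresses and the log lines are constructed assumptions, not figures or traffic from the report.

```python
"""Rate-and-novelty detector for HTTP flood traffic in combined-format access logs.

Added example (not code from the article or Recorded Future): it groups requests
by source address and by path with the query string stripped, so that randomised
query parameters do not split one source's flood into many "different" requests,
then flags sources whose request rate inside a sliding window exceeds a threshold.
Threshold and window values are illustrative assumptions, not figures from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Combined log format: ip ident user [ts] "METHOD url PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, path, query) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("url"))
    return m.group("ip"), ts, parts.path, parts.query

def peak_rate(timestamps, window):
    """Largest number of events inside any interval of length `window` (two-pointer scan)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyze(lines, window=timedelta(seconds=10), threshold=20):
    """Per-source summary: peak requests per window, share of distinct query strings,
    paths hit, and a flag when the peak exceeds the (assumed) threshold."""
    by_ip = defaultdict(lambda: {"times": [], "queries": [], "paths": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crashing the detector
        ip, ts, path, query = parsed
        rec = by_ip[ip]
        rec["times"].append(ts)
        rec["queries"].append(query)
        rec["paths"].add(path)
    report = {}
    for ip, rec in by_ip.items():
        total = len(rec["times"])
        report[ip] = {
            "requests": total,
            "peak_per_window": peak_rate(rec["times"], window),
            # near 1.0 means almost every request carried a unique query string:
            # the "randomised request elements" pattern the article describes
            "unique_query_ratio": len(set(rec["queries"])) / total,
            "paths": sorted(rec["paths"]),
            "flagged": peak_rate(rec["times"], window) > threshold,
        }
    return report

def constructed_sample():
    """Constructed log lines (not captured traffic): one source sends 40 requests in
    8 seconds, each with a different query string; a second source makes 3 requests."""
    base = datetime.strptime("24/Jul/2025:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    fmt = '{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = []
    for i in range(40):  # 5 requests per second from the flooding source
        ts = (base + timedelta(seconds=i // 5)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.7", ts=ts, url=f"/index.html?x={i:04x}"))
    for sec in (1, 5, 9):  # a quiet, legitimate-looking source
        ts = (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="198.51.100.9", ts=ts, url="/index.html?page=1"))
    lines.append("garbage line that does not match the format")
    return lines

if __name__ == "__main__":
    for ip, summary in analyze(constructed_sample()).items():
        print(ip, summary)
```

The unique-query ratio is reported alongside the rate because a high rate alone also describes a busy proxy or crawler; a source that is both fast and never repeats a query string is the more specific signal for this kind of flood. In production the per-source grouping would run against a streaming log rather than a list, and thresholds would be calibrated against the site's normal traffic.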

Law Enforcement Response and Persistent Geopolitical Threat

Attempts to disrupt NoName057(16) culminated in Operation Eastwood (July 14–17, 2025), which involved coordinated arrests and raids across six European countries.

The group, however, remains defiant, vowing to continue its digital operations on Telegram.

DDoSia C2 communication flow (Source: Recorded Future)

As DDoS and other hybrid attacks increasingly shape the European threat landscape, organizations in NATO-aligned nations are urged to strengthen layered defenses, invest in threat intelligence, and maintain up-to-date incident response capabilities.

For now, the cyber conflict remains as relentless as ever, blurring the lines between state and non-state aggression in the digital age.

Priya
