NoName057(16): Pro-Russian Hacktivist Group

Mode of Operations

NoName057(16) primarily operates as a crowdsourced DDoS network rather than a traditional closed hacking group. Its core infrastructure revolves around DDoSia, a custom attack tool distributed to volunteers through Telegram channels and GitHub-hosted repositories.

Once installed, DDoSia automatically receives target lists from the group’s infrastructure and generates large volumes of network traffic intended to overwhelm websites and services. This allows participants with limited technical expertise to take part in coordinated attacks.

Telegram serves as the group’s central coordination platform. The channels are used to:

• Announce targets and campaigns
• Claim responsibility for attacks
• Share propaganda and threats
• Recruit participants
• Provide technical instructions and educational content

A defining feature of the group’s model is its use of gamification. Participants are encouraged through leaderboards, rankings, badges, and financial-style incentives tied to attack participation. This system helps the group maintain engagement and scale operations beyond a small core membership.

Operationally, the attack cycle is relatively simple:

1. Administrators select politically symbolic targets.
2. Target information is distributed through Telegram and DDoSia infrastructure.
3. Volunteers launch attacks using the DDoSia software.
4. The group publicizes claimed successes on Telegram.

The practical impact of these operations is usually temporary disruption rather than long-term system compromise. However, the propaganda and reputational effects are central to the group’s strategy.

Early Attacks and Expansion

The group’s earliest claimed operations in 2022 focused on Ukrainian news and media websites. As its visibility increased, NoName057(16) expanded its campaigns to foreign governments, infrastructure providers, financial institutions, and private companies.

One of the group’s most notable early large-scale campaigns occurred during the 2023 G20 Summit in India. Under the banner #OpIndia, NoName057(16) collaborated with other hacktivist groups in approximately 2,450 cyberattacks, many involving DDoS activity. Targets included:

• Government digital infrastructure
• Financial and banking systems
• Energy and oil sector organizations
• Non-profit organizations
• Educational institutions
• Telecommunications and manufacturing companies

The group has also claimed responsibility for alleged data leaks and attacks against businesses and public-sector entities in multiple countries.

Position in the Hacktivist Landscape

NoName057(16) represents a newer generation of politically motivated hacktivist operations that combine relatively simple attack techniques with highly effective online mobilization. Unlike more technically sophisticated cybercriminal or state-sponsored groups focused on espionage or destructive malware, NoName057(16) relies heavily on public visibility, mass participation, and information warfare tactics.

Its influence comes less from technical sophistication and more from its ability to coordinate large numbers of volunteers, amplify propaganda through Telegram, and repeatedly disrupt politically symbolic targets.

Ukrainian Government and Utility Websites:

After targeting news servers, they expanded their targets to include Ukrainian government, utility, armament, transportation, and postal websites. These attacks began to become more political in mid-June.

Ukrainian News Servers:

In early June 2022, NoName057(16) targeted Ukrainian news servers. This was one of their first attacks and marked the beginning of their operations.

Danish Financial Sector:

In Denmark, NoName057(16) disrupted services across the financial sector. Several Danish banks, including Jyske Bank and Sydbank, were crippled by a distributed denial of service attack.

2023 Czech Presidential Candidates:

In January 2023, NoName057(16) began to target the websites of 2023 Czech presidential candidates. This marked a shift in their operations as they started targeting political figures.

Canadian Government Websites:

On September 13, 2023, the NoName057(16) group launched a DDoS attack on many Canadian and Quebec government websites. This was one of their most recent and impactful attacks.

Dutch Ports, Public Transport, and Municipal Services:

In 2023 and 2025, NoName057(16) carried out or claimed several attacks against Dutch organizations. Earlier incidents affected Dutch ports and public transport-related services, while in June 2025 the group claimed DDoS attacks against Dutch municipalities and organizations connected to the NATO Summit in The Hague. Dutch authorities confirmed DDoS activity linked to municipalities and summit-related organizations, while essential services in The Hague were reportedly not affected.

German Companies, Public Institutions, and Critical Infrastructure:

From November 2023 onward, Germany recorded 14 attack waves attributed to NoName057(16), affecting roughly 250 companies and institutions. Reported targets included defense companies, electricity providers, transport operators, public institutions, and government agencies. German authorities stated that the purpose of these attacks was to gain media attention and influence political or social decision-making in Germany.

Ukrainian Peace Summit in Switzerland:

In June 2024, NoName057(16) was linked to disruption attempts around the Ukrainian Peace Summit at Bürgenstock, Switzerland. The targeting aligned with the group’s usual pattern of attacking high-profile diplomatic events connected to Ukraine and Western support for Kyiv.

UK Local Councils and Public-Sector Websites:

In May 2025, NoName057(16) claimed DDoS attacks against several UK websites over a three-day period. Reported targets included local councils, the Association of Police and Crime Commissioners, and National Highways. Some sites experienced temporary disruption, although several organizations reported limited or no operational impact.

NATO Summit in the Netherlands:

In June 2025, during the NATO Summit in The Hague, NoName057(16) claimed attacks against Dutch websites connected to the event. Targets reportedly included the NATO Regional Representation in the Netherlands and several municipalities and provinces, including Den Bosch, Delft, and The Hague.

Operation Eastwood Law-Enforcement Disruption:

In July 2025, Europol and Eurojust coordinated Operation Eastwood against NoName057(16). The operation disrupted more than 100 computer systems connected to the group’s attack infrastructure and took a major part of its central server infrastructure offline. Authorities linked the group to repeated DDoS attacks against Ukraine and supporting countries, including many EU and NATO member states.

Cloud DDoS Protection Service can help mitigate advanced DDoS attacks with behavioral-based detection for network-layer and application-layer threats, automatic real-time signature creation, flexible deployment options, and protection against sophisticated Web DDoS attacks.

Bot Manager protects web applications, mobile apps, and APIs from automated threats by distinguishing between legitimate users, good bots, and malicious bot activity such as credential stuffing, scraping, fraud, and other forms of automated abuse.

DefensePro X provides automated, AI-powered DDoS protection for network- and application-layer attacks, helping organizations defend against known and emerging threats in real time.

Cloud WAF provides enterprise-grade, continuously adaptive web application and API protection against OWASP Top 10 threats, zero-day attacks, vulnerability exploits, and malicious web traffic.

Cyber Controller helps consolidate DDoS defenses into a single management console, improving visibility, analytics, and protection across Radware’s DDoS security environment.