Trending

NoName057(16): How Russia Gamified DDoS Attacks on Europe With Crypto Rewards

An investigation reveals how NoName057(16) turned DDoS attacks into a cryptocurrency-rewarded 'patriotic game' — with activity increasing after Europol's Operation Eastwood crackdown rather than diminishing.

NoName057(16) has turned DDoS attacks on European governments into a cryptocurrency-rewarded game — and Europol's major crackdown made the group more active, not less.

EUROPE — NoName057(16) has claimed responsibility for waves of DDoS attacks against public institutions and private companies across Europe since Russia's full-scale invasion of Ukraine in 2022. Western intelligence agencies and Europol describe the group as part of Russia's broader hybrid war against countries supporting Kyiv. From late October 2025 to mid-March 2026, the group claimed 1,530 successful operations — approximately 300 per month — against government websites, financial institutions, transport companies, municipalities, and telecoms.

Campaign profile

Threat Intelligence: NoName057(16) DDoS-as-a-Patriotic-Game
Detail	Information
Group	NoName057(16) — pro-Russian hacktivist collective; Europol and Western intel classify as hybrid warfare actor
Activity (Post-Crackdown)	61,666 attack commands from July 2025 to March 2026 — higher than 56,231 in the eight months before Operation Eastwood
Claimed Operations	1,530 successful attacks October 2025 to March 2026 — approximately 300 per month
Primary Targets	Government websites (one-third of targets), financial institutions, transport, municipalities, telecoms
Recruitment	Telegram-based — users install DDoSia software and receive cryptocurrency per confirmed attack contribution
Platforms	DDoSia — available for Windows, Linux, macOS, and Android; installs on phones, computers, and routers
2026 Triggers	Milan-Cortina Winter Olympics, Western military aid to Ukraine, Israel-Iran conflict escalation

The gamification model

Volunteers install DDoSia — simple enough for non-specialists — on personal devices. The software connects to rented control servers, receives attack configurations, and begins sending malicious traffic automatically. Users do not choose targets. Cryptocurrency rewards incentivize participation without requiring any technical skills. DDoSia can be deployed on routers, meaning a single volunteer's home network can contribute multiple attacking nodes simultaneously. Vot Tak independently verified that at least some claimed successful attacks were genuine, with targeted websites confirmed temporarily inaccessible. NoName057(16) operates as part of the same Russian hybrid warfare ecosystem we covered in Germany's formal attribution of Signal phishing attacks on MPs to Russian-linked operatives. All nation-state cyber threat coverage is tracked on The CyberSignal.

Post-Europol resurgence

In July 2025, Europol conducted Operation Eastwood against NoName057(16) infrastructure. The investigation's most significant finding: the crackdown did not reduce activity. Attack commands in the eight months after (61,666) exceeded those before (56,231). The distributed, volunteer-powered model has no single infrastructure hub to take offline.

What to do now

Implement DDoS mitigation via CDN providers capable of absorbing volumetric attack traffic. Maintain heightened DDoS alerting for government entities and financial institutions in NATO member states. Review router firmware and access controls — DDoSia's router installation capability means compromised home network devices of employees could contribute attack traffic. Our primer on the most common cybersecurity threats facing organizations in 2026 provides broader context on the hacktivist and state-sponsored threat landscape.

The CyberSignal Analysis

Signal 01 — Gamification scales hacktivist recruitment beyond technical barriers

The cryptocurrency reward model eliminates the technical skill barrier that previously limited hacktivist participation. DDoSia's cross-platform simplicity means any smartphone owner can become an attack node. The gamification layer adds psychological reinforcement: rewards and community belonging create the same retention mechanics as mobile games.

Signal 02 — Operation Eastwood's failure reveals the limits of infrastructure takedowns

Europol removed specific servers; the volunteers and their devices remained. The operational response to groups like NoName057(16) cannot be primarily infrastructure-focused. It must include the financial flows, the recruitment channels, and legal frameworks for treating DDoS participation as criminal activity in volunteer jurisdictions.

Signal 03 — Geopolitical triggers now reliably activate hybrid attack infrastructure

The documented correlation between geopolitical events and NoName057(16) attack waves confirms this group functions as a responsive hybrid warfare tool. Organizations can anticipate attack surges following specific triggers and pre-position defenses accordingly. The 2026 pivot to attacking Israeli websites during the Iranian conflict reveals the ideological flexibility of the hacktivist-as-proxy model.

Type	Source
Investigation	The Moscow Times: Pro-Russian Hacker Group Gamifies Cyberattacks on Europe
Technical	The Record: UK Warns of Sustained Cyberthreat from Pro-Russian Hacktivists
Background	TVP World: NoName057(16) Gives Crypto for Installing Hacking Software

ShinyHunters Claims 9.4M Amtrak Records via Salesforce — 2.1M Accounts Confirmed on Have I Been Pwned

Massachusetts Fines Fidelity $1.25M for IDOR Breach That Exposed 77,000 Customers' SSNs and Financial Records

Operation Winter SHIELD: The FBI Is Telling You Exactly What to Fix — And Why Most Organizations Still Get Breached

Silver Fox Uses New ABCDoor Backdoor to Target Organizations in Russia and India via Tax Impersonation