Crowdsourced Chaos: The Evolution of NoName057(16) and Why DDoS Resilience Matters

Written by Bitsight Team

What’s happening right now?

According to Bitsight Threat Intelligence, NoName057(16) remains one of the most visible pro-Russian hacktivist groups conducting distributed denial-of-service (DDoS) attacks against countries and organizations perceived as supporting Ukraine. This matters because the risk can extend beyond direct business ties to Ukraine, and the group may also target organizations that do business with vendors, suppliers, partners, or service providers perceived as supporting Ukraine. In other words, even if an organization has no direct connection to Ukraine, its third-party ecosystem may still create exposure.

While coordinated law enforcement activity, including Operation Eastwood in July 2025, disrupted parts of the group’s infrastructure and support network, the threat has not disappeared.

The group continues to leverage a crowdsourced model that is easy to join, scalable, and difficult to fully eliminate. By recruiting supporters through public channels and incentivizing participation, NoName057(16) can rapidly mobilize DDoS campaigns against public-facing services, especially during periods of heightened geopolitical tension or on symbolic dates.

Who is NoName057(16)?

NoName057(16)—also tracked as NoName057, 05716nm, 05716nnm, Nnm05716, NoName, and NoName05716—is a pro-Russian hacktivist group that emerged in March 2022.

The group is primarily known for conducting DDoS attacks using the DDoSia platform to disrupt access to websites and online services. Its operations are politically motivated and focused on defending Russian interests by targeting Western governments, public institutions, critical infrastructure, and organizations perceived as supporting Ukraine.

Previous targets have included Germany and Israel, in a joint effort with MuddyWater and CyberAv3ngers, two pro-Iranian groups. During this attack, an estimated 6,000 attack entries were observed across 143 domains. The telecommunications sector was heavily targeted as well. In February 2026, the group targeted Italy and the Milano Cortina Winter Olympics with DDoS attacks. From January through February 2026, NoName057(16) worked with ServerKillers, another pro-Russia group, to attack government websites in Spain and other websites associated with the European Union.

NoName057(16) released the following manifesto on its Telegram channel:

[Image: NoName057(16) Telegram message in English and Russian]

Targeted organizations and locations

Per Bitsight Threat Intelligence reporting, NoName057(16) has been observed targeting: government agencies, national cybersecurity centers, transportation authorities, banks, telecommunications providers, military and defense entities, energy and utility providers, media outlets, election-related websites, and organizations such as NATO.

The group’s geographical targeting has included Ukraine, the Czech Republic, Poland, Lithuania, Latvia, Estonia, Germany, Denmark, Italy, France, Spain, the Netherlands, Sweden, Cyprus, Greenland, Israel, India, Japan, the United States, and the United Kingdom.

Key sectors include government and politics, aerospace and defense, energy and resources, utilities, tourism and hospitality, business services, transportation, banking, and telecommunications.

Threat landscape

NoName057(16) operates within the broader pro-Russian hacktivist ecosystem. Its activity is centered on disruption rather than data theft or long-term intrusion. The goal is often to create public pressure, generate media attention, and signal retaliation against countries viewed as hostile to Russian interests.

The group uses a crowdsourced DDoS platform known as DDoSia, distributed and coordinated through Telegram. Participants are given target lists and instructions, and in some cases are incentivized with cryptocurrency. Bitsight Threat Intelligence tracks NoName057(16)’s use of systems infected with malware, including Bobik, to help generate attack traffic.

Recent NoName057(16) activity

NoName057(16) has claimed or been associated with several notable campaigns, including:

Tactics, techniques, and procedures

NoName057(16)’s primary tactic is service disruption through DDoS attacks in which the group floods its targets with HTTP requests. The group uses botnets, volunteer participants, and crowdsourced tools to overwhelm web servers with traffic.

Its typical process includes announcing targets on Telegram or social media, distributing operational instructions through DDoSia, encouraging supporters to participate, and then claiming responsibility publicly for successful disruptions.

Associated tools and malware include DDoSia, Dosia, mySingleMessenger, Bobik, and other DDoS-enabling infrastructure.

Technical details

DDoSia is designed to make participation easy. Users can download or run the tool, receive assigned targets, and contribute traffic to ongoing campaigns. This lowers the technical barrier for participation and allows the group to quickly scale attacks.

These attacks generally do not rely on exploiting traditional software vulnerabilities. Instead, they attempt to exhaust the availability of websites, portals, and online services through traffic volume. The impact can include website outages, degraded public services, reputational damage, customer disruption, and increased operational burden for security and IT teams.

Vulnerability management and resilience suggestions

Bitsight Threat Intelligence recommends that organizations prioritize DDoS resilience for critical public-facing services, especially if they operate in targeted regions or sectors. This includes validating DDoS protection coverage, reviewing Content Delivery Network (CDN) and web application firewall configurations, ensuring incident response (IR) teams have DDoS playbooks prepared in the event of an attack, and monitoring for early warning signs.

Because DDoS attacks are focused on availability, patching alone is not enough. Organizations need layered defenses, traffic monitoring, tested escalation paths with service providers, and clear communication plans for outages or degraded service.
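
Because the floods described above are spread across many volunteer clients, each source can stay under a per-client rate limit while the total still overwhelms an endpoint. The following added example (not from the original article or from Bitsight) flags per-path time windows whose request count jumps well above that path's own median and arrives from many distinct sources; the Common Log Format input, the thresholds, and the sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Common Log Format prefix: client IP, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # skip malformed lines instead of failing the whole run
    ip, ts, path = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, int(when.timestamp()), path.split("?")[0]

def detect_floods(lines, window=10, factor=5, min_sources=20):
    """Flag (path, window) buckets whose request count is at least `factor`
    times that path's median bucket AND is spread over many source IPs."""
    buckets = defaultdict(lambda: defaultdict(list))  # path -> start -> [ips]
    for line in lines:
        rec = parse(line)
        if rec:
            ip, epoch, path = rec
            buckets[path][epoch - epoch % window].append(ip)
    alerts = []
    for path, wins in buckets.items():
        baseline = median(len(ips) for ips in wins.values())
        for start, ips in sorted(wins.items()):
            per_ip = Counter(ips)
            if len(ips) >= factor * baseline and len(per_ip) >= min_sources:
                alerts.append({"path": path, "window_start": start,
                               "requests": len(ips), "sources": len(per_ip),
                               "max_per_source": max(per_ip.values())})
    return alerts

def sample_log():
    """Constructed sample: 60 s of normal traffic, then a distributed burst."""
    fmt = '{ip} - - [01/Jan/2026:12:{m:02d}:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512'
    lines = [fmt.format(ip=f"198.51.100.{s % 5 + 1}", m=0, s=s, p="/login")
             for s in range(60)]
    # 40 sources x 3 requests in one window: low per-source rate, high total.
    lines += [fmt.format(ip=f"203.0.113.{n}", m=1, s=n % 10, p="/login")
              for n in range(1, 41) for _ in range(3)]
    return lines

if __name__ == "__main__":
    for alert in detect_floods(sample_log()):
        print(alert)
```

The `max_per_source` field in each alert shows how little any single client contributed, which is the signal to escalate to the upstream DDoS or CDN provider rather than rely on per-IP blocking.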

Strategic implications

For senior leaders, the key takeaway is that NoName057(16) is not just a technical threat. The group’s campaigns can disrupt public trust, interrupt critical services, and create reputational pressure during politically tense periods.

Organizations in government, transportation, energy, utilities, financial services, telecommunications, defense, and other public-facing sectors should treat DDoS resilience as a business continuity issue, not only a security issue.

Conclusion

NoName057(16) represents a persistent and highly visible DDoS threat. Even after law enforcement disruption, the group’s crowdsourced model, public recruitment, and geopolitical motivation allow it to remain active and adaptable.

Its attacks create large-scale operational disruption. For organizations in targeted sectors or regions, proactive monitoring, external attack surface visibility, third-party risk awareness, dark web intelligence, and tested DDoS response plans are essential.

How Bitsight can help

1. Real-time threat intelligence

Bitsight Threat Intelligence provides visibility into activity across sources such as Telegram, deep and dark web forums, paste sites, GitHub, code repositories, and other open and closed sources. This helps identify early signs of campaigns involving groups like NoName057(16), including target announcements, DDoSia-related chatter, recruitment activity, and infrastructure indicators.

2. Dark web intelligence for supply chains

Bitsight offers Dark Web Intelligence for Supply Chains, which helps organizations detect, prioritize, and respond to threats across their third-party vendor ecosystem before they disrupt business operations.

This capability brings together real-time intelligence from the deep, dark, and open web and maps it directly to an organization’s suppliers, partners, and vendor exposures. For a threat like NoName057(16), this helps teams understand whether vendors or critical third-party services are being discussed, targeted, or potentially compromised.

Bitsight helps security, GRC, TPRM, and SOC teams answer three important questions:

  • What could happen? By mapping third-party exposures to active attacker tactics, techniques, and procedures.
  • What is happening? By detecting breach indicators and threat activity across suppliers and partners earlier than public disclosures or vendor notifications.
  • Where should we act first? By using AI-powered prioritization, including Dynamic Vulnerability Exploitability (DVE) scoring, to identify which vendor weaknesses pose the most immediate business risk.

This gives organizations earlier warning, better context, and a clearer view of which third-party risks could impact operations during disruptive campaigns.

3. External Attack Surface Monitoring

Bitsight continuously maps an organization’s external digital footprint, including internet-facing assets, shadow IT, exposed services, and third- or fourth-party infrastructure dependencies. This visibility helps security teams identify systems that may be vulnerable to disruption and prioritize resilience efforts before they are targeted.

For DDoS-focused threats, this means understanding which public-facing assets matter most, where traffic dependencies exist, and which systems require stronger protection or response planning.

4. Bitsight Beacon™ and compromised device visibility

Threat actors are increasingly targeting the supply chain to create a larger blast radius. Because ransom payments are down, threat actors are increasing the pressure by going after critical vendors. This is where Bitsight Beacon, our Supply Chain Exposure Management solution, provides insight into potential compromises and vulnerabilities throughout vendor ecosystems. Bitsight Beacon alerts security and risk teams when there are signs that a vendor or supplier may be exposed, actively compromised, or already breached, often before the vendor publicly discloses the issue. This insight helps teams better manage their supply chain risk.

5. Risk prioritization and security ratings

Bitsight helps organizations prioritize cyber risk by benchmarking security performance, exposure, and vulnerability posture over time and against industry peers. When threat intelligence indicates elevated targeting of a region, sector, or organization type, security teams can use Bitsight insights to focus mitigation efforts where they matter most.

This helps move the conversation from “we may be at risk” to “these are the assets, vendors, and exposures we should address first.”

The bottom line

NoName057(16) demonstrates how politically motivated groups can use scalable tactics to create real operational disruption. Bitsight helps organizations move from reactive response to proactive resilience by combining real-time threat intelligence, dark web visibility, third-party risk insights, External Attack Surface Monitoring, supply chain telemetry, security ratings, and expert analysis. Talk to our team to learn more.
