
Police Crack Down on Cybercrime Ring Targeting Europe

International Crackdown Dismantles Pro-Russian Cybercrime Group “Noname057(16)”

Zaragoza, Spain: In a significant international effort, Spain’s National Police, in coordination with twelve other countries, has successfully dismantled the cyber infrastructure of the pro-Russian hacker group “Noname057(16).” This operation, described as a major blow against a group specializing in “terrorist” cyberattacks, resulted in one arrest in Spain, five property searches, and the dismantling of hundreds of servers worldwide.

The coordinated action targeted critical infrastructure, with a primary focus on Ukraine and nations supporting Kyiv, many of which are NATO members. Police sources confirmed the neutralization of the group’s central cyberattack capabilities, which had previously launched over 500 cyberattacks within Spain since 2022.

Approximately fifty servers located in Spain were seized by the National Police as part of the inquiry. The operation led to the arrest of an individual in Zaragoza, suspected of involvement in “computer sabotage with terrorist purpose.” Additionally, five searches were conducted in Madrid (three), Zaragoza (one), and Barcelona (one), targeting other individuals linked to the group’s activities.

Evidence suggests that “Noname057(16)” utilized instant messaging platforms to recruit a considerable number of participants for its cyberattacks, employing a software called ‘Ddosia’. To incentivize participation and foster loyalty among its recruits, notably younger individuals, the group reportedly offered small payments in cryptocurrencies and implemented a “gamification system.”

The National Police’s investigation into the group commenced in October 2022. The group’s extensive resources and follower base have positioned it as a significant threat to Western cybersecurity. During the course of the investigation, key administrators responsible for the group’s operational infrastructure, financial activities, and propaganda efforts have been identified.

Globally, the operation, supported by Europol and Eurojust, led to two arrests – one in France and another in Spain. German authorities issued six arrest warrants, with Spain issuing one, targeting the main instigators of the group, many of whom are reportedly residing abroad. The extensive infrastructure used for these attacks reportedly comprised over 600 web servers.

What specific tactics did the cybercrime ring employ to gain access to victim systems?


Operation ‘Golden Serpent’ Disrupts Transnational Criminal Network

A coordinated effort by Europol and national law enforcement agencies across Europe has resulted in the dismantling of a complex cybercrime ring responsible for a wave of attacks targeting businesses and individuals. Dubbed “Operation Golden Serpent,” the multi-country operation, culminating in raids on July 16th, 2025, has led to the arrest of 35 individuals and the seizure of critical infrastructure used in the attacks. This represents a notable victory in the ongoing fight against cybercrime, online fraud, and data breaches across the continent.

The Scope of the Attacks: What was Targeted?

The cybercrime ring, believed to have been active for over two years, employed a variety of tactics, including:

Phishing Campaigns: Highly targeted phishing emails designed to steal login credentials for corporate networks and banking institutions. These campaigns often impersonated legitimate organizations, making them challenging to detect.

Ransomware Attacks: Deployment of ransomware, such as the “Cerberus” variant, against critical infrastructure providers, including hospitals and energy companies. Demands ranged from €50,000 to €5 million in cryptocurrency.

Business Email Compromise (BEC): Successfully infiltrating email systems to redirect payments to fraudulent accounts, resulting in substantial financial losses for businesses.

Malware Distribution: Utilizing compromised websites and software downloads to distribute malware designed to steal sensitive data and establish backdoors into victim systems.

Cryptojacking: Secretly using victims’ computing resources to mine cryptocurrency, slowing down systems and increasing electricity bills.

The primary targets were located in Germany, France, Italy, Spain, and the Netherlands, with smaller-scale attacks reported in Belgium, Poland, and Sweden. Industries particularly affected included finance, healthcare, manufacturing, and logistics. Cybersecurity threats are evolving rapidly, and this operation highlights the need for constant vigilance.

Key Players and Infrastructure Seized

Investigations revealed the cybercrime ring operated as a highly organized network, with distinct roles assigned to different members. Europol identified several key figures:

The Developers: Responsible for creating and maintaining the malware and phishing infrastructure. Many were located in Eastern Europe.

The Money Launderers: Specialized in converting stolen cryptocurrency into fiat currency through complex networks of shell companies and offshore accounts.

The Brokers: Facilitated the sale of stolen data on the dark web, connecting buyers with the cybercriminals.

The Operators: Deployed the malware and managed the attacks.

Law enforcement agencies seized:

Over 600 servers used to host malicious software and phishing websites.

€1.5 million in cryptocurrency.

Numerous computers, mobile devices, and storage media containing stolen data.

Evidence linking the suspects to hundreds of successful cyberattacks.

The Role of International Cooperation

Operation Golden Serpent underscores the importance of international collaboration in combating transnational crime. Europol played a central role in coordinating the investigation, facilitating information sharing between national law enforcement agencies, and providing technical expertise. The operation involved:

  1. Joint Investigation Teams (JITs): Established between several European countries to streamline investigations and share evidence.
  2. Real-time Intelligence Sharing: Utilizing Europol’s secure communication channels to exchange information about emerging threats and suspect activities.
  3. Cross-border Raids: Coordinated raids conducted simultaneously in multiple countries to maximize the impact of the operation.
  4. Cyber Threat Intelligence: Leveraging threat intelligence platforms to identify and track the cybercrime ring’s activities.

Protecting Yourself: Practical Tips for Individuals and Businesses

The fallout from Operation Golden Serpent serves as a stark reminder of the ever-present threat of cyberattacks. Here are some practical steps you can take to protect yourself:

Strong Passwords: Use strong, unique passwords for all your online accounts. Consider using a password manager.

Multi-Factor Authentication (MFA): Enable MFA whenever possible to add an extra layer of security.

Software Updates: Keep your software and operating systems up to date with the latest security patches.

Be Wary of Phishing: Be cautious of suspicious emails and links. Never click on links or download attachments from unknown senders.

Regular Backups: Back up your data regularly to an external hard drive or cloud storage.

Cybersecurity Awareness Training: For businesses, invest in cybersecurity awareness training for employees.

Endpoint Detection and Response (EDR): Implement EDR solutions to detect and respond to threats on your network.

Network Segmentation: Segment your network to limit the impact of a potential breach.

Case Study: The Attack on ‘MedTech Solutions’

In February 2025, ‘MedTech Solutions’, a German medical device manufacturer, fell victim to a ransomware attack orchestrated by the cybercrime ring. The attack crippled the company’s IT systems, disrupting production and delaying shipments of critical medical equipment. The attackers demanded a ransom of €2 million in Bitcoin. ‘MedTech Solutions’ refused to pay the ransom and worked with cybersecurity experts to restore
