NoName057(16) (also tracked as DDoSIA, Storm-1314, and the broader Russian Crowdsourced DDoS Hacktivism Project) is one of the most prolific Russia-aligned hacktivism clusters in the contemporary publicly-tracked record, a politically-motivated cluster that emerged in March 2022 following Russia's February 24, 2022 invasion of Ukraine and has conducted sustained DDoS operations against NATO-country government infrastructure since. The cluster's defining operational signature is the DDoSIA crowdsourced volunteer-recruitment platform. Volunteer operators ("DDoSIA Project Volunteers") install DDoSIA software clients on their own computers and contribute their bandwidth to coordinated DDoS attacks against cluster-selected targets in exchange for cryptocurrency payments graduated by attack contribution volume.

The DDoSIA model is operationally innovative among Russia-aligned hacktivism operations and distinguishes NoName057(16) from peer Russia-aligned hacktivism operations including Killnet (already covered as killnet.yaml). Western analytical consensus treats NoName057(16) as freelance hacktivism with apparent Russian state tolerance rather than direct state-tasking, consistent with the broader analytical framing applied to Killnet.

• Sustained DDoS operations against NATO-country government infrastructure (particularly active against Lithuanian, Polish, German, Italian, French, Spanish, and Czech government targets)
• Selective operations during Western political events (EU parliament sessions, NATO summits, Ukraine-Russia war policy decisions including Western military aid packages, sanctions announcements, Ukrainian leader visits to Western capitals)
• Less brand-marketing and information-operations activity than Killnet, NoName057(16) operations are more operationally-focused and less narrative-focused The cluster has conducted thousands of DDoS attacks against European-government targets over the 2022-2025 operational lifespan, substantially higher operational tempo than peer Russia-aligned hacktivism operations. Operations are typically coordinated through Telegram-channel target-announcements with same-day or next-day DDoS execution by DDoSIA Project Volunteers. The cluster has received the most operationally significant European-government formal public attribution among Russia- aligned hacktivism operations through the July 16, 2024 Operation Endgame Europol-led coordinated international action. The operation involved Europol coordination with German BKA, Spanish National Police, Polish Police, Lithuanian Cyber Police, Latvian State Police, Estonian Police, Italian Police, Czech NUKIB, Finnish Police, Swiss Federal Office of Police, and FBI.

• Two arrests (one Switzerland, one Italy)
• Identification of approximately 30 additional alleged DDoSIA Project Volunteers across 15 countries.
• Searches conducted in multiple European countries.
• Seizure of NoName057(16) operational infrastructure including DDoSIA servers.
• Disruption of DDoSIA volunteer-recruitment and cryptocurrency- payment infrastructure Operation Endgame represented one of the most operationally consequential counter-Russia-aligned-hacktivism coordinated international actions in the publicly-tracked record. Despite the disruption, NoName057(16) operations have continued through late 2024 and into 2025 with reorganized DDoSIA infrastructure under the same cluster brand identity. The cluster's resilience reflects the broader challenge of disrupting hacktivism operations operating predominantly through crowdsourced volunteer infrastructure, the operational difficulty of attributing distributed volunteer-operators across multiple jurisdictions creates substantial counter-operation complexity. A handful of operational notes: First, the cluster represents the central reference for understanding crowdsourced DDoS hacktivism operational tradecraft. The DDoSIA volunteer-recruitment-and-payment model is operationally innovative and may inform future hacktivism cluster operational models. Defender threat-modeling should account for the crowdsourced volunteer-attacker model as a distinct DDoS threat category, defenders cannot simply attribute and disrupt centralized cluster infrastructure because operational capability is distributed across volunteer- operators. Second, the cluster's operationally-focused targeting tradecraft (particularly the selective operations during Western political events) represents a meaningful operational-doctrine signal. Either explicit Russian-state coordination signal-following or shared political-motivation-driven operational targeting, the pattern of operations timed to specific Western political- decision-cycles is consistent across the operational lifespan. Third, the cluster should be analytically distinguished from Killnet despite similar Russia-aligned hacktivism positioning. Modern vendor consensus tracks NoName057(16) as separate cluster identity with distinct operational structure (DDoSIA volunteer recruitment model vs Killnet multi-subgroup collective structure) and operational focus (concentrated DDoS targeting of European- government infrastructure vs Killnet's broader DDoS-and-doxxing- and-narrative-operations portfolio). Fourth, no formal individual-operator attribution at the named- Russian-national tier has been publicly issued for NoName057(16) core administrators despite the Operation Endgame disruption. The Operation Endgame arrests targeted DDoSIA Project Volunteers rather than NoName057(16) administrators, consistent with the operational pattern where cluster administrators remain in Russia while volunteer-operators are distributed across multiple jurisdictions including some accessible to Western law-enforcement.