Europol Dismantles NoName057: What the Takedown of 1,500 DDoS Attacks Means for DORA Information Sharing

1,500 Attacks, Three Years, One Group
Between March 2022 and June 2025, a single pro-Russian hacktivist collective — NoName057(16) — launched more than 1,500 distributed denial-of-service attacks against European targets. The group's target selection was deliberate and politically motivated: Italian banks including Intesa Sanpaolo, government financial systems across multiple member states, airports, and critical national infrastructure. In January 2025, during Ukrainian President Zelensky's visit to Rome, the group attacked Italian ministries in a coordinated barrage designed for maximum political visibility.
In July 2025, Europol disrupted the operation. Arrests were carried out in France and Spain. Warrants were issued for six Russian nationals. Infrastructure was seized. The operation represented one of the most significant law enforcement actions against hacktivism-as-a-service targeting European financial infrastructure.
The question for compliance officers and CISOs across Europe's financial sector is not whether this group mattered — it clearly did, given the scope and frequency of its attacks. The question is what enabled the takedown, and what that enablement mechanism tells us about the operational value of DORA's least-discussed pillar.
The Attack Pattern: Industrial-Scale Hacktivism
NoName057(16) was not a sophisticated advanced persistent threat. It was an industrial-scale DDoS operation with a clear pattern: identify politically relevant targets, marshal distributed infrastructure, overwhelm web-facing services, and amplify the disruption through social media channels. The attacks were volumetric, not surgical. They aimed for visible disruption — bank websites going offline, government portals becoming unreachable — rather than data exfiltration or persistent access.
This pattern is significant because it represents the most common cyber threat vector facing European financial institutions. While APT groups targeting financial data attract more attention in threat intelligence reports, DDoS-for-disruption campaigns affect more institutions more frequently.
| Metric | NoName057(16) profile |
|---|---|
| Active period | March 2022 - June 2025 (39 months) |
| Total attacks | 1,500+ confirmed |
| Average frequency | ~38 attacks per month |
| Primary targets | Financial institutions, government sites, airports |
| Key financial targets | Intesa Sanpaolo, Italian government financial systems |
| Geographic focus | Italy, France, Spain, Baltic states, Poland |
| Motivation | Pro-Russian political hacktivism |
| Disruption method | Volumetric DDoS via distributed infrastructure |
| Takedown | Europol, July 2025 — arrests in France and Spain |
The attack volume alone — averaging more than one attack per day over three years — underscores a reality that DORA was designed to address: cyber threats to financial stability are not hypothetical. They are sustained, systematic, and cross-border.
What Enabled the Takedown: Cross-Border Intelligence Flow
Europol's disruption of NoName057(16) was not a single-country investigation. It required intelligence sharing across multiple jurisdictions: attack traffic analysis from national CERTs, victim reporting from financial institutions, infrastructure mapping from telecommunications providers, and coordinated operational planning across law enforcement agencies in at least two countries.
This is precisely the kind of intelligence pipeline that DORA Article 45 envisions for the financial sector. Art. 45(1) states that financial entities "may exchange amongst themselves cyber threat information and intelligence," including "indicators of compromise, tactics, techniques, and procedures, cybersecurity alerts and configuration tools." Art. 45(2) further provides that such sharing arrangements shall "enhance the digital operational resilience of financial entities," particularly by "raising awareness in relation to cyber threats."
The critical insight from the NoName057 takedown is that the intelligence that enabled it flowed through exactly the kind of structures that Article 45 provides for. Financial institutions that reported attacks, CERTs that correlated traffic patterns, and law enforcement agencies that synthesized the intelligence into an operational picture — each played a role that maps directly to DORA's information sharing architecture.
Article 45: The Quiet Superpower
Pillar V — Information Sharing (Art. 45-49) — receives less attention than DORA's testing, incident reporting, or third-party risk management requirements. This is a mistake. Information sharing is the multiplier that makes every other pillar more effective.
Consider the lifecycle of a NoName057 attack against a bank:
Without information sharing: The bank detects a DDoS attack. Its SOC mitigates the traffic. The incident is logged internally. Perhaps reported to the NCA if it crosses the major incident threshold. The intelligence dies with the institution. The next bank hit by the same infrastructure starts from scratch.
With information sharing under Art. 45: The bank detects the attack. Indicators of compromise — source IP ranges, attack signatures, traffic patterns — are shared through a recognized information sharing arrangement. Other financial institutions in the arrangement pre-configure their defenses. The NCA correlates the attack with a known campaign. Law enforcement receives structured intelligence that advances their investigation. The collective defensive posture of the sector improves.
The difference is not marginal. It is the difference between isolated defense and collective resilience.
| DORA Information Sharing element | What it enables | NoName057 relevance |
|---|---|---|
| Art. 45(1): Voluntary sharing of threat intelligence | Sector-wide early warning | Attack signatures shared across victims |
| Art. 45(2): Enhancement of digital resilience | Collective defense improvement | Pre-configured DDoS mitigation at non-attacked institutions |
| Art. 45(3): Sharing within trusted communities | Intelligence quality control | Verified IoCs shared through trusted channels |
| Art. 45(4): NCA notification of arrangements | Regulatory awareness | Supervisors aware of sector threat posture |
| Art. 46: TLP classification | Controlled dissemination | Sensitive operational intelligence protected |
Building an Effective Information Sharing Capability
DORA does not mandate participation in information sharing arrangements — Art. 45 uses "may," not "shall." But the supervisory expectation is clear: institutions that choose not to participate in any threat intelligence sharing will face questions about how they maintain situational awareness of evolving threats.
For CISOs building or evaluating their information sharing capability, the NoName057 case offers a practical framework:
Layer 1 — Automated indicator sharing. IoCs from DDoS attacks (source IPs, traffic signatures, attack timing) can be shared in near-real-time through STIX/TAXII protocols. This is the minimum viable capability. Most financial sector ISACs provide this.
Layer 2 — Contextual threat intelligence. Beyond raw indicators, share and consume analysis of attack campaigns: who is conducting them, why, what targets they prioritize, how their tactics evolve. NoName057's shift from government targets to financial institutions in early 2023 was a pattern that contextual intelligence could have surfaced months before individual banks experienced attacks.
Layer 3 — Operational coordination. During sustained campaigns, real-time coordination between targeted institutions — sharing mitigation techniques that work, infrastructure that is being rotated by attackers, timing patterns — significantly reduces individual response times. Art. 45(2)'s reference to "cybersecurity alerts" encompasses this operational layer.
Layer 4 — Strategic reporting. Aggregated threat landscape assessments that inform board-level risk decisions and regulatory reporting. Art. 14's requirement for management body communication on ICT risk benefits directly from sector-level threat intelligence.
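Layer 1 as a worked example, added here and not taken from the Europol operation or any ISAC's tooling: the Python below turns observed DDoS source addresses into STIX 2.1 indicators marked TLP:AMBER. The /24 aggregation threshold, the function names and the sample addresses (RFC 5737 documentation ranges) are assumptions, and TAXII transport is left out.

```python
import ipaddress
import json
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# STIX 2.1 predefined marking-definition ID for TLP:AMBER.
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"

def summarise_sources(ips, min_hosts=3):
    """Collapse sources into a /24 when min_hosts distinct hosts share it
    (assumed threshold); otherwise keep each host as a /32."""
    by_net = defaultdict(set)
    for raw in ips:
        try:
            addr = ipaddress.IPv4Address(raw.strip())
        except ValueError:
            continue  # malformed log field: never shared as an indicator
        by_net[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)
    out = []
    for net, hosts in sorted(by_net.items()):
        if len(hosts) >= min_hosts:
            out.append(str(net))
        else:
            out.extend(f"{h}/32" for h in sorted(hosts))
    return out

def make_indicator(cidr, first_seen, tlp=TLP_AMBER):
    """Build one STIX 2.1 indicator with all required properties set."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": now, "modified": now,
            "name": f"DDoS source {cidr}",
            "indicator_types": ["malicious-activity"],
            "pattern": f"[ipv4-addr:value ISSUBSET '{cidr}']",
            "pattern_type": "stix", "valid_from": first_seen,
            "object_marking_refs": [tlp]}

def build_bundle(ips, first_seen):
    objs = [make_indicator(c, first_seen) for c in summarise_sources(ips)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

# Constructed sample input (documentation addresses, not real attack data).
SAMPLE_IPS = ["198.51.100.7", "198.51.100.19", "198.51.100.200",
              "203.0.113.5", "not-an-ip"]

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_IPS, "2025-01-15T09:00:00Z"), indent=2))
```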
The TLP Framework: Art. 46 in Practice
Art. 46 addresses the protection of information shared under Art. 45 arrangements. The Traffic Light Protocol (TLP) is the industry standard for classification:
| TLP level | Sharing scope | DORA application |
|---|---|---|
| TLP:RED | Named recipients only | Active investigation intelligence, zero-day indicators |
| TLP:AMBER | Organization-internal + need-to-know partners | Campaign-specific IoCs shared within trusted community |
| TLP:GREEN | Community-wide sharing | General threat advisories, mitigation guidance |
| TLP:WHITE (TLP:CLEAR) | Unrestricted | Published threat reports, public advisories |
The NoName057 investigation illustrates why TLP discipline matters. During the active investigation phase, operational intelligence about the group's infrastructure needed TLP:RED handling — premature disclosure could have warned the group and compromised the takedown. After the arrests, the same intelligence could be reclassified to TLP:GREEN or TLP:CLEAR for broad dissemination.
Financial entities participating in information sharing arrangements under Art. 45 must implement TLP-compliant handling procedures. This includes technical controls (access restrictions based on TLP level), training (analysts must understand classification obligations), and audit trails (demonstrating that sensitive intelligence was handled appropriately).
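One way to implement the access restriction and audit trail described above, as an added example rather than code from any sharing platform: a release gate that reads the TLP marking on a STIX object, checks it against the recipient's scope, and logs every decision. The scope names, the named-recipient set for TLP:RED and the fail-closed handling of unmarked objects are assumptions.

```python
from datetime import datetime, timezone

# STIX 2.1 predefined TLP marking-definition IDs (TLP 2.0 renames WHITE to CLEAR).
TLP_BY_MARKING = {
    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9": "WHITE",
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": "GREEN",
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82": "AMBER",
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": "RED",
}
# Minimum recipient scope per TLP level, following the table above.
REQUIRED = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}
SCOPE = {"public": 0, "community": 1, "partner": 2}  # hypothetical scope names

def effective_tlp(obj):
    """Most restrictive TLP marking on the object; unmarked fails closed to RED."""
    levels = [TLP_BY_MARKING[m] for m in obj.get("object_marking_refs", [])
              if m in TLP_BY_MARKING]
    return max(levels, key=REQUIRED.get) if levels else "RED"

def release(obj, recipient, red_recipients, audit):
    """Decide whether obj may go to recipient and record the decision."""
    tlp = effective_tlp(obj)
    if tlp == "RED":  # named recipients only, whatever their scope
        allowed = recipient["id"] in red_recipients
    else:  # unknown scopes are treated as public
        allowed = SCOPE.get(recipient["scope"], 0) >= REQUIRED[tlp]
    audit.append({"time": datetime.now(timezone.utc).isoformat(),
                  "object": obj["id"], "tlp": tlp,
                  "recipient": recipient["id"], "released": allowed})
    return allowed

# Constructed sample objects and recipients, not real intelligence.
AMBER_IOC = {"id": "indicator--00000000-0000-4000-8000-000000000001",
             "object_marking_refs": [
                 "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"]}
UNMARKED = {"id": "indicator--00000000-0000-4000-8000-000000000002"}
ISAC_PEER = {"id": "bank-b", "scope": "partner"}
MAILING_LIST = {"id": "sector-list", "scope": "community"}

if __name__ == "__main__":
    log = []
    for obj, rcpt in [(AMBER_IOC, ISAC_PEER), (AMBER_IOC, MAILING_LIST),
                      (UNMARKED, ISAC_PEER)]:
        print(obj["id"], rcpt["id"], release(obj, rcpt, set(), log))
```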
The Incident Reporting Connection: Art. 17-23
Information sharing and incident reporting are complementary, not identical. Art. 17-23 govern the mandatory reporting of major ICT-related incidents to competent authorities. Art. 45-49 govern the voluntary sharing of threat intelligence between financial entities.
In the NoName057 context:
- A bank experiencing a DDoS attack that disrupts customer-facing services for several hours would likely classify this as a major incident under Art. 18 criteria and report it to the NCA under Art. 19.
- The same bank could simultaneously share attack indicators with its information sharing community under Art. 45.
- The NCA receiving the Art. 19 report and the intelligence from the Art. 45 arrangement can correlate them — building the aggregated picture that ultimately enabled Europol's operation.
This dual-channel approach — mandatory reporting upward to supervisors plus voluntary sharing laterally to peers — creates the intelligence density needed to identify and disrupt sustained campaigns.
Implications for Financial Institutions
The NoName057 takedown carries four practical implications for DORA compliance:
1. Pillar V is not optional in practice. While Art. 45 uses permissive language, the supervisory expectation — reinforced by Art. 5's governance obligations and Art. 14's board reporting requirements — is that institutions maintain adequate threat intelligence capabilities. Choosing to operate in isolation is a defensible position only if the institution can demonstrate alternative means of maintaining situational awareness.
2. Information sharing arrangements need structure. Ad hoc intelligence sharing — a CISO forwarding an email to a peer — does not satisfy Art. 45's framework. Formal arrangements with agreed protocols, classification standards, legal frameworks, and operational procedures are required.
3. Threat intelligence must inform risk assessment. Art. 6's ICT risk management framework must be "updated regularly" (Art. 6(5)) in light of evolving threats. Intelligence about sustained hacktivist campaigns targeting your sector is directly relevant to risk assessment updates. An institution that was aware of the NoName057 campaign but did not factor it into its DDoS risk assessment has a framework gap.
4. Board awareness of the threat landscape. Art. 14(2) requires the management body to be informed about ICT risk. A sustained, multi-year campaign of 1,500+ attacks against European financial institutions is material information for board reporting. The NoName057 case should appear in quarterly board threat briefings.
The Broader Lesson: Collective Resilience
DORA's five pillars are not independent requirements to be satisfied in isolation. They form an integrated framework where each pillar strengthens the others. The NoName057 case demonstrates this integration:
- Pillar I (ICT Risk Management): The campaign's existence should have been reflected in institutional risk assessments.
- Pillar II (Incident Management): Individual attacks, when severe enough, triggered incident reporting obligations.
- Pillar III (Testing): DDoS resilience testing should have been prioritized given the active threat environment.
- Pillar IV (Third-Party Risk): Institutions relying on third-party DDoS mitigation services needed assurance those services could handle the NoName057 attack patterns.
- Pillar V (Information Sharing): The intelligence pipeline that ultimately enabled the takedown.
The takedown of NoName057(16) is not just a law enforcement success story. It is a validation of the intelligence architecture that DORA's Pillar V envisions — and a reminder that information sharing, often the last pillar institutions address, may be the one that determines whether threats are endured or eliminated.
This analysis reflects the Europol operation against NoName057(16) as reported in July 2025, and DORA Regulation (EU) 2022/2554 Articles 45-49 on information sharing arrangements.