
DDoS Campaigns Against Italian Financial Infrastructure: NoName057, Geopolitics, and DORA's Information Sharing Response
Pro-Russian hacktivists launched over 1,500 DDoS attacks across Europe, repeatedly targeting Italian banks and financial infrastructure — until Europol dismantled the operation in July 2025.
Key Metrics
- Total Attacks: 1,500+ DDoS attacks (was: N/A). March 2022 - July 2025.
- Campaign Duration: 3+ years (was: N/A). Longest sustained hacktivist campaign against EU finance.
- Law Enforcement Outcome: Europol takedown + arrests in France/Spain (was: Ongoing attacks). 6 Russian nationals wanted.
- Intelligence Value: Aggregated campaign intelligence -> attribution -> takedown (was: Individual incident reports). Art. 45 information sharing pipeline validated.
The Situation
The Intelligence That Led to the Takedown
The dismantling of the NoName057(16) operation in July 2025 by Europol, in coordination with law enforcement agencies in France and Spain, demonstrated the operational value of the intelligence-sharing ecosystem that DORA's Pillar V was designed to strengthen.
Europol Operation PowerOFF. In July 2025, Europol announced the takedown of DDoSia infrastructure and the arrest of suspects in France and Spain linked to the NoName057(16) operation. Six Russian nationals were identified as wanted in connection with the campaign. The operation was the culmination of a multi-year intelligence effort that aggregated attack pattern data, attribution evidence, and infrastructure mapping across multiple countries.
The intelligence chain. The successful takedown depended on a chain of intelligence sharing that directly parallels DORA Art. 45-49's information sharing provisions:
- Incident reporting aggregation: Individual financial institutions' reports of DDoS attacks — including timing, targeting patterns, attack infrastructure indicators, and traffic signatures — were aggregated by national CERTs and sector-specific threat intelligence centers. Under DORA Art. 17-23, these incident reports follow standardized classification criteria, making aggregation and pattern detection more effective.
- Cross-institutional pattern detection: The identification of NoName057(16) as a coordinated campaign — rather than isolated attacks — required pattern analysis across multiple institutions and multiple countries. Art. 45's information sharing arrangements enabled this cross-institutional intelligence to flow between financial entities, sector CERTs, and law enforcement.
- Attribution and infrastructure mapping: The progression from "we are experiencing DDoS attacks" to "the DDoS attacks are orchestrated by NoName057(16) using DDoSia, recruited via Telegram, and operationally linked to Russian-aligned geopolitical objectives" required sophisticated attribution that combined financial sector intelligence with broader cybersecurity research.
The Italian financial sector's response. Italian financial institutions, coordinated through the Italian Banking Association (ABI) and the Italian national CERT, developed collaborative DDoS mitigation strategies including shared threat intelligence on DDoSia attack patterns, coordinated activation of anti-DDoS services, and mutual aid during particularly intense attack periods. This collaborative defense is a practical implementation of DORA Art. 45's vision of financial entities sharing cyber threat information to enhance collective resilience.
The geopolitical dimension. The NoName057(16) campaign highlighted a category of ICT-related risk that DORA's framers anticipated but that many financial institutions had not prioritized: geopolitically motivated cyber operations targeting financial infrastructure. Unlike financially motivated cybercrime (ransomware, data theft), hacktivist DDoS campaigns are motivated by political objectives and follow geopolitical event calendars rather than financial opportunity calendars. This distinction has implications for threat modeling, incident classification, and resilience testing — all areas where DORA provides the framework for a more structured response.
The Challenge
Geopolitics Meets Financial Infrastructure
Between March 2022 and July 2025, the pro-Russian hacktivist group known as NoName057(16) conducted a sustained campaign of distributed denial-of-service (DDoS) attacks against European financial infrastructure, with Italian institutions being among the most frequently targeted. According to Europol's operation summary and press reporting, the group launched more than 1,500 DDoS attacks across European targets during this period, with a particular intensity against Italian banks, financial market infrastructure, and government services connected to financial operations.
The group's targeting was explicitly geopolitical. According to publicly available Telegram channels operated by NoName057(16) and analysis by cybersecurity firms including Radware and Cloudflare, the attacks were coordinated in response to political events: Italian government statements supporting Ukraine, European Council votes on sanctions, and diplomatic visits. In January 2025 — coinciding with the earliest days of DORA's applicability — Italian government ministries were attacked during a visit by Ukrainian President Zelensky to Rome. The message was clear: geopolitical alignment carries cyber consequences, and financial infrastructure is a preferred target.
The specific Italian financial institutions targeted included Intesa Sanpaolo and other major banks, along with payment infrastructure and financial regulatory bodies. The attacks used the group's custom DDoS tool, DDoSia, which recruited volunteer participants through Telegram channels — a crowd-sourced attack model that made the campaign resilient to traditional takedown approaches.
While DDoS attacks typically do not result in data compromise (they overwhelm services with traffic rather than exfiltrating data), their impact on financial services is significant: customers cannot access online banking, payment processing is disrupted, and the institution's operational resources are diverted to mitigation. For DORA purposes, DDoS attacks against financial institutions qualify as ICT-related incidents requiring classification under Art. 17-18 and, if major, reporting under Art. 19.
The campaign's duration — more than three years — and its intensity — 1,500+ attacks — made it the most sustained hacktivist campaign against European financial infrastructure in the DORA era, and a definitive test of DORA's Pillar V information sharing provisions.
The Approach
DORA's Pillar V in Action
The NoName057(16) campaign and its ultimate takedown provide the most comprehensive real-world demonstration of DORA Pillar V (Art. 45-49) information sharing provisions in operational practice.
Art. 45 — Information Sharing Arrangements
Art. 45(1) states that financial entities "may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing enhances the digital operational resilience of financial entities." The Italian financial sector's response to NoName057(16) is a textbook implementation:
- Indicators of compromise (IOCs): DDoSia infrastructure IP addresses, Telegram recruitment channels, attack traffic signatures, and command-and-control indicators were shared across financial entities through formal and informal channels.
- Tactics, techniques, and procedures (TTPs): The NoName057(16) operational pattern — event-driven targeting, Telegram-based recruitment, DDoSia tool deployment, multi-vector DDoS approaches — was documented and shared to enable predictive defense (anticipating attacks based on geopolitical event calendars).
- Configuration tools: Anti-DDoS configurations, traffic filtering rules, and mitigation strategies were shared between institutions to improve the speed and effectiveness of response across the sector.
Art. 17-23 — Incident Classification and Pattern Detection
Each DDoS attack against an Italian financial institution was an ICT-related incident under Art. 17. The standardized classification criteria — including duration, service impact, geographic scope, and client impact — enabled consistent categorization across institutions. When these standardized incident reports were aggregated, the pattern of a coordinated campaign became visible far faster than it would have under inconsistent, institution-specific classification schemes.
For attacks that met the major incident threshold (Art. 18), NCA notification under Art. 19 created a regulatory information flow that complemented the inter-institutional intelligence sharing. NCAs receiving multiple major incident notifications from different financial entities, all describing similar DDoS patterns, could rapidly identify the systemic nature of the campaign and coordinate with law enforcement.
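An added illustration (not part of the original case study, and not a DORA reporting template) of why aggregated, consistently classified reports expose a campaign that no single institution can see: constructed incident reports are grouped by traffic signature and by proximity in time. The field names, entity labels, signature ids, and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports. Field names, entity labels and signature ids
# are hypothetical placeholders, not a DORA reporting schema.
REPORTS = [
    {"entity": "bank-a", "start": "2025-01-09T09:05:00", "signature": "sig-A"},
    {"entity": "bank-b", "start": "2025-01-09T11:40:00", "signature": "sig-A"},
    {"entity": "psp-c",  "start": "2025-01-10T08:15:00", "signature": "sig-A"},
    {"entity": "bank-d", "start": "2025-01-09T10:00:00", "signature": "sig-B"},
    {"entity": "bank-a", "start": "2025-02-03T14:00:00", "signature": "sig-A"},
    {"entity": "bank-b", "start": "2025-02-04T09:00:00", "signature": "sig-A"},
]

def find_campaigns(reports, window=timedelta(hours=48), min_entities=3):
    """Flag bursts of same-signature reports that span several institutions.

    Reports are grouped by traffic signature, then split into bursts wherever
    the gap between consecutive reports exceeds `window`. A burst counts as a
    campaign only if at least `min_entities` distinct institutions reported.
    """
    by_signature = defaultdict(list)
    for r in reports:
        by_signature[r["signature"]].append(
            (datetime.fromisoformat(r["start"]), r["entity"]))

    campaigns = []
    for signature, events in by_signature.items():
        events.sort()
        burst = [events[0]]
        for event in events[1:] + [None]:      # None flushes the last burst
            if event is not None and event[0] - burst[-1][0] <= window:
                burst.append(event)
                continue
            entities = sorted({entity for _, entity in burst})
            if len(entities) >= min_entities:
                campaigns.append({"signature": signature, "entities": entities,
                                  "first_seen": burst[0][0],
                                  "last_seen": burst[-1][0],
                                  "reports": len(burst)})
            if event is not None:
                burst = [event]
    return campaigns

def visible_to(entity, reports):
    """Campaigns detectable from one institution's own reports alone."""
    return find_campaigns([r for r in reports if r["entity"] == entity])

if __name__ == "__main__":
    for c in find_campaigns(REPORTS):
        print(c["signature"], c["entities"], c["first_seen"], c["last_seen"])
    print("bank-a alone:", visible_to("bank-a", REPORTS))
```

The grouping only works because every reporter labels the same traffic with the same signature value, which is the role the standardized classification criteria play in the text above.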
Art. 45(2) — TLP Classification
Art. 45(2) references the use of Traffic Light Protocol (TLP) for classifying shared information. The Italian financial sector's threat intelligence sharing used TLP classifications to manage the sensitivity of different intelligence elements — allowing broad sharing of DDoSia IOCs (TLP:GREEN) while restricting attribution details and law enforcement operational information (TLP:AMBER or TLP:RED) to authorized recipients.
The Enforcement Outcome
The July 2025 Europol takedown demonstrated the ultimate value proposition of DORA Pillar V: information sharing that starts with individual incident reports, aggregates into campaign intelligence, enables attribution, and culminates in law enforcement action that eliminates the threat. This intelligence-to-enforcement pipeline is exactly what DORA Art. 45-49 was designed to support.
The Results
Takedown, Arrests, and the Information Sharing Value Proposition
The dismantling of NoName057(16)'s infrastructure in July 2025 represented a successful outcome of the intelligence-to-enforcement pipeline that DORA's Pillar V is designed to enable.
Operational Results
- Infrastructure seized: Europol's Operation PowerOFF dismantled the DDoSia attack infrastructure, removing the platform's ability to launch coordinated DDoS attacks against European targets.
- Arrests: Suspects were arrested in France and Spain — two of the countries where the attacks had been most intensive.
- Wanted notices: Six Russian nationals were identified as wanted in connection with the campaign, establishing a deterrence baseline for future hacktivist operations targeting financial infrastructure.
- Cross-border coordination: The operation involved law enforcement from multiple EU member states, coordinated through Europol's European Cybercrime Centre (EC3), demonstrating the cross-border cooperation that DORA's information sharing framework supports.
The Three-Year Intelligence Accumulation
The successful takedown after three years of sustained attacks underscores a critical point about information sharing effectiveness: the value of shared intelligence compounds over time. Individual DDoS incident reports, aggregated across institutions and over time, created a pattern picture that enabled attribution, infrastructure mapping, and ultimately operational planning for law enforcement action.
In DORA terms, this means that Art. 45 information sharing arrangements are not valuable only during an active incident — they are most valuable when maintained consistently over time, building the collective intelligence picture that enables both predictive defense and law enforcement action.
Implications for Financial Sector Resilience
1. Geopolitical threat modeling is necessary. The NoName057(16) campaign demonstrated that financial institutions must include geopolitically motivated cyber operations in their threat models. DORA Art. 5-6 ICT risk management frameworks should explicitly address hacktivist DDoS as a risk category, with threat assessment linked to geopolitical event calendars.
2. DDoS resilience is a DORA requirement. While DDoS mitigation is well-understood technically, DORA Art. 9 protection and prevention requirements and Art. 24-25 resilience testing requirements mean that DDoS resilience must be tested, documented, and validated — not just assumed based on the availability of anti-DDoS services.
3. Information sharing creates enforcement outcomes. The progression from individual incident reports to Europol takedown validates DORA's thesis that information sharing is not just defensive — it enables offensive law enforcement action that eliminates threats at the source.
4. Sustained campaigns require sustained intelligence sharing. A three-year campaign cannot be addressed by ad-hoc intelligence exchanges. DORA Art. 45's formal information sharing arrangements — with governance, confidentiality protections, and sustained operational commitment — are necessary for campaigns of this duration and complexity.
5. Cross-sector coordination amplifies effectiveness. The NoName057(16) campaign targeted both financial institutions and government services. Effective intelligence sharing extended beyond the financial sector CERT to include government cybersecurity agencies, demonstrating that DORA's information sharing arrangements are most effective when connected to broader national and European cybersecurity frameworks.
Lessons Learned
1. DORA Art. 45-49 information sharing provisions were validated in operational practice: the intelligence pipeline from individual DDoS incident reports to Europol campaign takedown demonstrates the enforcement value of systematic information sharing.
2. DORA Art. 17-23 standardized incident classification enables cross-institutional pattern detection: consistent categorization of DDoS attacks across Italian financial institutions made the NoName057(16) campaign pattern visible faster than institution-specific classification would have.
3. Geopolitically motivated cyber operations must be included in DORA Art. 5-6 ICT risk management frameworks. Hacktivist DDoS follows geopolitical event calendars, not financial opportunity calendars.
4. DORA Art. 24-25 resilience testing must include DDoS scenarios calibrated to real-world campaign intensities, not just synthetic stress tests.
5. Sustained hacktivist campaigns require sustained intelligence sharing arrangements. Ad-hoc exchanges are insufficient for three-year campaigns — formal Art. 45 arrangements with governance and operational commitment are necessary.
6. Cross-sector intelligence sharing (financial sector + government agencies) amplifies effectiveness. DORA information sharing arrangements should be connected to broader national cybersecurity frameworks.
Disclaimer: This case study is based on anonymized data from real-world DORA compliance programmes. Names, specific figures, and identifying details have been changed to protect confidentiality. The outcomes described are specific to the institution's context and may not be directly replicable.