Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Redazione RHC : 11 December 2025 09:34
What we wrote in the article ” Patriotic Code: from DDoSia and NoName057(16) to CISM, the algorithm that shapes youth for Putin ” on Red Hot Cyber on July 23rd is now fully consistent with the information made public by the United States Department of Justice .
Back in July we described how DDoSia worked and the role of NoName057(16) in recruiting volunteers for DDoS attacks via Telegram, highlighting how behind what appeared to be an activity of ” patriotic cyber-volunteering ” there was a centralized coordination and infrastructure attributable to figures linked to the CISM , a pro-Russian government body. Today’s documents and accusations confirm that these tools and networks were used to support Russian geopolitical interests, hitting critical infrastructures and strategic targets around the world.
The correspondence between our investigative observations and the official indictments demonstrates that the logic of centralized coordination and the connection with Russian institutions were concrete elements, not hypotheses.
The U.S. Department of Justice yesterday announced two new indictments against Victoria Eduardovna Dubranova , 33, also known by the nicknames Vika, Tory, and SovaSonya, for her role in cyberattacks and computer intrusions targeting critical infrastructure in support of Russian geopolitical interests.
Dubranova, who was extradited to the United States on the first count related to the CyberArmyofRussia_Reborn (CARR) group, was also formally charged today for her actions in support of NoName057(16) (NoName) . She has pleaded not guilty on both counts; the trial for NoName is scheduled for February 3, 2026, while the trial for CARR is scheduled to begin on April 7, 2026.
“Today’s actions demonstrate the Department’s commitment to countering malicious Russian cyber activity, whether conducted directly by state actors or their criminal proxies, aimed at advancing Russia’s geopolitical interests,” said Assistant Attorney General for Homeland Security John A. Eisenberg. “We remain steadfast in defending the essential services, including the food and water systems that Americans rely on every day, and holding accountable those who seek to undermine them.”
According to the charges, the Russian government financially supported both organizations, allowing them access to cybercriminal services, including subscriptions to DDoS-for-hire platforms. CARR, also known as Z-Pentest , was founded, funded, and directed by the GRU and has claimed responsibility for hundreds of attacks globally, targeting critical U.S. infrastructure, public water systems, meat processing plants, and even election sites.
NoName057(16), on the other hand, operated through a crowd-hacking system called DDoSia , distributed via Telegram to volunteers recruited around the world. Users were incentivized with cryptocurrency payments based on the number of DDoS attacks performed, following daily leaderboards published by the group. Victims included government agencies, financial institutions, and strategic infrastructure such as ports and public railways.
Red Hot Cyber had already observed the functioning of DDoSia and the infrastructure of NoName057(16) in February 2025, describing an ecosystem that, while appearing to be a voluntary activity, showed clear elements of centralized coordination. Analysis of the DDoSia client revealed hidden C2 servers, which issued encrypted commands to users and coordinated simultaneous attacks, confirming an organizational logic beyond simple “voluntary” participation.
The investigations of Operation Eastwood , conducted by Europol, led to the dismantling of over 100 servers in five European countries and the arrest of several individuals in France and Spain. The investigation also highlighted the role of key figures such as Maxim Nikolaevich Lupin , director general of the CISM (Centre for the Study and Monitoring of the Youth Environment) , and Mikhail Yevgenyevich Burlakov , associate professor and deputy director of the same centre.
The CISM, while officially committed to youth protection and the prevention of harmful content, has documented ties to the infrastructure used by NoName057(16). Burlakov is credited with designing the DDoS client and managing the servers used for the attacks, while Lupin managed the strategic direction of operations. Internal documents and OSINT evidence show an overlap between youth re-education activities and cyber attack tools, raising questions about the boundary between social control and cyber operations.
The charges against Dubranova include conspiracy to damage protected computers, computer fraud, and aggravated identity theft, with maximum sentences of up to 27 years in prison for CARR-related actions and up to five years for NoName. In parallel, the U.S. State Department is offering rewards of up to $10 million for information on individuals linked to NoName and up to $2 million for information on CARR.
According to U.S. agencies, pro-Russian hacktivist groups like CARR and NoName are exploiting poorly secured remote connections to infiltrate critical infrastructure systems, causing significant physical and operational impacts. The FBI, CISA, NSA, and other agencies have reaffirmed their determination to identify and neutralize these actors, emphasizing the importance of protecting essential services such as water, energy, and transportation.
Redazione