Recently, a joint European-led operation combining the efforts of several law enforcement agencies successfully disrupted the activities of a pro-Russian hacktivist group known as NoName057(16). Dubbed “Operation Eastwood,” the collaboration proved highly effective in degrading 100 servers of the group’s worldwide infrastructure that had been used to execute thousands of attacks against Ukraine and its supporters during the Russia-Ukraine conflict, targeting government agencies, media, and private companies. In addition to dismantling the network, reporting indicates that as a result, seven arrest warrants were issued and two arrests were made. This is a significant development given the evolution of NoName057(16) from a politically motivated group to one that quickly expanded the scope and sophistication of its campaigns, making it one of the more prolific hacktivist collectives in the world.
The effort was almost Herculean, requiring streamlined cooperation from numerous stakeholders and partners, and it provides valuable insight into how such activities can be carried out in the future. Operation Eastwood involved 19 countries and included key law enforcement entities such as the European Union Agency for Cybersecurity, the Joint Cybercrime Action Taskforce, and Europol’s European Cybercrime Centre. Per its website, Europol served as the central hub, coordinating meetings and two operational engagements while also establishing communication channels with private sector partners. It was also instrumental in providing analytic and forensic investigation support throughout the endeavor. Despite the multiple moving parts, Operation Eastwood proved successful, though only very few members of a group composed of an estimated 4,000 members and affiliates were directly identified for arrest.
Still, this international collaboration is noteworthy, as it serves as a viable blueprint for targeting not only politically driven hacktivists that have evolved during periods of geopolitical conflict, but also any of the more organized cybercriminal gangs in the ransomware and business email compromise (BEC) ecosystems. The more advanced ransomware and BEC gangs operate similarly to NoName057(16), with core members at their centers and an array of affiliates cooperating with them, often using infrastructure that extends across a country’s geographic boundaries to conduct their attacks. Furthermore, since most members of these criminal enterprises are located globally, any law enforcement engagement will require a multistakeholder approach with police and legal representatives on board, especially in the absence of a formalized cybercrime treaty, such as the one being developed in the United Nations. Ideally, such a treaty would greatly facilitate the coordination and legal process needed to operationalize international law enforcement takedowns like Operation Eastwood. Perhaps more important is the fact that the results of the Europol-led takedown of NoName057(16) invariably send a message to other groups that act with impunity and get on the radar of international law enforcement: their criminal activities can be addressed in a similar, comprehensive and cohesive manner.
Nonetheless, there is an argument to be made that such operations tend to be short lived, and that while there are some immediate gains, the fluidity and nebulousness of cybercrime make it almost impossible to eradicate. There is some merit to this position: gangs and individuals will come and go, but the pervasive nature of the activity, coupled with a favorable environment within which to work, will ultimately sustain hostile and criminal cyber malfeasance. Simply put, there are too many bad actors to go after, and too many places where they can obfuscate their operations and identities, which raises the question of whether the juice is worth the squeeze. And to some extent this is true; threat actors have enjoyed for far too long the ability to leverage the Internet to their advantage and at the expense of lumbering law enforcement hindered by a tangle of legal restrictions and varying levels of their own capabilities to root out the criminals in their own domain.
But that’s what makes Operation Eastwood so compelling. It provides a proof of concept that can be replicated, if not internationally, then at least on a regional level. An international cybercrime treaty should only accelerate these types of joint endeavors, allowing more governments to get involved and fostering the type of collaboration that can cover more Internet territory in sustained joint operations. This would help tremendously in chipping away at the safe havens where criminal groups hide when they are trying to evade and circumvent law enforcement scrutiny, making even the most minor of successes more impactful among the treaty’s signatories.
This constant pressure will ultimately force these criminal entities to seek out certain governments that they believe will shield them from foreign law enforcement. And this will identify those governments – some we know, some of which we may not be as sure about – unwilling to do their part in taking down these criminals. This then affords the international community the opportunity to use a multi-state platform like the United Nations to apply diplomatic and economic pressure to compel these states’ cooperation in surrendering these criminals for arrest and prosecution. It wouldn’t be the first time that a government did this. Russia, long suspected of letting cybercriminals operate, arrested members of the REvil ransomware gang at the request of the United States, likely to demonstrate a willingness to cooperate with Washington, to avoid some unpublicized consequence, to get something that it wanted, or some combination of the three. Multi-state sanctions could have a similar effect, especially if the governments involved are valuable partners to the offending state’s political and economic interests. While this won’t eliminate these threat actors, it could be just the initiative that causes a meaningful reduction in the more egregious cyber attacks, like ransomware, that have caused substantial problems for all industries and sectors.
The most dangerous advantage these cybercriminal organizations possess is their structure: they are highly organized, globally connected, and often backed – directly or indirectly – by state actors. Combating them requires more than isolated efforts. It demands sustained, coordinated international action that denies them safe harbor, disrupts their operations, and imposes real consequences on those who support or tolerate them. Only by working together and sharing intelligence, closing jurisdictional gaps, and applying unified pressure can nations shift the balance, forcing these actors into a defensive posture and steadily dismantling the environments that enable them. In short, confronting this global threat requires a truly global response. And now with Operation Eastwood, there is a plan for them to follow.