A detailed analysis of the hacker group Noname057(16), known as the Russian Cyber Army. The identities of the participants, their methods, and their connections to Russian state structures are revealed.
The hacker groups Russian Cyber Army and Noname057(16) have been operating in parallel since late 2022. Noname057(16) created a project that includes the DDoSia malware, designed to carry out DDoS attacks, in particular against NATO countries. In September 2024, these groups probably merged into one structure. It is assumed that the project is funded by Russian state structures. A feature of their botnet is that it pays rewards to users for the resources provided for attacks. There is a series of attacks that are associated with these groups.
USA. Two individuals – Yulia Pankratova and Denis Degtyarenko – appear on the US sanctions lists, who are associated with Noname057(16). These documents also mention the name Cyber Army of Russia Reborn (CARR). Despite the frequent mention of both names in the context of cyberattacks, the exact relationship between them is still under analysis.
Netherlands. In August 2023, the group carried out DDoS attacks on the websites of several Dutch organizations. In particular, the websites of the ports of Rotterdam, Amsterdam, Den Helder, and Groningen were disrupted, which remained inaccessible for several hours or even days. These attacks were a response to the Dutch plans to purchase Swiss tanks for Ukraine. The internal systems of the ports were not affected – only public websites were attacked.
In total, Noname057(16) carried out DDoS attacks on government and commercial websites in more than 15 countries, including Ukraine, Canada, the Baltic countries, Denmark, Germany, Norway, Poland, Finland, Italy, the Czech Republic, the United Kingdom, and others. The main targets were government institutions, banks, transport companies, media, and other objects. The attacks were politically motivated, as these countries supported Ukraine.
In their interviews published on Telegram, hackers Noname057(16) boast of creating an alliance of pro-Russian hackers called the Holly League, which opposes the “collective West” and the “deep state”. For example, in an interview with Spanish cyber expert Rafa Lopez for Bit Life Media, they quoted Russian poet Alexander Blok: “Millions are with you. We have darkness, darkness, and even more darkness. Try to fight us!”.
Yulia Pankratova also gave an interview to the blog KnightPentest, in which she noted that France was attacked twice: the first time – due to violations of Christian norms during the preparation for the 2024 Olympics, the second time – in support of Pavel Durov.
This group continues to pose a serious threat in cyberspace due to its politically motivated attacks.
Administrators
@nn05716Роль: Administrator Full name: Панкратов Артем Владимирович
@MotherOfBearsРоль: Administrator Full name: Журавлева / Панкратова Юлия Владимировна
@vetal2020Роль: Administrator Full name: Прядка Виталий Виталиевич
@Rabbn1Роль: Administrator Full name: Маскайкін Илья
@simplusertgРоль: Administrator Full name: Осауленко Николай Дмитриевич
@t96_kaРоль: Administrator Full name: Титов Кирилл Андреевич
@tory12345666Роль: Administrator Full name: Дубранова Виктория Эдуардовна
@Timea_RichРоль: Administrator Full name: Крайнов Александр Сергеевич
@sturm_29Роль: Administrator Full name: Смородин Дмитрий Николаевич
@Monaxxx666Роль: Administrator Full name: Шевляков Евгений Иванович
@ArchLinuxrootuserРоль:Administrator Full name: Билялов Мурат Дамирович
The photo above shows a key member of the Russian Cyber Army community / Noname057(16). He, together with his wife — Zhuravlyova / Pankratova Yulia (Telegram nickname — @MotherOfBears) — administers the corresponding group in Telegram. Artem was the founder of several legal entities (1, 2, 3, 4), which had KVEDs related to trade and construction. However, entrepreneurial activity could not help him get rid of debts. Currently, Pankratov is the owner of the company sipconstruct (instagram: inst), which specializes in construction.
On social media, Artem mainly publishes Russian propaganda. Among his posts are also several publications where he talks about the success of the hacking attacks of the NoName057 community. On Telegram, he is subscribed to pro-Russian channels, such as “русская идея”, but at the same time is interested in topics related to emigration and is learning Spanish.
A comment in Spanish was discovered, left in the discussions of the group “Informa Pirata: informazione e notizie”, dedicated to cybersecurity and digital rights. In it, Artem wrote: “Here is the link to the Telegram channel of this group”, attaching a link to the Russian hacking community. This comment appeared during a discussion of the news about the DDoS attack of the NoName057 hackers on the website of the Italian Ministry of Defense. Probably, in this way he tried to advertise his community.
In addition, Artem is subscribed to the group “Canadian returnees”. He is actively trying to advertise his hacking community in various Telegram groups. Here’s what his ad looks like:
Date of birth: 04/23/1984
Known addresses:
Social networks:
Emails:
Phone numbers:
+79945555499
+79271498929
+78452961555
+78452913231
Documents:
Passport: 322320313
TIN (Taxpayer Identification Number): 645116260584
SNIOR (Individual Personal Account Insurance Number): 11225845627
Date of birth: 06.04.1984
Place of residence: Anapa
Known address: Moscow, Klyazminskaya Street, building 7, building 2, apt. 25
Social networks:
E-mail:
Phone numbers:
+79096606594
+79650611488
+79384217931
+79853920040
+79162301826
Documents:
Passport: 4507084340
TIN (Taxpayer Identification Number): 771770724400
SNIOR (Individual personal account insurance number): 14264694170
Vitaliy is originally from Zaporizhia Oblast. His Telegram account has been active since 2021. According to available information, Vitaliy has previously been convicted of theft. In 2019, he visited Moscow.
His interests include gardening and marijuana. In Telegram, Vitaliy is a member of groups such as @baraholkabkm (Flea Market of the Autonomous Community: Kushugum, Balabyne, Maloekaterynivka) and @otgKushugum. It is also likely that Vitaliy owned or still owns a Chevrolet Lacetti.
Date of birth: 29.03.1996
Known address: Zaporizhia region, Zaporizhia district, Malokaterinivka settlement
Social networks:
E-mail:
A teenager from Russia, probably from Mordovia. He shows interest in supporting the Russian military and hacktivism. His interests also include the Russian Navy, fundraising (likely for the needs of the Russian military), malware, and conducting DDoS attacks. His Telegram account was registered in April 2023.
Date of birth: 27.04.2006
Teaching:
As of December 2023, he was a student in grade 11
Educational institution: Lyceum of the Elnykovsky Municipal District
Achievements: Prize winner in history in the 2023-2024 academic year
Known address:
village of Mord. Maskkinski Vysilky, Zarichna st., building 33, apt. 2
Social networks:
E-mail:
Phone number:
Osaulenko considers his work extremely dangerous, claiming that “everything could end at any second.” However, as it turned out, this “dangerous” activity is related to work in state construction at the FSUE “Main Military Construction Administration for Special Objects.” This organization is engaged in the construction of special and often classified facilities, such as military bases, underground bunkers, strategic infrastructure, and other facilities with a high level of secrecy. Like other members, Osaulenko is part of the channel’s administration.
This account, from which he administers the DDoSia Project group, has belonged to him since 2024. Osaulenko is interested in network intelligence, doxing, penetration testing, and deanonymization. In addition, he is probably a member of hacker communities and reads the “Vaccination from Sex” group. There is also an assumption that he has a wife and child.
Date of birth: 14.09.1989
Known address: Росія, Республіка Мордовія, Зубово-Полянський район, с. Тарханська Потьма, вул. Лісна, буд. 58
Social networks:
E-mail:
Основна: [email protected] (пруф)
Phone numbers:
Documents:
Passport: 8909133283
TIN (Taxpayer Identification Number): 130802586462
SNIOR (Individual Personal Account Insurance Number): 14642127949
Vehicle:
Car brand: ВАЗ/Lada 2170/Priora
License plate: К930ЕУ13
VIN: XTA21703080082160
Professional activity:
Work in 2019: Moscow branch of the FSUE “Main Military Construction Directorate for Special Facilities”
He has close ties to the DDoSia and Noname057(16) projects, and turned out to be a Russian “oppositionist” who in 2021 provided financial support to the Anti-Corruption Fund (FBK) headed by Navalny. This is Titov Kirill Andreyevich, who uses the nickname @t96_ka. He holds the position of administrator of the Telegram channel, which collects educational resources related to hacker attacks, including materials for the ddosiaproject.
Until 2021, Titov worked as an operator of electronic computers and computing machines at the BUZ of the Lyskinskaya District Hospital.
Date of birth: 05/22/1996
Known address: Voronezh region, Lysky city, Sechenov st., building 45, apt. 1
Social networks:
E-mail:
Phone numbers:
Documents:
Passport: 2016954088
TIN (Taxpayer Identification Number): 365205093629
Date of birth: 12.08.1991
Social networks:
E-mail:
Telegram:
TG id: 6634849144
Nicknames: @viktorya_design, @tory12345666
Famous nicknames:
sovasonyasouls
viktorya_design
The nickname @Timea_Rich is probably a Russian military man. The owner of this Telegram profile is probably Alexander Krainov, currently residing in Ivanovo, Ivanovo Oblast, Russia. Krainov served in the Russian Airborne Forces, in particular, in the 31st Separate Airborne Assault Brigade.
It is likely that Krainov is the owner of the cybersports media cyberivanovo, since his email is tied to the cyberivanovo.bitrix24.ru account. His probable IP address 80.70.96.55 is associated with the city of Kineshma, and his probable IP in the city of Ivanovo is 78.111.152.229.
Date of birth: 10.12.1988
Social networks:
E-mail:
Phone numbers:
+79203465882
Telegram:
Bank card:
Number: 4584432849775797 (validity period: до 31.11.2028)
Online activity:
Russian Cyber Army and Noname057(16) are aggressive pro-Russian hacking groups that use the Ddosia tool to carry out large-scale cyberattacks. Russian Cyber Army emerged in the wake of Russia’s aggression against Ukraine and has since been actively targeting both government and private organizations that oppose Russia. Their methods include DDoS attacks, website hacking, and the targeted distribution of pro-Russian propaganda.
Noname057(16), the developers of Ddosia, are focused on attacks against government agencies and private companies in Lithuania, Poland, Italy, and other countries that are critical of Russia. The group actively recruits new members via Telegram, promising financial rewards for participating in attacks. They also have close ties to other pro-Russian hacking groups, such as Killnet and XakNet, which allows them to scale up their attacks.
