Since the onset of the Ukraine war, Europe has witnessed a disturbing surge in hybrid sabotage operations, from the deliberate damage to undersea cable infrastructure in the Baltic Sea, to the incendiary attack on Warsaw’s largest shopping mall, and even the targeted harassment of pro-Ukraine figures in Estonia. These acts are not isolated incidents; they represent a coordinated campaign of low-intensity disruption that is reshaping Europe’s security architecture.
What sets this new wave of subversive activity apart is its tactical composition. Unlike Cold War-era espionage, where professional intelligence officers operated under diplomatic cover, today’s operations are increasingly outsourced to untrained, low-cost assets. Many of these individuals are amateurs recruited via social media platforms, often driven by financial incentives rather than ideological loyalty. Some are barely adults, others oblivious to the broader geopolitical consequences of their actions. They are the mercenaries of the digital age, remote-controlled actors in a deniable war.
This emerging modus operandi reflects a broader adaptation to the digital ecosystem. In a world where recruitment, training, and payment can occur without physical contact or state attribution, traditional counterintelligence models struggle to keep pace. Russia’s use of such decentralized, expendable assets shows the appeal of gray zone warfare – actions that fall below the threshold of open conflict but still achieve strategic disruption.
However, the deniability that once shielded such operations is increasingly under strain. The arrest and interrogation of amateur operatives across Europe have begun to expose the scaffolding behind these campaigns, implicating Russian intelligence in more direct terms. In response, Western governments are starting to redraw the contours of deterrence in the gray zone.
Initiatives like NATO’s Baltic Sentry – aimed at securing vulnerable maritime infrastructure and the Biden administration’s explicit warnings against Russian-directed mail bomb plots in North America, signal a nascent but evolving counter-strategy. These are attempts to impose diplomatic and kinetic consequences on activities that once operated in a legal and strategic vacuum.
Yet, the rules of engagement in this shadow conflict remain fluid and fragmented. The West is only beginning to define what constitutes a red line in the hybrid warfare arena. Meanwhile, the Kremlin continues to exploit ambiguity, leveraging chaos at low cost while sowing strategic uncertainty.
As the contours of this invisible war sharpen, Europe and its allies must struggle with a key question – how to fight a war that no one officially declares, but everyone increasingly feels.
Baltic Sea Undersea Cable Sabotage
Tactics: State organs enlist a third party that would typically operate in the target maritime space; for example, a captain of a commercial vessel. The third party then drops anchor near the target and proceeds to drag it along the seabed until the cable is severely damaged or cut outright. This tactic is particularly well suited to the Baltic Sea due to its shallow waters and critical undersea cable infrastructure (data and energy).
Benefits: There are three benefits so far as the state sponsor is concerned. The first is the low operating cost, which is basically the money needed to enlist the third party. The second is deniability since these gray zone operations do not directly involve any state instruments in performing the sabotage. The possibility of accidental damage provides another layer of deniability that is often invoked by detained crews, and potentially with all sincerity, since accidental anchor-related damage is a common cause of undersea infrastructure destruction. Third, damage to undersea infrastructure can have major economic impacts, costing anywhere between €5 million and €150 million to fix, with repairs taking months if not years to complete.
Costs: The question of how to create costs is not one that is easily answered, and herein lies the strategic appeal of gray zone warfare in the first place. Doing too much risks kinetic conflict; but doing too little invites more sabotage in the future. Littoral stakeholders have made efforts to hold individual captains and crews to account. There is also a more concerted military strategy to safeguard Baltic infrastructure. In January 2025, NATO announced the ‘Baltic Sentry’ initiative, which will deploy frigates, patrol aircraft, and maritime drones to monitor critical infrastructure in the area. Notably, the deployment will have the power to board, impound, and arrest crews suspected of sabotage.
Notable Incidents
Nord Stream (September 26, 2022): An underseas explosion renders the Nord Stream natural gas pipelines linking Germany and Russia inoperable. In the immediate aftermath of the explosion, fingers are pointed at all sides. Since then, Sweden, Denmark, and Germany have conducted separate investigations into the cause. The first two ended inconclusively, while the German one alleges the possible involvement of Ukrainian divers, trained in Poland.
BCS East-West / C-Lion1 (November 17-18, 2024): Two undersea cables are severely damaged in less than 24 hours, with the China-flagged bulk carrier Yi Peng 3 operating in the area at the time. China allows representatives from Germany, Sweden, Finland, and Denmark to board the ship, though it refuses entry to the Swedish prosecutor leading the investigation. The ensuing report notes that the Yi Peng 3 dragged its anchor for 1.5 days across 180 nautical miles, coinciding with the time of the cable breaks. Yet in the report’s final judgement, while emphasizing that the investigation was hampered by limited access, it declares that there’s no way to conclude either deliberate sabotage or accidental anchor deployment.
Estlink 2 (December 25, 2024): The Estlink 2 electricity connection between Finland and Estonia goes offline, prompting the Finnish authorities to detain the 24-strong crew of the Eagle S – a tanker believed to belong to Russia’s ‘shadow fleet.’ The Eagle S has since been allowed to leave, and three crew members remain detained as the investigation continues. The Estlink 2 is expected to be back online sometime in July.
Latvia-Sweden Cable Damage (January 26, 2025): Latvian government announces damage to a fiber optic cable linking Latvia and Sweden. The Maltese-flagged ship Vezhen is boarded and detained by Swedish authorities before being cleared of sabotage and released in February.
Europe Arson and Espionage Campaign
Tactics: Echoing the playbook used in the Baltic Sea sabotage operations, state-linked actors in this campaign rely on proxy operatives – criminals, ideological sympathizers, or financially desperate individuals – to carry out acts of arson, vandalism, and low-level sabotage. Increasingly, these recruits are sourced through online platforms such as Telegram, leading to an uptick in amateur and ad-hoc operations. The goal is psychological as much as material: to foment disorder, erode public trust, and stretch internal security resources across Europe.
Benefits: Three strategic advantages make this campaign attractive to state sponsors:
—Low-cost recruitment via online or offline methods, often with payments made in cryptocurrency and promises of material rewards (e.g., vehicles, housing).
—Low diplomatic fallout, as operatives are not official agents and can be disowned if caught.
—High deniability, as small-scale acts of sabotage rarely attract immediate geopolitical scrutiny, and absent clear evidence, linking them to a state sponsor remains speculative.
Costs: The same factors that make these operations cheap also introduce vulnerabilities. Amateur operatives are more prone to capture and more likely to confess under pressure, revealing operational details that degrade the effectiveness and secrecy of the overall campaign. With every arrest, the ‘gray zone’ narrows, increasing the political cost of continued sabotage.
Notable Incidents
Poland Amateur Spy Ring (November 2023):
16 foreigners are charged with espionage, accused of surveilling ports, military assets, and trains entering Ukraine, and spreading pro-Russian propaganda. All were recruited via Telegram, paid in crypto, and some received logistical support including housing and vehicles.
Estonia Vandalism (December 8, 2023):
Cars belonging to Estonia’s Interior Minister and a journalist are vandalized. Seven are convicted, including activist Allan Hantsom (sentenced to 6.5 years). The group allegedly acted under GRU direction, with a €10,000 bounty for the operation.
Poland Paint Factory Aborted Arson (January 2024):
Ukrainian national ‘Sergei S’ is caught attempting to flee after failing to ignite a Polish paint factory. Despite not completing the mission, he is sentenced to 8 years. He was allegedly recruited and paid via Telegram.
Warsaw Hardware Store Arson (April 14, 2024):
A large-scale arson at a Warsaw hardware store causes €840,000 in damage. Belarusian suspect ‘Stepan K’ is charged, accused of acting on behalf of Russian intelligence.
Vilnius IKEA Arson (May 9, 2024):
A fire guts the IKEA store in Vilnius, Lithuania. Ukrainian teenager Daniil Bardadim is arrested and charged with terrorism. Prosecutors allege GRU-linked agents promised him an old BMW and $11,000 in cash.
Marywilska Shopping Center Arson (May 12, 2024):
One of the largest fires in Poland’s recent history destroys the Marywilska 44 shopping complex. Authorities allege it was carried out by an organized criminal group linked to Russian intelligence. The incident is reportedly connected to the Vilnius IKEA case, with Bardadim and four others—including suspected Russia-based handler Oleksander V.—named as conspirators. In response, Poland orders Russia to shut its Krakow consulate.
DHL Package Explosions & Ongoing Parcel Sabotage Campaign
Tactics: The campaign leverages international shipping logistics to introduce high-risk sabotage operations capable of inflicting significant economic and psychological damage. Using seemingly innocuous packages sent via legitimate courier networks, operatives attempt to plant incendiary or explosive devices – specifically magnesium-based compounds designed to ignite mid-flight. The approach exploits both the scale and anonymity of global freight systems, while placing the burden of security on already overextended logistical chains.
Benefits:
Deniability: Packages originate from non-Russian territories (e.g., Lithuania), obscuring attribution.
Global reach: Access to commercial shipping networks allows the threat to span continents, with minimal physical footprint from operators.
Escalation pressure: The mere threat of a successful trans-Atlantic incident (e.g., a mid-air explosion over North America) serves as a high-leverage geopolitical tool, compelling direct backchannel warnings and diplomatic engagement.
Costs:
High strategic risk: Any successful attack resulting in loss of life or aircraft would risk immediate and severe international backlash.
Operational exposure: Once patterns are detected, the physical and digital forensics of parcel shipments—origin data, courier logs, chemical residue—make it easier to trace perpetrators and state affiliations.
Intelligence blowback: As in past sabotage cases, operators often prove unaware of the operation’s true intent, making them prone to confession upon capture and further exposing network structures.
Notable Incidents
DHL Package Explosions (July 2024):
Three packages ignite magnesium-based fires at DHL routing centers in Leipzig, Birmingham, and near Warsaw over a span of 72 hours. All originated in Lithuania and were designed to simulate in-flight ignition, likely to test feasibility for future intercontinental attacks. Intelligence indicates the operation was a dry run for trans-Atlantic sabotage, prompting the Biden administration to issue a direct warning to Moscow. Poland later arrests four suspects, including alleged operative Alexander Bezrukavyi, extradited from Bosnia. Reports suggest some participants were unaware of the packages’ contents, believing they were performing routine courier services.
Second Package Plot (May 2025):
Germany arrests three Ukrainian nationals, charging them with conspiracy to execute parcel-based attacks similar to the 2024 DHL plot. German authorities allege the trio was recruited by Russian intelligence. The operation is especially notable in the context of the 2024 U.S. presidential election, indicating that the election of Donald Trump did not produce any discernible reduction in Russia’s gray zone activities against NATO countries.
