Criminal Networks as Instruments of Hybrid Warfare in Europe

Hybrid warfare refers to the blended use of military and non-military tactics by state or non-state actors to destabilize a target state below the threshold of open war. In Europe, hybrid campaigns increasingly involve criminal networks as tools of disruption. Foreign governments – most prominently Russia, but also others like Iran, China, and North Korea – have cultivated a “shadow alliance” with organized crime groups to advance geopolitical goals while retaining plausible deniability. Criminal activities such as smuggling, cybercrime, money laundering, human trafficking, and sabotage are leveraged to weaken European states internally.

State actors exploit criminality in hybrid warfare to undermine societies from within. Rather than relying solely on spies or soldiers, hostile actors recruit or collude with organized crime groups (OCGs) and other criminals as proxies. These criminal proxies engage in a “broad range of criminal activities and tactics”on behalf of foreign powers – including sabotage, arson, cyber-attacks, data theft, smuggling of goods or people, and even contract killings. By outsourcing dirty work to criminals, state sponsors conceal their own hand and sow chaos under the guise of “ordinary” crime. Europol warns that criminal networks are increasingly operating as proxies for hostile state actors in hybrid warfare operations, amplifying the destabilization threat to Europe.

Deniability and Mutual Benefit: The attraction of this alliance is mutual. For state actors, criminals provide ready-made illicit infrastructures – from smuggling routes to hacking tools – and a layer of deniability if operations are exposed. For criminals, alignment with state actors can mean protection from prosecution, access to state resources or intelligence, and new “business” opportunities (e.g. sanction evasion markets or state-directed cyber attacks). As Europol’s Executive Director Catherine De Bolle observed, criminal groups have begun acting as extensions of external hybrid threat actors, intertwining organized crime with foreign subversion. This convergence has given rise to what scholars term a “spook–gangster nexus” in the case of Russia – essentially an underground coalition of spies and gangsters – and a “crime–terror nexus” whereby state-sponsored criminals perpetrate acts of terrorism or sabotage.

Historical Roots: The use of criminals for covert campaigns is not entirely new. During the Cold War, the KGB occasionally enlisted criminals for “active measures,” and Soviet intelligence cultivated ties with mobsters. However, today’s hybrid warfare has greatly expanded this playbook. Modern technology, financial globalization, and transnational crime networks enable states to employ criminals more systematically and across borders. Russia’s full-scale invasion of Ukraine in 2022 was a catalyst for ramping up such tactics; as one analysis notes, “since the 2022 invasion, [Russia’s] nexus of intelligence operatives and criminals has become even more instrumental” in mitigating sanctions and striking Europe clandestinely. Other adversaries have followed similar paths – for instance, Iran’s intelligence services now commission gangs to carry out assassinations and attacks in Europe, adapting methods pioneered by Moscow.

State and non-state aggressors have leveraged virtually every form of serious crime as a weapon. Key vectors include:

Smuggling and Trafficking: Illicit smuggling networks help hostile states bypass sanctions, move funds and goods covertly, and create crises. After 2022, Russia began extensively using sanctions-busting smuggling routes to obtain banned technologies and export sanctioned commodities. Research indicates that in certain sectors, illicit channels now sustain 11–17% of pre-sanctions trade volumes between Russia and the EU (worth €6.5–10 billion annually). Examples include Russian oil. Practical experience shows that, in addition to components for producing conventional weapons, criminal networks can be used to create weapons of mass destruction, in particular chemical weapons.Russian intelligence has been enlisting members of the Russian diaspora in Europe who own businesses to help evade sanctions and funnel dual-use goods to Russia. In October 2024, for example, Spanish police in the Port of Barcelona seized 13 tons of the solvent N-methyl-2-pyrrolidone (NMP). Shipments of NMP to Russia have been banned since the full-scale invasion of Ukraine because the chemical can be used to produce nerve agents or explosive mixtures.

There are indications that NMP is suitable for manufacturing components of intercontinental ballistic missiles and for batteries used in the secretive Russian submarine “Losharik.”

The case centers on the Oleinikov family—Maria and her two children, Irina and Vyacheslav—who run the Cavina Vinoteca wine restaurant in Barcelona as well as a chain of gastropubs in Moscow and St. Petersburg. At the same time, Irina and Vyacheslav oversee a company exporting Spanish wines to Russia—an effective cover for illicit consignments.

Wine was not the only commodity in their trade. The ultimate recipient of the banned chemicals in Russia was Katrosa Reaktiv, a company co-owned by Maria Oleinikova.

Dual-use chemicals

Between 2022 and 2024, Katrosa Reaktiv received at least 36 shipments of prohibited chemicals spanning 15 categories. The primary item was the solvent NMP.

To obscure the true end users, the shipments were routed through front companies in Armenia and Kyrgyzstan. On paper, the cargo was destined for those countries; in practice, it entered Russia via Belarus. One intermediary was the Belarusian firm Vlate Logistic, which has been linked to three of Alexander Lukashenko’s so-called “wallets”—businessmen Alexander Zaitsev, Alexei Oleksin, and Nikolai Vorobey.

Katrosa Reaktiv’s clients

Several of Katrosa Reaktiv’s customers are closely tied to Russia’s military sector, including:

The State Research Institute GosNIIOKhT, developer of “Novichok” nerve agents; the 18th Central Research Institute of the Defense Ministry, which works with the GRU;
The Research Institute of Applied Acoustics, sanctioned by the United States for procuring chemicals used to produce toxic agents;
NPP Radar MMS, which manufactures missile guidance systems.
Despite the European Union’s stringent restrictions, Russia’s military-industrial complex—working through its intelligence services—continues to find pathways to acquire strategically important substances needed for weapons production. All too often, legitimate enterprises—wine exports, for instance—serve as cover for moving sensitive, prohibited goods.
shipped via “shadow fleet” tankers flying flags of convenience, lumber relabeled through Central Asia, and dual-use electronics funneled through third countries for Russia’s war effort. Human smuggling has likewise been weaponized. In 2021–2022, Belarus (backed by Moscow) orchestrated mass migrant crossings into Poland and Lithuania, working with Middle Eastern and Turkish smuggling gangs to send busloads of migrants to EU borders as a form of pressure. This “weaponization of migration” aimed to destabilize and divide the EU. Europol reports that such state-orchestrated migrant smuggling incidents at the Belarus border reached 150–170 per day at their peak, illustrating the scale of this tactic. Human trafficking rings can also be used to fund proxy groups or sow chaos in targeted societies.
Cybercrime and Cyber Sabotage: Many state-sponsored cyber attacks in Europe blur the line between espionage and organized crime. Ransomware gangs operating from Russia, for example, have conducted crippling attacks on European critical infrastructure and businesses, often with tacit state approval or direction. These gangs profit from extortion while furthering Moscow’s strategic aim of sowing economic turmoil. Europol identifies cyberattacks (especially ransomware) on infrastructure as a top hybrid threat, noting that orchestrated campaigns have hit hospitals, energy grids, and government networks. Digital infrastructure has enabled this partnership: encrypted messaging apps, the dark web, and cryptocurrency allow states and criminal hackers to coordinate anonymously across borders. For instance, EU officials have warned that an encrypted message can now cross into the Union “in less than a second” to order a hit job (such as the assassination of a rival drug dealer) on a regime’s behalf. Criminal hacking expertise also complements state cyber units – North Korean state hackers are notorious for cryptocurrency theft and financial cybercrime (North Korea is even described as “a criminal syndicate with a flag” for its fusion of crime and statecraft). Russia and North Korea’s recent agreements on cyber cooperation raise fears of “a particularly destructive combination” of Pyongyang’s cybercriminal know-how with Moscow’s capabilities.
Financial Crime and Corruption: Illicit finance is the lifeblood of hybrid operations. State actors leverage money laundering networks, illicit trade, and corruption to both fund activities and erode European governance. Russian intelligence and oligarchs, for instance, work hand-in-glove with criminal syndicates to sustain illicit financial flows and evade sanctions. This includes use of shell companies, offshore laundromats, crypto-assets, and underground banking to move money covertly. Europol’s 2025 assessment emphasizes that corruption and money laundering are key enablers that “bridge the gap between the licit and illicit worlds”, allowing criminal networks (and their state benefactors) to infiltrate institutions and “undermine good governance”. A notorious example was the Troika Laundromat uncovered in 2019, which laundered billions from Russia into Europe, allegedly benefitting Kremlin-linked figures and subverting financial systems – a precursor to today’s sanction-evasion schemes. In hybrid warfare, dirty money is used to buy influence (e.g. funding pro-Russian politicians or media), to finance sabotage operations, or simply to create economic dependency. The ease of laundering funds through EU economies (via real estate, luxury goods, crypto, etc.) greatly complicates law enforcement; the Basel Institute notes that Europe still only confiscates about 2% of criminal proceeds, leaving a vast parallel financial underworld intact. Such unchecked illicit finance can bankroll prolonged destabilization campaigns.
Sabotage, Violence and Terrorism: Perhaps the most direct way criminals serve hybrid warfare is by carrying out sabotage and violent acts on European soil at the behest of foreign handlers. Since 2022, Europe has seen a surge in covert attacks – arsons, bomb plots, assassinations, and vandalism – orchestrated by Russian security services using recruited criminals. “Kinetic” hybrid operations documented since 2022 include attempts to derail railway lines carrying Ukraine-bound arms, the torching of telecommunications and energy infrastructure, and the placement of incendiary devices intended to down aircraft. In mid-2023, Polish authorities arrested a spy ring (comprised of Russians, Belarusians, and a Ukrainian) that was plotting to derail trains and destroy hardware bound for Ukraine. In Germany, investigators have foiled or attributed at least two assassination attempts (including a plot to kill the CEO of a major arms manufacturer) and multiple arson bombings since 2022, all traced back to Russian-directed networks. An especially brazen campaign of arson attacks hit Poland and Lithuania in 2023–24: criminals (often unwittingly hired as “contractors”) set fire to a Warsaw shopping mall, an IKEA store in Vilnius, and other public sites. Just this year, prosecutors in Lithuania determined that the GRU (Russian military intelligence) masterminded the IKEA arson, paying two Ukrainian nationals to carry it out. These incidents illustrate how ordinary criminals are turned into agents of sabotage. In many cases the perpetrators are petty criminals or extremists recruited online with promises of quick cash, not fully aware they are working for a foreign spy agency.
Political Interference and Social Disruption: State-linked criminal actors also engage in subtler subversion: intimidation of communities, influence peddling, and incitement of unrest. For example, Chinese triad members and other underworld figures helped operate covert “police stations” in Europe (in Italy, Spain, the Netherlands) which harassed dissidents and spread Beijing’s influence under cover of cultural associations. Russia’s operatives have paid vandals to deface monuments or stage hate crimes to inflame ethnic tensions – as seen in the Baltics, where Russian handlers targeted symbols of Soviet history to provoke discord between Russian-speaking minorities and native populations. In one case, Russian agents in Germany recruited locals to fill car exhaust pipes with foam and leave misleading graffiti blaming climate activists, aiming to stir social conflict. Organized crime networks can also facilitate disinformation efforts – for instance, by selling databases of hacked information or by amplifying propaganda in online criminal forums. All these actions erode public trust and create a climate of fear or polarization, aligning with the aggressor’s strategic intent.

Not all European states are equally targeted by this hybrid criminal warfare. Recent cases since 2022 show a concentration on certain countries due to their geopolitical stance, internal vulnerabilities, or value as targets:

Frontline Supporters of Ukraine: Countries leading European support for Ukraine have borne the brunt of Russian hybrid attacks. Poland stands out as “the most affected country” with at least 20 distinct incidents of Russian-attributed sabotage and subversion from 2022–2024. Polish infrastructure (rails, logistics hubs) has been repeatedly targeted due to Poland’s role as a major transit route for military aid to Ukraine. Nearly one-third of all recorded arson/sabotage attacks in Europe during 2023–24 occurred in Poland, including high-profile blazes at a Warsaw mall and an attempt to bomb a major railway. Germany and France have also seen numerous incidents (around 11–15 each in the same period). In Germany, the incidents skewed toward more severe plots – e.g. assassination attempts and bombings – reflecting its prominence as Europe’s largest economy and a key Ukraine supporter. France experienced a wave of vandalism and public disturbance in summer 2024, timed with the Paris Olympics, consistent with reports of Russian plans to disrupt the event. Baltic states (especially Estonia and Latvia) emerged as “hotspots of kinetic activity”, though often of a symbolic nature – such as attacks on independence monuments or efforts to stir refugee-related clashes. These countries’ significant Russian-speaking minorities and geopolitical exposure make them prime targets for Kremlin proxies aiming to fracture social cohesion.
States with High Corruption and Organized Crime Presence: Countries that suffer from entrenched corruption or powerful local mafias are inherently more vulnerable to hybrid penetration. In Southeastern Europe and the Western Balkans, for instance, Russian influence has long been intertwined with organized crime and corrupt networks. Serbia, Montenegro, and Bulgaria have seen Russia use criminal intermediaries for covert action, leveraging shared Slavic criminal ties and local corrupt elites to secure influence. (A notable early example was the 2016 coup attempt in Montenegro, in which Russian agents allegedly enlisted Serbian nationalists and mobsters to try to overthrow the government.) Since 2022, the Balkans remain a playground for illicit finance to circumvent EU sanctions and a logistics base for Russian intelligence. Bulgaria – an EU state with a history of Russian-linked crime – was the locus of a Russian spy ring discovered in 2023: six individuals (all Bulgarian expatriates) were convicted in the UK for “outsourced” espionage on behalf of the Kremlin. This ring, run by a fugitive Russian-linked financier, involved document forgers and smugglers, exemplifying the melding of espionage and organized crime. Moldova (though not in the EU) also faced destabilization efforts blending crime and proxy agitation, with reports of Russian-trained operatives (some via Balkan camps) attempting to stir unrest in Chișinău. In general, nations where corruption provides openings – through bribe-able officials or ineffective law enforcement – are easier for foreign criminal proxies to exploit. The EU itself acknowledges that “organised crime infiltrating public institutions” is a growing threat to democracy, as it allows foreign powers to hijack local governance from the inside.
Countries with Diaspora/Dissident Targets: Authoritarian regimes often target exile communities or dissidents abroad by hiring criminals in those host countries. Sweden has become a focal point of Iran’s and Turkey’s illicit activities: Sweden hosts Iranian Arab and Kurdish dissidents, and in 2022–2023 Swedish authorities noted a sharp uptick in Iranian intelligence plots. Notably, Iran has “mimicked Russia’s post-2022 approach” by commissioning narcotics gangs (e.g. Sweden’s Foxtrot network) and even biker gangs (like Hells Angels) to conduct kidnappings and assassinations of Iranian critics on European soil. In one confirmed case, a Dutch-Iranian activist was murdered in the Netherlands in 2015 by hired Dutch criminals linked to Iran’s regime. More recently, Sweden’s security service (Säpo) revealed Iranian operatives recruiting gang leaders to attack Jewish and Israeli targets in Sweden – essentially outsourcing terror to local street gangs in exchange for money or pardons. China, for its part, focuses on silencing dissidents among its diaspora in Europe. It uses community gangsters to harass Uyghur, Tibetan, Hong Kong, or Falun Gong activists, as seen with the clandestine “police stations” case. Countries with large diaspora communities (e.g. UK, France, Germany for Russian and Chinese diasporas; Sweden, Germany for Iranian diaspora) thus find themselves on the front line of state-sponsored organized intimidation.
Strategic Infrastructure Hubs: Certain countries are targeted not for their politics per se, but because they host critical infrastructure that, if disrupted, affects broader European security. For example, undersea data cables and energy pipelines in the North and Baltic Seas have been sabotaged by unknown actors widely suspected to be Russian or allied proxies. Norway’s oil and internet infrastructure, Germany’s railways, and trans-European energy interconnectors have all seen mysterious disruptions since 2022, often in regions accessible by Russian ships or operatives. The Nord Stream gas pipeline explosions (Sept 2022), while officially unsolved, are emblematic of hybrid sabotage on shared infrastructure. Meanwhile, countries with major ports or airports(Belgium, Netherlands, etc.) are exploited for smuggling networks that supply sanctioned goods to Russia or narcotics to Europe – generating illicit profit and strategic diversion. Indeed, law enforcement has flagged ports like Rotterdam and Antwerp as infiltration points where Balkan and Russian mafias collaborate, shielded by corruption, thereby threatening the integrity of supply chains. In summary, any European state hosting vital transport, energy, or communication nodes can become a target of hybrid criminal operations aimed at pan-European disruption.

Table: Selected Hybrid Warfare Incidents Involving Criminal Networks (2022–2024)

More on this story: Russian spies – one of the instruments of influence in the Western Balkans

More on this story: Russian intelligence exploits gangs in operations abroad

More on this story: Russian intelligence is leveraging terrorists from international organizations to destabilize European countries.

More on this story: How the Kremlin uses Italian organized crime groups to sponsor pro-Russian forces in Slovakia

The “Spook–Gangster” Nexus: Intelligence Services & Organized Crime

A striking feature of these operations is the close overlap between state intelligence agencies, their proxies, and organized crime groups. In Russia’s case, experts note that “the long-standing adage that Russian intelligence operatives and Russian criminals are ‘the same people’ still applies”. The Kremlin has institutionalized cooperation with mobsters and smugglers, effectively integrating OCGs into its statecraft. This manifests in several ways:

Formal and Informal Integration: Russia has cultivated a “spook-gangster nexus” wherein security services (“spooks”) act in concert with – and sometimes as part of – criminal networks (“gangsters”). Rather than a strict division, officials, spies, oligarchs, and crime bosses operate a blurred ecosystem of illicit enterprise. For example, Russian oligarch Yevgeny Prigozhin (chief of the Wagner Group) embodied this nexus: he combined state authority, mercenaries, and criminal recruits (including prison convicts) to do the Kremlin’s bidding in Ukraine and Africa. The Wagner Group itself grew out of this nexus – initially a “loose confederation of OCGs under Kremlin oversight” (dubbed “Crimintern”) that provided muscle in eastern Ukraine’s 2014 conflict. Organized crime exploits (like smuggling Donbas coal, looting Ukrainian assets, etc.) were intertwined with Russian military operations, with crime groups receiving a cut of profits in exchange for cooperation. The expulsion of many official Russian spies from Europe (after the Skripal poisoning in 2018 and the Ukraine invasion in 2022) further pushed Moscow to lean on criminal operatives as replacements. European agencies observed that following mass diplomat expulsions, Russia began mobilizing civilians, including criminals to carry out its missions – often individuals with no direct formal ties to Russian institutions, enhancing deniability. This indicates a tactical adaptation: by using criminals as “single-use” agents or cut-outs, Russian intelligence can still conduct sabotage and espionage in Europe despite reduced official presence.
Shared Recruitment Pools: Both intelligence services and organized crime draw from overlapping human resources. Many operatives involved in Russia’s recent hybrid plots have criminal backgrounds or connections. A Europol-reviewed study of Russian kinetic incidents (2022–2025) identified 131 perpetrators; **93% were male, ~30 years old on average, and almost all were from post-Soviet countries, often motivated by cash rather than ideology. Crucially, about two-thirds had prior criminal records or histories of violence. Russian spy handlers have recruited from marginal communities: unemployed youth, petty thieves, smugglers, extremists, and even prison inmates. “Moscow often begins with petty criminals — petty thieves, minor drug dealers, or indebted individuals — whose initial role is limited to low-level acts,” then grooms them into more organized networks for larger operations. This mirrors how terrorist groups like ISIS once recruited criminals with the promise of redemption, except now a state is doing the recruiting. The convergence is so deep that in places like Estonia, security services found themselves pursuing the same individuals for both organized crime and espionage threats. In essence, the Kremlin’s spy agencies have become both the patrons and the beneficiaries of Russian organized crime abroad.
Proxy Relationships in Other States: Russia is not unique in this approach. Iran’s intelligence has co-opted criminal gangs for overseas hits, as discussed, effectively mirroring the Russian model in Scandinavia. North Korea’s regime, often called a “Soprano state”, literally runs organized crime operations (like counterfeiting and drug trafficking under its Reconnaissance General Bureau) to finance itself. It recently forged cyber cooperation with Russia, marrying its criminal hacking prowess with Russian state goals. China leverages triads and business crime networks for influence operations, for example using criminal syndicates to monitor dissident diaspora or to acquire embargoed tech via industrial espionage rings. Even Western Balkan governments have been accused of turning a blind eye (or colluding) when it serves their interests. The common thread is opportunism: intelligence agencies will ally with whatever non-state actors (be it militias, extremists, or mafias) can further their aims. Europol cautions that OCGs provide an ideal “fallback option” for states because they come pre-equipped with covert skills, illicit supply chains, and underground contacts. In hybrid warfare, these criminal alliances act as force multipliersfor hostile governments.
Deniability Through Layers: By using cut-outs and criminal middlemen, state actors achieve layered deniability. Russian handlers increasingly recruit and direct agents entirely online – never meeting in person – which makes tracing command-and-control immensely difficult. Payments are made via cryptocurrency or anonymous transfers, and often the immediate “recruiter” of a criminal is not a formal intelligence officer but another already-compromised civilian acting as go-between. This “gig economy of espionage” means many operatives may not even realize for whom they ultimately work; they are told to complete one task for a certain reward, often under some pretext (e.g. vandalize a car to simulate a hate crime, courier a package across a border, etc.). As one former KGB officer reminisced, even in the 1960s the Soviets paid American gang members to paint swastikas on synagogues and hired others to desecrate cemeteries, then used the incidents as propaganda. Today’s tactics are similar in spirit but updated with modern crime-for-hire markets and darkweb recruitment. This multi-layer outsourcing protects the instigating state – if a plot is exposed, it looks like a criminal incident or maybe an extremist action, rather than a state-directed attack. The downside (from the state’s view) is some loss of control or professionalism – indeed Russian officials privately deride their new crop of operatives as “poor man’s saboteurs” – but the trade-off in deniability and quantity of agents appears to be worth I t.

Hostile actors employ criminals as instruments of hybrid warfare. Several strategic goals drive this approach:

Political Influence and Destabilization: The ultimate aim is often to undermine the target nation’s political stability and public order. By fueling crime, corruption and violence, aggressors seek to erode citizens’ trust in government and democratic institutions. For example, a campaign of sabotage or gang violence can make authorities appear impotent, “undermining the democratic norms and values that underpin the West”. Criminal proxies can also directly manipulate politics – through corruption (bribery of officials)or by bolstering extremist groups. Russian-linked crime syndicates have been implicated in illicit party financing and disinformation in Europe to promote pro-Kremlin politicians, thereby shifting policies from within. In the Balkans, organized crime influence on media and elections (often backed by Moscow) has skewed democratic processes. Moreover, transnational crimes like migrant smuggling have been used as geopolitical bargaining chips, as seen when Turkey and Belarus have intentionally opened the floodgates of migrants to pressure the EU on policy concessions.
Economic Damage and Resource Drain: Criminal activities can impose direct economic costs on targeted states. Cybercriminal attacks like ransomware can extort millions from companies and force costly security overhauls. Large-scale smuggling of untaxed goods (cigarettes, drugs, etc.) robs governments of revenue and can flood markets to harm local industries. State-sponsored money laundering operations distort real estate and financial markets (infamous cases like Russian “dirty money” inflating London’s property prices have socio-economic ripple effects). Sabotage of energy infrastructure or logistics (e.g. bombing a rail line or shutting down a pipeline) can disrupt trade and spike prices, hurting the target’s economy. One explicit goal for Russia has been to drive up the cost of supporting Ukraine – e.g., forcing Europe to spend more on security and incident response due to a wave of hybrid disruptions. Europol notes that modern organized crime’s destabilizing effects “spill over into wider society”, potentially affecting foreign investment and economic confidence in vulnerable regions. By straining law enforcement and emergency services with surges in organized crime, adversaries aim to exhaust the state’s resources and attention, a classic war of attrition via internal disorder.
Military and Security Disruption: Using criminal proxies is also a way to directly impede an opponent’s military capabilities and security coordination. During the ongoing Ukraine war, Russian-aligned smugglers have helped acquire embargoed components for Russia’s military (drones, microchips, etc.), weakening the impact of EU sanctions. Simultaneously, criminals have been deployed to sabotage rail shipments, arms depots, and even to spy on or infiltrate military bases in Europe. By “weaponizing illegal immigrants” (as noted in one analysis of Russian tactics) or causing refugee surges, aggressors can also tie down border guards and sow inter-allied tensions. The overall strategic goal is to weaken Europe’s coordinated response – for instance, deterring countries from aiding Ukraine or participating in NATO operations by making them pay a price at home (through sabotage or terror). It is also a form of psychological warfare: a string of mysterious incidents creates paranoia about enemy infiltration everywhere, potentially leading to political backlash or overreach (e.g. crackdowns that then inflame civil liberties debates).
Intelligence Gathering and Covert Access: Organized crime networks offer alternative pathways for espionageand covert action. Criminals can obtain things spies want: forged documents, smuggling routes for personnel or equipment, access to illicit marketplaces, or relationships with corrupt insiders. State intelligence may piggyback on criminal networks’ global logistics – for example, Iranian agents reportedly leveraged a drug gang’s routes to smuggle a bomb into Western Europe in 2018 (a plot foiled in France). In another case, a Moroccan-Belgian criminal gang was hired by Iran to eliminate dissidents in the Netherlands. These examples show states outsourcing espionage tasks (surveillance, covert transport, targeted violence) to those who already operate in the shadows. Cybercriminal forums similarly can serve as hunting grounds for state recruiters seeking hackers or data brokers. Russia’s intelligence has long worked with hackers-for-hire – groups like Cozy Bear or criminal malware authors who suddenly perform nation-directed hacks when “patriotic duty” calls. Also, by observing or penetrating criminal groups, a hostile state can gather intelligence on European security measures, profit from stolen data (which can be used for blackmail), or even use criminals as unwitting informants. Essentially, criminal networks are “eyes and ears” on the ground that can be co-opted by foreign agencies with relative ease, especially in countries where those networks overlap with diaspora from the hostile state.
Maintaining Strategic Depth (Circumventing Direct Confrontation): Using criminals in hybrid warfare allows state actors to hit their adversaries indirectly, reducing the risk of a direct military confrontation with NATO/EU. It keeps conflict in the ambiguous grey zone. For example, if Russia can cause chaos in Poland via hired criminals, it undermines a NATO member without triggering Article 5 collective defense, since a train derailment by “criminal saboteurs” is not formally an armed attack by a state. This indirect approach aligns with Russia’s longstanding doctrine of “active measures” and reflects a cost-benefit strategy: maximum effect for minimal overt engagement. The ability to strike anonymously also has a deterrent effect on Europe – it signals that “we can reach you anywhere” while leaving European leaders struggling to attribute and respond within legal bounds. Meanwhile, the sponsoring state can always publicly deny involvement or dismiss incidents as internal European problems. This ambiguity can stoke conspiracy theories and divisions within the target countries (“enemy within” narratives), furthering the attacker’s propaganda goals.

State-organized crime collaborations serve a multi-pronged strategy: to degrade Europe’s political unity, sap its economic strength, impede its defense posture, gather valuable intelligence, and do all of this while minimizing direct accountability. As Europol succinctly put it, “hybrid threat actors exploit criminal networks for deniability and political or economic gain, while criminals benefit from protection, advanced tools and profit”. It is a symbiotic relationship aimed squarely at the heart of Europe’s security and society.

Digital Infrastructure as a Force Multiplier: The connectivity of the modern world allows state-backed criminals to coordinate and operate across borders with unprecedented ease. The internet and encrypted communications have become the “primary theatre” for criminal operations. This has several implications:

Remote Recruitment & Coordination: Hostile handlers can now recruit agents without ever meeting face-to-face. Russian intelligence, for example, actively scouts for operatives on Telegram and dark-web forums, posing as anonymous “job posters” offering money for small tasks. Ukrainian refugees in Europe have been approached via social media with offers to earn cash by doing seemingly innocuous odd jobs (like photographing a location or spraying graffiti), which then escalate to arson or espionage. The “gig-economy” model of sabotage means instructions, maps, and payments can all be transmitted digitally with encryption, keeping the masterminds far in the shadows. Additionally, coordination of multi-country networks is facilitated by secure group chats, coded language, and cryptocurrency transactions, making it harder for authorities to intercept plots in time. Europol notes this digital shift “enhances security for Moscow while providing greater plausible deniability”, since there are no physical meetings or paper trails to trace back.
Cybercrime Tools and Anonymity: Modern criminals leverage the dark web, malware, and hacking toolkits that can be easily shared or rented online. States can tap into these crimeware services (“crime-as-a-service”) to conduct operations. For instance, ransomware developers offer their malware on underground forums; a state actor could anonymously commission an attack on a European hospital by partnering with such criminals and splitting the ransom profits. Digital markets also allow large-scale trade in illicit data (personal info, passwords) which can fuel targeted phishing or influence campaigns. The anonymity provided by cryptocurrencies and blockchain has been a boon: Russia reportedly trains operatives in using crypto to move funds covertly under sanctions. Iran’s hackers similarly use crypto theft to finance ops. While blockchain transactions are traceable in theory, sophisticated mixers and DeFi platforms can obfuscate money flows. This means a European police investigator might see money flowing to a saboteur but struggle to attribute it to, say, an FSB officer sitting in Moscow. Digital wallets, encrypted messengers, deepfake identities, and even drone technology (as seen in smuggling contraband across borders) all empower relatively small criminal cells to have outsized impact at a state’s behest.
Information Operations & Cyber-Sabotage: Digital infrastructure itself is a target in hybrid war. State-sanctioned criminals engage in cyber sabotage – from hacking power grids to meddling in rail signaling systems. Europe has endured disruptive cyber incidents (like ransomware on a German oil distributor in 2022 and a hospital in France in 2023) that officials tied to state actors piggybacking on criminal malware groups. Furthermore, disinformation often rides on the back of cybercrime – for example, the “Doppelganger” operation in 2022 cloned European news sites to spread false narratives, an influence op likely facilitated by criminal hacking of web domains. Social media manipulation can also involve criminal botnets or troll farms which operate in a legal grey zone. All of this is enabled by the open and free nature of Europe’s digital sphere, which adversaries abuse. The EU’s own new internal security strategy concedes that “hostile foreign states… use crime as a service and criminals as proxies”through online means, taking advantage of Europe’s reliance on third-party digital suppliers and platforms.

Corruption as the Gatekeeper: If digital tech is the engine, corruption is the grease that allows criminal networks to penetrate and function within European states:

Bribery and Infiltration: Corruption provides entry points for foreign criminals to operate. Bribed border guards wave through smuggled weapons; paid-off local police turn a blind eye to trafficking; corrupt officials leak confidential data or even state secrets (as seen in a 2023 Dutch case where an insider stole classified intel, possibly for a foreign client). In the worst cases, organized crime can capture parts of the state – for example, the infamous case of Montenegro’s longtime ruler being linked to cigarette smuggling networks showed how a government itself might align with criminal interests, something Russia could then exploit. Foreign spies often use corruption to neutralize defenses: offering cash or favors to a low-paid guard to access a facility, or to an IT worker to implant malware. This was starkly demonstrated in 2023 when German authorities arrested a Bundeswehr officer alleged to have passed sensitive military info to a contact with ties to Russia, possibly lured by money or ideology. Political corruption is especially dangerous: if politicians are compromised by illicit funds (say, campaign donations from an oligarch’s shell company), they may become de facto agents of influence, pushing agendas favorable to the hostile state from within democratic institutions. Europol’s SOCTA 2025 warns that “organised crime is infiltrating public institutions, manipulating procurement processes and eroding governance”, which directly threatens national security.
Money Laundering Infrastructure: Europe’s financial system, despite anti-money laundering laws, still offers many havens for dirty money – luxury real estate, private investment funds, anonymous trusts, and even “golden passport” schemes. This financial opacity enables hybrid actors to wash and move funds that fuel their operations. It also enables funding of local proxies (e.g. extremist groups, NGOs, media outlets) under innocuous fronts. The Kremlin’s agents have used European banks to channel money to front organizations that stir unrest – uncovered examples include funding to far-right groups, or rubles funneled via cryptocurrency to support anti-Ukraine propaganda events.
Weak Rule of Law as an Invitation: Countries with weaker judicial systems or politicized law enforcement become preferred grounds for hybrid operations. If prosecutions of organized crime or foreign espionage stall due to corruption or fear, the cost of conducting such operations is low for the perpetrators. High-profile assassinations of exiles in Western Europe (e.g. Russia’s hit on Chechen dissidents in Germany, or Iran’s on Dutch soil) at times went initially unpunished, sending a signal of impunity. This changed as awareness grew, but differences remain. For instance, some Balkan states rarely prosecute locals with strong political connections, even if there is evidence of acting as Russian agents, whereas countries like Poland or the Baltics have aggressively rooted out spy networks post-2022, raising the risk for criminals there. Adversaries will gravitate towards environments that tolerate a degree of extralegal activity. Hence, strengthening governance and anti-corruption measures is now seen as integral to countering hybrid threats. The EU’s ProtectEU strategy explicitly calls for rapid implementation of the new EU Anti-Corruption Directive and stresses that “seizing assets and confiscating criminal gains is essential” to deter those who enable foreign interference.

In sum, digital infrastructure provides the global reach and anonymity that allow state-criminal collaborations to thrive, while corruption provides the local access and impunity that allow them to burrow into target societies. European security experts conclude that tackling hybrid warfare requires tackling these enablers: closing the digital loopholes (through stronger cyber defenses, platform regulation, cryptocurrency oversight) and closing the corruption loopholes (through transparency, tougher AML enforcement, and cultural changes in governance).

Recognizing the severity of this “crime-hybrid” threat, European governments and institutions have started mounting a multi-level response since 2022. Key efforts include:

1. Strategic Recognition and Policy Frameworks: The first step has been officially acknowledging the nexus of organized crime and hybrid warfare in strategy documents and threat assessments. Europol’s SOCTA 2025 (Serious and Organised Crime Threat Assessment) for the first time highlights that “criminal organizations are no longer just a public safety threat, but are increasingly undermining European institutions and society” – even serving as “proxies for hostile state actors in hybrid operations.”. This sea-change in analysis, echoed by national agencies like the Dutch NCTV, has informed a new European Internal Security Strategy (2025) known as “ProtectEU.” Unveiled by the European Commission in April 2025, ProtectEU explicitly prioritizes resilience against hybrid threats, calling out the need to “protect critical infrastructure, reinforce cybersecurity, and combat crime-as-a-service” used by foreign adversaries. It notes that “hostile states… use crime as a service and criminals as proxies” to infiltrate and disrupt, and it advocates a “whole-of-society” approach to counter this. The strategy includes plans to overhaul Europol’s mandate to become a more operational force against transnational crime and espionage, enhance intelligence sharing among countries, and integrate efforts against organized crime with those against state threats. At NATO, although traditionally focused on military threats, there’s growing emphasis on hybrid defense and resilience (e.g., protecting undersea cables, countering cyber-attacks, etc.), which inherently involves clamping down on illicit networks that could aid enemy operationsi .

2. Law Enforcement Operations and Coordination: On the ground, European law enforcement has ramped up joint operations to bust spy-crime networks. Many recent successes illustrate this collaborative approach:

In Poland, a major bust in 2023 dismantled the aforementioned Russian spy ring targeting railways; authorities revealed it was uncovered through coordinated intelligence work and led to multiple arrests of foreign agents and corrupt insiders.
In the UK, a long-running investigation (involving MI5 and police) culminated in 2023 with the arrest of five Bulgarians spying for Russia, who were prosecuted under espionage laws – notably one of the first times a purely espionage case linked to organized crime was brought to a UK court. They each received hefty prison sentences (~8–11 years), sending a message that such hybrid agents will face severe penalties.
Baltic states and Germany have foiled numerous plots (arsons, sabotage) by using surveillance and tip-offs; for instance, Lithuanian prosecutors in 2024 publicly attributed a series of arson attacks to the Russian GRU, indicting the caught perpetrators for terrorism rather than just arson. This framing legally acknowledges the political intent behind the crime.
Europol has created specialized analysis projects to track state-threat actors in conjunction with organized crime. There are likely classified Europol/intel fusion cells focusing on the “shadow alliance” networks, ensuring information on suspects (e.g. dual-use smugglers or known proxy recruiters) is shared across borders. The European Multidisciplinary Platform Against Criminal Threats (EMPACT) has also started to incorporate hybrid threat scenarios into its priority plans, which traditionally target areas like drug trafficking or human smuggling. By bridging counterintelligence with organized crime policing, Europe is breaking silos that previously let state proxies slip through the cracks.

3. Legal and Regulatory Measures: European states are updating their laws to better address this hybrid challenge:

Foreign Interference Laws: Several countries (France, Germany, the UK, etc.) are introducing or strengthening laws against foreign interference that criminalize activities done on behalf of a foreign power to coerce or corrupt domestic institutions. These laws can cover acts like those of criminal proxies, even if they don’t neatly fit treason or espionage definitions. For example, the UK’s new National Security Act (2023) created a register for foreign influence arrangements and harsher sentences for those acting under foreign direction, which would apply to, say, a gang member paid by a foreign agent to commit sabotage.
Anti-Money Laundering (AML) and Sanctions Enforcement: The EU is accelerating efforts to crack down on illicit financial flows. The upcoming EU Anti-Money Laundering Authority (AMLA), set to be operational by 2026, will coordinate high-profile cases and enforce standards. The EU has also expanded its sanctions regime to include cyber attackers and disinformation spreaders, which by extension can include some criminal groups. For instance, in 2023 the EU sanctioned several individuals and entities involved in ransomware attacks linked to Russian intelligence. Freezing their assets and cutting off their financing globally makes it harder for them to operate. The EU has likewise tightened customs checks and export controls to detect sanction circumvention (e.g. scrutinizing abnormal trade surges through Central Asia, as analysts recommended using AI to flag “suspicious spikes in exports to Russia’s neighbors” that indicate re-export schemes). This “follow the money”approach aims to starve hybrid operations of resources.
Critical Infrastructure Protection: New regulations like the NIS2 Directive (on network and information security) and the Critical Entities Resilience (CER) Directive have been adopted, requiring member states and companies to harden defenses in energy, transport, finance, and health sectors. This indirectly counters hybrid tactics by making sabotage (physical or cyber) more difficult and by mandating contingency plans. The EU is also establishing rapid response teams for hybrid threats – including cyber teams that can be dispatched to a member state under attack (something trialed after the Ukraine power grid hacks, now being formalized).
Targeting Corruption: Recognizing corruption’s role, the EU has put forth a Anti-Corruption Directive and related measures (mentioned in ProtectEU) urging members to strengthen anti-graft bodies, protect whistleblowers, and harmonize the criminalization of corrupt acts. If passed, this would facilitate cross-border investigations (so a bribe that crosses borders can be pursued by joint teams) and reduce safe havens. Some countries, like Bulgaria and Malta, have come under heavy EU pressure to reform their judiciaries and banking oversight, precisely because their weaknesses are seen as opening for hybrid meddling.

Expulsions and Sanctions on Intelligence Officers: Since 2022, over 400 Russian intelligence officers operating under diplomatic cover in Europe have been expelled. This not only directly reduces espionage but forces Russia to rely on riskier criminal proxies who are easier to catch. Countries are also more aggressively barring entry to known organized crime figures linked to adversaries (e.g. issuing travel bans against certain Russian oligarchs, Chechen warlords, or Serbian mob bosses known to collaborate with Russian intelligence).
Surveillance of Key Nodes: Security services have increased surveillance on sectors where criminal and state interests intersect – for example, monitoring private Russian businessmen in Europe who might be funneling money to proxies, or surveilling far-right extremist circles for sudden contacts with suspected foreign agents. NATO and EU are investing in monitoring critical undersea infrastructure with drones and patrols to deter tampering by “mystery” vessels.
Military-Civil Cooperation: In some cases, militaries are getting involved in domestic resilience. For instance, after sabotage threats, countries like Norway and the UK had their navies assist in guarding pipelines and cables. France’s preparations for the 2024 Olympics included military cyber units helping civilian authorities to prevent possible hybrid disruptions. Such civil-military fusion is key in a hybrid war environment where threats cut across traditional jurisdictions.

5. Capacity Building and Public Awareness: For instance, Europol and national cyber agencies share indicators of compromise from state-backed cybercriminal attacks so that companies can beef up defenses. Anti-corruption NGOs and investigative journalists (like Bellingcat and OCCRP) are being quietly supported as they expose criminal networks tied to foreign regimes, thus shining light on shadowy alliances and reducing their freedom to operate. Notably, consortiums of journalists have uncovered schemes like the *“Pegasus” spyware abuses and Wagner Group operations in Africa, which indirectly help European authorities build cases against those networks.

Criminal networks have become entrenched in the playbooks of hybrid warfare against Europe. By leveraging illicit actors – from hackers and smugglers to hitmen – adversarial states can strike at Europe’s cohesion and security in insidious ways, all while feigning innocence. The period from 2022 onward has demonstrated the reality of this threat: sabotage campaigns on European soil directed by Moscow, assassination plots in Western cities traced to Tehran, clandestine “policing” of diaspora by Beijing’s criminal contacts, and more. These actions exploit our open societies and systemic vulnerabilities (whether a corrupt official or an insecure network) to achieve what overt military aggression cannot.

Yet, Europe is neither blind nor helpless in the face of this challenge. Awareness has sharpened, and a holistic counter-hybrid strategy is taking shape – one that targets the “shadow alliance” between state and organized crime. This involves not just reactive law enforcement, but proactive resilience: cleaning up corruption, tightening financial oversight, fortifying cyber defenses, and building international coalitions to hold perpetrators accountable. Crucially, it requires blurring the lines back – i.e., integrating efforts across intelligence, defense, and criminal justice – to mirror the adversary’s integrated approach. As Europol’s Catherine De Bolle noted, this is “not just a law enforcement challenge; it is a direct threat to our economy, our societies, and our future”. Safeguarding Europe therefore means treating organized crime and hostile state activity as a unified menace to be confronted with unity and resolve. The fight against the mafia and the fight against foreign aggression have converged. By addressing both together, Europe can disrupt the dark webs that seek to ensnare it, and in doing so, protect the rule of law and stability of its nations.

Russian intelligence has been enlisting members of the Russian diaspora in Europe who own businesses to help evade sanctions and funnel dual-use goods to Russia. In October 2024, for example, Spanish police in the Port of Barcelona seized 13 tons of the solvent N-methyl-2-pyrrolidone (NMP). Shipments of NMP to Russia have been banned since the full-scale invasion of Ukraine because the chemical can be used to produce nerve agents or explosive mixtures.