From Intelligence Officers to Disposable Agents
Between February 2022 and February 2026, European authorities documented at least 151 sabotage incidents linked to Russian intelligence services. The tally, compiled jointly by the International Centre for Counter-Terrorism and GLOBSEC, represents only cases where completed investigations allow confident attribution. The actual number is almost certainly higher. Germany alone recorded 320 suspected sabotage attempts in 2025.
What makes this campaign structurally distinct from previous Russian intelligence operations is not the volume of attacks. It is the operational model. After European governments expelled over 600 Russian intelligence operatives from embassies across the continent starting in 2018, Moscow lost its traditional infrastructure for conducting clandestine operations on European soil. The GRU adapted by outsourcing sabotage to criminal networks, petty offenders, and economically vulnerable individuals recruited through encrypted messaging platforms. The result is a state-directed terrorism campaign executed by people who often do not know they are working for Russia.
The Operational Architecture
European security agencies attribute the campaign primarily to GRU Unit 29155, a specialized military intelligence unit responsible for assassinations, coups, and sabotage operations abroad since at least 2008. Unit 29155 gained international attention after the 2018 Novichok poisoning of Sergei Skripal in Salisbury, England. The unit operates under the GRU’s Service for Special Activities, overseen by deputy GRU head Andrei Averyanov, who also coordinates Russia’s Africa Corps operations following the restructuring of the Wagner Group.
The ICCT-GLOBSEC database identified 131 individuals involved in the 151 documented incidents. At least 35 had criminal backgrounds. The typical recruit was a man in his 30s, often from a post-Soviet state, Russian-speaking, and living in precarious economic conditions. Recruitment occurred through Telegram and similar encrypted platforms, as well as through kinship and friendship networks that created small, resilient cells capable of acting locally while crossing borders to obscure attribution.
The financial incentives were minimal by intelligence standards but meaningful to the recruits. Payments ranged from a few hundred euros for vandalism or graffiti to larger sums for arson attacks on critical infrastructure. Compensation was typically delivered through cryptocurrency or untraceable methods. The recruits were, in intelligence terminology, “disposable agents” designed for single use: execute one task, collect payment, disappear. If caught, the trail leads to a petty criminal, not to Moscow.
Target Selection and Geographic Distribution
The ICCT-GLOBSEC data reveals a clear pattern in target selection. Poland recorded the highest number of incidents overall. France saw a sharp rise, reaching 20 confirmed cases. Lithuania and Germany each registered 15 incidents, the United Kingdom 12, and Estonia 11. The researchers concluded that support for Ukraine was the single most important factor shaping which countries were targeted. Poland, France, Germany, and the United Kingdom together accounted for more than half of all identified incidents. The Baltic states, which Russia considers part of its “near abroad,” represented nearly one-fifth of all recorded cases.
Target categories break down into several clusters. Roughly 27 percent of attacks targeted transportation infrastructure, including railway lines used for shipping military equipment to Ukraine. Another 27 percent targeted government facilities, including military bases involved in training Ukrainian forces. Twenty-one percent hit critical infrastructure such as undersea cables, energy systems, and communications networks. The remainder targeted commercial and industrial sites, including defense manufacturers and logistics facilities.
The geographic distribution also reveals an interesting gap: relatively few incidents occurred in Scandinavian countries despite their substantial support for Ukraine. The ICCT-GLOBSEC researchers hypothesized that Russia may have subcontracted some Scandinavian operations to Iran, which has its own crime-terror assets capable of operating in Northern Europe.
Russia-Linked Sabotage in Europe, 2022-2026
Total Confirmed Incidents: 151 (Feb 2022 – Feb 2026)
Identified Perpetrators: 131 individuals; 35+ with criminal backgrounds
Most Targeted Countries: Poland, France (20), Lithuania (15), Germany (15), UK (12), Estonia (11)
Primary Targets: Transportation (27%), government (27%), critical infrastructure (21%)
Year-Over-Year Trend: Fourfold increase in sabotage operations from 2023 to 2024
Estimated Financial Damage: Hundreds of millions of euros in direct physical damage (2022-2025)
Sources: ICCT-GLOBSEC Database (Feb 2026) · CSIS · S&P Global
Case Studies: The Network in Action
Several incidents illustrate how the GRU’s criminal proxy model operates across borders.
In September 2024, a GRU-orchestrated network attempted two arson attacks in Lithuania targeting a manufacturer of military equipment destined for Ukraine. The first attempt was carried out by a Spanish citizen and a dual Spanish-Colombian citizen. The second involved a Russian and a Belarusian citizen who had traveled from Spain but failed to ignite the equipment. A Cuban citizen was dispatched separately to assess the damage. The perpetrators were linked to a broader Colombian network that had carried out similar arson attacks in Poland, the Czech Republic, and Romania. The operational chain spanned four countries, used five nationalities, and connected to a Colombian intermediary based in Spain.
In November 2025, a suspected sabotage attack struck sections of railway on the Warsaw-Lublin corridor near Mika, Poland, a route used for transporting goods to Ukraine. Polish authorities said the suspects chose their target carefully: a viaduct positioned before a curve in the track where a derailment could have killed dozens. Poland launched Operation Horizon in response, deploying up to 10,000 military personnel to protect rail corridors, logistics hubs, and critical sites.
In the United Kingdom, a 2024 arson plot targeted a Ukrainian-linked warehouse complex in east London. Three men were convicted under the National Security Act for setting fire to the facility, which had been involved in supplying protective equipment to Ukraine. Investigators traced the operation back to Russian intelligence. The UK case demonstrated that the criminal proxy model could function in Western European countries with sophisticated counterintelligence capabilities, not only in the Baltic states or Eastern Europe where Russian-speaking networks are more established.
A separate campaign involved self-igniting parcels shipped through commercial logistics networks. In 2024, packages containing flammable magnesium compounds, shipped from Lithuania via the Ukrainian courier service Nova Poshta, ignited at DHL warehouses in Germany, Poland, and Britain. In October 2025, Polish and Romanian authorities thwarted a similar Russian plot to send incendiary parcels intended to detonate at logistics facilities in Bucharest. The use of commercial courier services as delivery mechanisms for sabotage devices represents an exploitation of civilian infrastructure that mirrors the sabotage patterns observed in other domains of hybrid warfare.
Why Criminal Proxies Work
The shift to criminal proxies offers Russia several operational advantages that traditional intelligence networks cannot match.
Plausible deniability scales with distance from the state. When a GRU officer conducts an operation and is caught, attribution is immediate and politically costly. When a Colombian petty criminal recruited through Telegram sets fire to a Lithuanian warehouse, the chain of attribution extends through multiple intermediaries, jurisdictions, and legal systems. Even when investigators trace the operation back to Russian intelligence, the evidentiary standard required for formal diplomatic consequences is significantly higher.
The recruitment pool is effectively unlimited. Economically vulnerable individuals in Moldova, Serbia, Bulgaria, and increasingly Latin America represent a labor market that Russian intelligence can access at minimal cost. S&P Global estimated that the sabotage campaign caused hundreds of millions of euros in physical damage between 2022 and 2025, while the per-operation cost to Russia was often measured in hundreds of euros. This asymmetry in cost and effect is the defining feature of the model.
Disposable agents are replaceable in ways intelligence officers are not. Training a GRU officer takes years. Recruiting a criminal proxy through Telegram takes days. When European authorities arrest one network, another can be assembled from the same recruitment pool using the same methods. Oscar Jonsson’s Russian Hybrid Warfare documents how Moscow has systematized this approach into a repeatable operational framework that survives the loss of individual agents or cells.
The model exploits Europe’s structural openness. Free movement within the Schengen Area, the accessibility of encrypted communications, and the fragmentation of European law enforcement across national jurisdictions all favor the attacker. A saboteur recruited in Moldova can travel through multiple EU countries before executing an operation in Lithuania or Poland, with each border crossing complicating the investigative trail. The broader pattern of Russia recruiting foreign nationals for its operations extends beyond Europe’s borders.
Europe’s Response Gap
European counter-sabotage efforts remain largely reactive and nationally fragmented. GLOBSEC’s January 2026 analysis concluded that Europe still lacks credible hybrid deterrence. Incidents of sabotage, cyberattacks, and information operations are still treated more often as isolated crimes than as elements of a coherent Russian doctrine. The failure to establish clear deterrence thresholds for hybrid warfare has created a strategic vacuum that Russia continues to exploit.
There have been meaningful responses. Poland’s Operation Horizon deployed thousands of military personnel to protect infrastructure. The EU imposed Foreign Information Manipulation and Interference sanctions in January 2026. The UK used its National Security Act to prosecute the London warehouse arson. Murray and Mansoor’s Hybrid Warfare: Fighting Complex Opponents argues that successful responses to blended campaigns require sustained institutional commitment, a pattern that European democracies have historically struggled to maintain across election cycles.
But the overall approach remains defensive. Counter-sabotage responses are coordinated nationally rather than across the EU, and multinational prevention measures have proven too costly and resource-intensive to replicate at scale. As long as sabotage operations remain cheap for Russia and expensive for Europe to prevent, the incentive structure favors continued escalation. Singer and Brooking’s LikeWar details how information operations amplify the psychological impact of even minor physical attacks, making each incident more effective at eroding public confidence than the material damage alone would suggest.
The Campaign Is the Strategy
The critical analytical error in assessing Russia’s sabotage operations is treating each incident as a separate event. The Russian sabotage campaign across Europe is not a collection of random attacks. It is a coordinated strategy with clear objectives: degrade NATO’s ability to supply Ukraine, increase the domestic political cost of supporting Kyiv, and demonstrate that European security can be penetrated at will below the Article 5 threshold.
The GRU’s crime-terror nexus represents an institutional adaptation to strategic constraints. Deprived of traditional intelligence infrastructure, Moscow built a new operational model that is cheaper, more deniable, and more resilient than its predecessor. The model draws on Russia’s long history of subversion and espionage, but applies these capabilities through a fundamentally different delivery mechanism.
The question facing European security planners is not whether Russia will continue these operations. It is whether the current defensive posture can impose sufficient costs to alter Moscow’s risk calculus, or whether the campaign will continue to expand as Russia tests the limits of what Europe will tolerate.
Sources and Further Reading
The ICCT-GLOBSEC joint database, updated in February 2026, provides the most comprehensive open-source accounting of Russia-linked sabotage incidents across Europe, including perpetrator profiles, recruitment methods, and geographic distribution. CSIS published a database and analysis of Russia’s active measures documenting how the GRU’s organizational structure drives the sabotage campaign. The Atlantic Council’s analysis of Russia’s shadow war against Europe examines Poland’s Operation Horizon and the broader challenge of defending infrastructure against state-sponsored sabotage. CISA’s joint advisory with the FBI and NSA provides technical details on GRU Unit 29155’s cyber operations, including the WhisperGate malware campaign. S&P Global’s risk assessment of Russia-directed sabotage projects continued escalation in 2026 with increased activity expected as European defense investment expands.


