Responding to Russian Sabotage Financing
Financing is an important yet overlooked element of Russian sabotage in Europe: it can act as both a facilitator and a tool of response.
Introduction
Sabotage is a key tool of hybrid warfare – and its use is growing. Since 2022, NATO member states have witnessed a marked increase in hybrid operations that have been attributed to Russian military intelligence. There were three times the number of these attacks in 2024 compared with the previous year: the Center for Strategic and International Studies identified 34 incidents of arson or serious sabotage in 2024, compared with 12 in 2023 and just two in 2022. The EU’s ProtectEU strategy and the UK’s National Security Strategy, both published in 2025, emphasise the risks posed by sabotage as part of a broader re-evaluation of the threat landscape.
Russian sabotage covers a range of activity, from intensive operations such as damaging undersea cables to the barrage of low-level attacks against civilian and military targets. Such low-level attacks – the focus of this paper – are often carried out by ordinary individuals who are recruited via encrypted messaging apps and paid in cryptocurrency.
Financing can be part of both the problem and the solution: it can facilitate sabotage and be a tool of response. This paper is based on discussions held at an expert workshop held in Warsaw in November 2025 which grappled with two central questions: how is finance linked to sabotage, and how can the public and private sectors leverage finance to address the sabotage challenge?
Scope and Methodology
In this paper, ‘sabotage’ refers to deliberate, hostile acts intended to weaken, disrupt or undermine a state’s security, infrastructure or societal cohesion. This work focuses on a specific subset of sabotage: operations targeting predominantly civilian, ‘soft’ infrastructure and carried out by civilians recruited through a contemporary ‘gig-economy’ model. This encompasses both direct actions (such as arson, attempted bombings and reconnaissance) and symbolic actions (including vandalism) that are designed to inflame social tensions or erode trust in public institutions.
Sabotage, in this sense, does not require immediate physical damage: preparatory activities such as photographing infrastructure, collecting information on supply routes or couriering cash and materials are included if they form part of an operational chain in support of hostile intent.
The financing of such activity was first assessed by RUSI’s Centre for Finance and Security (CFS) as an active financial measure at a meeting convened in Brussels in October 2025, and explored in the subsequent workshop report. The expert workshop convened in Warsaw by the CFS and the Polish Institute of International Affairs in November 2025 reinforced the salience of this new form of sabotage, with a specific focus on finance. It gathered representatives of law enforcement, academia and investigative journalism, as well as policy experts. This paper reflects the major themes that were discussed at the November 2025 workshop, without attributing views to individual participants. Unless otherwise indicated, statements in this paper reflect points raised during the discussions. To provide further context and substantiate workshop observations, this paper grounds discussion in both the existing literature and open source material, and makes use of complementary semi-structured expert interviews conducted by the authors with blockchain analytics providers. The authors acknowledge the limitations of the available data, including ambiguity around attribution, legal constraints on disclosure, and gaps in financial information.
Attribution of Sabotage
At the EU level, there is currently no single statutory provision with a comprehensive legal definition that captures both direct and symbolic forms of sabotage. EU legislation in this area tends to refer to sabotage only indirectly; it usually describes situations where essential systems are disrupted or harmed, instead of giving a clear, detailed definition of the term.
However, the legal and political salience of sabotage is changing. The Polish prime minister described the November 2025 attack on the Warsaw–Lublin railway line as ‘an unprecedented act of sabotage’ and, within days, publicly attributed it to Russian intelligence services. This reflects a broader trend: states that experience Russian-linked sabotage – particularly NATO’s eastern-flank countries – more often attribute responsibility to Russia, and do so more quickly and explicitly, than many Western European states, where political and legal caution over attribution remains more entrenched.
Effective responses to sabotage – including efforts to counter its financing – depend heavily on how incidents are defined and attributed. Attribution determines which policy, legal and financial tools can be deployed. In recent cases of Russian-linked sabotage, attribution is complicated by the methods employed. Evidence suggests that Russian security services increasingly rely on intermediaries and ‘disposable agents’, many from Ukraine, to execute sabotage tasks. If such incidents are treated purely as the actions of individual Ukrainians, this could fuel anti-Ukrainian sentiment and erode public support for Kyiv – a strategic aim of sabotage operations. This practice also undermines the application of penalties proportionate to the strategic nature of the threat when compared with, for instance, acts of terrorism.
These dynamics add an additional hybrid-warfare and disinformation layer to sabotage campaigns: operational effects on infrastructure are combined with efforts to fracture social cohesion and weaken political solidarity. The low-level nature of much of the activity – along with the commensurately low-level consequences for the perpetrator – reduces the deterrent effect on individuals who undertake such activities for profit.
Highlighting the conceptual challenges of the threat of sabotage – including definitional ambiguities and the complexities of attribution – is essential. A lack of understanding of these issues continues to hinder evidence-based analysis and impede the design of effective policy responses.
Sabotage as a Threat to NATO: Examples of Sabotage Attacks
The recent surge of incidents, investigations and operational insights discussed by workshop participants indicates that Russian-linked sabotage has evolved into a systematic and geographically targeted threat. While individual incidents may appear low-level or opportunistic, collectively they suggest the emergence of a broader campaign designed to raise the cost of supporting Ukraine, test the red lines of NATO states and erode public trust in Western national security systems. The examples below illustrate both the range of attack types and the diversity of agents involved.
Arson and Attacks on Civilian Infrastructure
Arson remains one of the most frequently observed methods of sabotage. In Poland, authorities have pursued an increasing number of arson-related cases since 2023, with many attempts disrupted before execution. Publicly documented cases include successful attacks on a restaurant in Gdynia, a pallet warehouse near Warsaw and the Marywilska 44 shopping centre in Warsaw. Foiled plots include those against a US-owned paint factory in Wrocław and other storage facilities. Workshop participants noted that Ukrainian and Belarusian nationals frequently appeared among those recruited for these tasks; participants interpreted this as part of Russia’s wider strategy to generate social tension and undermine public support for Ukrainian refugees and migrants.
The most recent example occurred in November 2025, when Polish authorities attributed an explosion on the Warsaw–Lublin railway line – a key route for transporting aid to Ukraine – to actors working with Russian intelligence. Officials reported that two Ukrainian nationals suspected of involvement fled to Belarus, while several others were detained. The incident prompted Poland to close the last Russian consulate remaining on its territory and deploy thousands of soldiers to protect critical infrastructure. Senior military figures publicly warned that hostile actors may view the Christmas period as a favourable window for further operations, and the government announced plans for a public-facing app that would enable citizens to report suspicious activity.
Parcel Bombs and Attacks on Logistics Chains
Several NATO states have confronted plots involving parcel bombs or explosives routed through civilian logistics systems. In Germany, authorities recently disrupted a plot involving three Ukrainian nationals preparing parcel bomb attacks against cargo routes while transporting goods from Germany to Ukraine. Although the attacks were prevented before execution, the case mirrors earlier incidents in the summer of 2024, when packages sent from Lithuania detonated at DHL facilities in Leipzig, Warsaw and Birmingham. As highlighted by workshop participants, these explosions illustrate how seemingly detached, low-scale attacks can have disproportionate systemic effects: following the incidents, cargo operators and aviation authorities implemented enhanced security protocols, altering standard procedures across parts of the logistics and aviation sectors.
Reconnaissance and Vulnerability Testing
A growing number of cases involve reconnaissance, courier roles or other preparatory tasks that test the responsiveness of security authorities. These include: installation of hidden cameras along military and humanitarian supply lines in Poland; surveillance of Ukrainian targets in Germany; coordinated bomb threats across Baltic countries; and multi-year spy networks operating across the UK and continental Europe.
Although such assignments have no immediate physical effect and do not create any immediate disruption, they enable adversaries to map procedures, identify weak points in border and infrastructure security, and gradually recruit individuals into broader networks.
Vandalising Symbolic Sites and Shaping Local Narratives
A distinct strand of activity involves acts of vandalism targeting symbolic sites, municipal property and community infrastructure. Workshop participants emphasised that although these incidents produce limited physical harm, they serve important operational purposes within the broader sabotage ecosystem. Specifically, they inflame social tensions, undermine trust in local authorities and shape narratives that delegitimise support for Ukraine.
In Lithuania, prosecutors charged three men – who held either Russian or dual Russian and Estonian citizenship – with pouring red paint over a monument to an anti-Soviet resistance leader. This operation was attributed to Russian military intelligence. France has seen some of the most orchestrated symbolic actions: in Paris, two Moldovan nationals admitted to painting dozens of Stars of David across neighbourhoods at the ‘express demand’ of a foreign handler, with more than a thousand Russian-linked bots subsequently amplifying the images online. Two other incidents involved coffins labelled ‘French soldiers of Ukraine’ being placed at the Eiffel Tower and red-hand graffiti on the Paris Holocaust Memorial. Both incidents were linked by French investigators to networks acting on behalf of Russian military intelligence. Estonia also recorded a plot to commit politically targeted vandalism, where 10 individuals were recruited to damage the cars of the interior minister and a journalist.
A workshop participant noted that in one case, investigators discovered that the perpetrator had prepared a social media post in advance of the attack, framing the damage as evidence of public hostility towards the municipality’s support for Ukraine – a common tactic designed to amplify the political impact of a minor incident. Similar patterns emerged in other countries, where vandalism was coupled with pre-planned propaganda narratives or filmed for dissemination on social media platforms.
Participants stressed that these cases must be understood not as isolated acts of nuisance but as deliberate, low-cost operations that contribute to a wider campaign of cognitive and societal disruption. They offer Russia a means of polarising communities, distracting law enforcement and gradually inflating paranoia over support for Ukraine.
Confirmed Multi-Country Sabotage Networks
One of the clearest confirmations of the transnational nature of these activities came in October 2025, when a Polish court convicted three Ukrainian nationals for their roles in a series of sabotage attacks in Poland and the Baltic states. On the same day, a Lithuanian court sentenced another Ukrainian for the arson attack on an IKEA store in Vilnius. These cases were investigated jointly by Polish and Lithuanian authorities, and both attacks were linked to Russia’s secret services. Prosecutors of the Polish case stated that the defendants had been part of an organised group operating across Poland, Lithuania, Latvia, Ukraine and Russia, with the aim of committing crimes related to sabotage. In another Lithuanian case concerning a plot to send via DHL and DPD improvised explosive-incendiary devices from Vilnius to various European countries, 15 people were investigated by a joint team under Eurojust, involving close cooperation between law enforcement and intelligence authorities in Lithuania, Poland, the UK, Germany, the Netherlands, Latvia, Estonia, the US and Canada. These are among the first publicly documented charges for sabotage networks operating across multiple NATO and EU jurisdictions. Proceedings against additional individuals are ongoing.
Another notable exposure of a cross-border network is the May 2025 conviction of a Bulgarian spy ring operating out of a guesthouse in Great Yarmouth, in the UK, under the direction of Jan Marsalek, a fugitive tied to Russian intelligence. Five months later, in October 2025, five men were sentenced for carrying out an arson attack on an East London warehouse that stored aid destined for Ukraine. These cases prove that sabotage activities extend beyond Central and Eastern Europe and are increasingly targeting NATO states.
Diverse Executor Profiles
Across all jurisdictions, the profiles of executors of sabotage are challenging initial assumptions. Workshop participants noted that while some security services initially expected perpetrators to be Russian-speakers or migrants from post-Soviet states, cases have involved a far wider spectrum of executors: Ukrainians unaware of the true nature of their tasks; minors targeted through gaming platforms; older individuals with Soviet military backgrounds; economically vulnerable migrants; and people with links to local criminal networks. One case described during the workshop involved a man in his sixties, formerly serving in the Soviet Navy, who became involved in courier activities in the Baltics and was later found with materials connected to an organised crime killing.
For NATO states, the challenge lies in addressing both the operational risks posed by decentralised attacks and the broader strategic implications of a system deliberately structured to blend criminality, social manipulation and state-directed hybrid warfare.
Participants also noted that in Poland, many of those detained on sabotage-related charges from 2023 to 2025 were Ukrainian nationals – a development interpreted not as evidence of Ukrainian coordination but as part of a deliberate Russian strategy to exploit the presence of Ukrainian migrants, with the aim of provoking public distrust and political tension. At the same time, Russia has invested heavily in youth mobilisation on its own territory. One workshop participant noted that millions of young people are trained in pro-Kremlin youth organisations such as the Youth Army (Yunarmiya), where sabotage is framed as part of preparation for conflict with NATO. The same participant estimated that, when membership in mass youth movements such as Yunarmiya is considered alongside participation in smaller, more elite, state-directed groups, 10–20% of young Russians may be engaged in some form of organised, state-sponsored activity. This scale of mobilisation raises concerns over the future availability of dramatically more willing and less risk-averse executors.
The Recruitment Model: The ‘Gig-Economy Era’ and the Rise of ‘Disposable Agents’
The methods used to recruit and task saboteurs have shifted from Cold War-era reliance on trained intelligence operatives to a model characterised by remote, freelance and highly deniable assignments: the ‘gig-economy era’ of Russian sabotage. Hostile actors now outsource low-cost tasks to disposable individuals (or ‘agents for a day’) recruited online. Three features of this model stand out.
First, recruitment and coordination have moved to digital platforms. Encrypted messaging apps such as Telegram and Viber, along with ad hoc alternatives, have replaced Cold War models of in-person cultivation. Encrypted messaging services like Telegram remain central, but workshop participants also identified the use of mainstream social media platforms, including Instagram, as well as gaming communities on Twitch, which are particularly used to engage young users. In several undercover interactions via Telegram conducted by workshop participants, recruiters required only a copy of a passport or basic personal details, without any verification, before presenting a list of possible tasks and asking the would-be recruit to choose between them.
Second, the model relies on disposable, one-day actors, predominantly motivated by financial incentives. Payments described by workshop participants ranged from a few hundred to a few thousand euros. Several participants noted that executors often do not receive the promised sums, underscoring the degree of disposability. Some participants stressed the importance of awareness campaigns aimed at potential executors, emphasising that if they were to get involved in these schemes, they would be treated by their recruiters as expendable and would not be protected.
Third, the operational logic mirrors wider gig-economy dynamics. The system-level behaviour emerging from the remote tasking of disposable agents enables a geographically dispersed, fragmented campaign which is highly deniable, easy to scale and cheap to maintain. Workshop participants stressed that even unsuccessful actions can achieve sabotage objectives: they sow fear and confusion in Western societies, drain law-enforcement resources, expose vulnerabilities in infrastructure protection and help hostile actors to test response times and escalatory dynamics. The cumulative effect is greater than the individual impact of each action suggests.
This recruitment model represents an adaptive response to the reduced on-the-ground presence of intelligence officers following the expulsions of Russian diplomats after the full-scale invasion of Ukraine. By embracing a distributed network of disposable agents, Russia has created a cost-effective, deniable and difficult-to-map sabotage ecosystem. For NATO states, the challenge lies in addressing both the operational risks posed by these decentralised attacks and the broader strategic implications of a system deliberately structured to blend criminality, social manipulation and state-directed hybrid warfare.
The Financial Dimension: How Financing Enables Recruitment and Operations
The financial dimension sits at the core of Russia’s contemporary sabotage model. Across all the cases analysed by financial intelligence, law enforcement and blockchain specialists, financial incentives remain the dominant factor driving recruitment. Insights from the workshop and subsequent expert interviews reveal that cryptocurrency – the most common payment method for sabotage – is not a sophisticated technical layer in this ecosystem but the functional backbone enabling an anonymous, cross-border payment system at minimal cost.
Financial Motivation as a Key Driver
According to a former Polish intelligence officer, financial gain is the primary driver in approximately 95% of recruitment cases in Poland. In most documented cases, payment mechanisms were straightforward and transactional. Agents recruited through encrypted messaging apps have been offered explicit payments ranging from a few dollars for graffiti to $400 for installing a camera, and up to $10,000 for serious offences such as murder.
One workshop participant revealed that Ukrainian nationals are often offered about 10% of the amounts paid to recruits in Western Europe. As indicated above, in several cases, saboteurs were not paid at all, underscoring their disposability. Workshop participants also noted that ideological motives sometimes reinforce financial incentives, particularly among actors already consuming extremist or pro-Kremlin content.
Cash and Traditional Payment Methods
Despite the growing reliance on cryptocurrency, cash and conventional financial channels continue to play an important role in sabotage financing. Workshop participants noted that Russian networks strategically blend old and new methods.
Several investigations have uncovered payments routed through ordinary bank accounts, often held by intermediaries who appeared to be engaged in legitimate professions. Cases discussed at the workshop involved cash transported physically across borders, money handled by lawyers or intermediaries, and transfers routed through the bank accounts of European acquaintances in Russia before being withdrawn in the EU.
Payments-in-kind are sometimes also offered. In Lithuania, the 18-year-old convicted of the 2024 IKEA arson attack received a used vehicle but not the promised €10,000.
These examples illustrate that while cryptocurrency offers speed and remote tasking, cash and payments-in-kind remain a flexible tool for exploiting gaps in cross-border oversight.
Cryptocurrency as a Primary Payment Backbone
Despite public perceptions of crypto as being used primarily because it offers anonymity, experts repeatedly emphasised that its appeal to financing sabotage lies in its low barrier to entry, the absence of know-your-customer (KYC) systems, and deniability through payment layering. The crypto payment chains observed in sabotage cases are simple, individually low-value and generally unsophisticated, but they are effective.
Two Cases of Crypto-Financed Sabotage
Two incidents analysed by workshop participants illustrate the crypto financing of sabotage.
The case of Laken Pavan: In 2024, a Canadian teenager named Laken Pavan was recruited for reconnaissance tasks in Poland and paid roughly $600 in Bitcoin. Forensic analysis showed that the funds originated from a Bitcoin mining pool. Because mining pools aggregate contributions from thousands of miners, they obscure the upstream individual source by design; this complicates attribution, although it is believed that Pavan’s recruiter was a handler from Russia’s Federal Security Services. To cash out the funds, the teenager had to travel from Denmark (where he was staying) to Poland, where there are reportedly over 200 crypto exchange desks.
GRU-directed case: one workshop participant from the blockchain tracing industry noted a case attributed to Russia’s military intelligence agency (GRU), in which three saboteurs in Europe received around $1,000 each in USDT (Tether) from a single broker wallet. Analysts traced all three payments back to the same upstream source, probably a cash-to-crypto broker operating in Ukraine. The reuse of one broker wallet across different operatives suggests a pattern that could enable real-time identification of emerging saboteurs, as long as law enforcement can access the necessary intelligence at the right stage.
Crucially, in both cases, no time-consuming obfuscation techniques such as mixers, tumblers or privacy coins were used. This aligns with broader workshop findings: Russia prioritises speed and ease over enhanced security for its agents; attribution is rendered complex through a system of payment layering and tasking via local handlers; and most payments involve mainstream assets (such as Bitcoin and USDT), with the anonymity coming not from technology but from the informal intermediaries facilitating the flow.
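The shared-broker pattern from the GRU-directed case can be expressed as a simple tracing heuristic. The sketch below is an added example, not code from the paper or from workshop participants: starting from recipients already identified in an investigation, it walks payments upstream, keeps sources common to several of them, and lists other wallets the shared payer funded with similar amounts as leads for review. The wallet labels, amounts, hop limit, fan-out cut-off and amount tolerance are all constructed assumptions; the fan-out cut-off stands in for the mining-pool problem in the Pavan case, where a wallet that pays thousands of parties is not evidence of a link.

```python
from collections import defaultdict
from statistics import median

# Constructed sample ledger: (tx_id, sender, recipient, asset, amount_usd).
# No value here comes from a real investigation.
TRANSFERS = [
    ("t1", "cash_desk", "broker", "USDT", 5000),
    ("t2", "broker", "recipient_a", "USDT", 1000),
    ("t3", "broker", "recipient_b", "USDT", 980),
    ("t4", "broker", "recipient_c", "USDT", 1010),
    ("t5", "broker", "unrelated_shop", "USDT", 45),
    ("t6", "pool", "recipient_a", "BTC", 600),
    ("t7", "pool", "recipient_b", "BTC", 600),
] + [("p%d" % i, "pool", "miner_%d" % i, "BTC", 50) for i in range(40)]

# Recipients already identified, for instance after arrests (constructed).
KNOWN = {"recipient_a", "recipient_b"}


def index(transfers):
    """Index transfers by recipient (incoming) and by sender (outgoing)."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for tx in transfers:
        incoming[tx[2]].append(tx)
        outgoing[tx[1]].append(tx)
    return incoming, outgoing


def fanout(wallet, outgoing):
    """Number of distinct wallets this wallet has paid."""
    return len({tx[2] for tx in outgoing[wallet]})


def upstream(wallet, incoming, outgoing, max_hops=2, max_fanout=10):
    """Return {source: hop distance} for wallets that funded `wallet`.

    Wallets paying more than `max_fanout` distinct recipients are treated as
    services (pools, exchanges): they are neither reported nor traversed.
    """
    found, frontier = {}, [wallet]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for current in frontier:
            for tx in incoming[current]:
                source = tx[1]
                if source == wallet or source in found:
                    continue
                if fanout(source, outgoing) > max_fanout:
                    continue
                found[source] = hop
                next_frontier.append(source)
        frontier = next_frontier
    return found


def shared_sources(known, incoming, outgoing, min_shared=2, **trace_opts):
    """Sources that sit upstream of at least `min_shared` known recipients."""
    reach = defaultdict(set)
    for recipient in known:
        for source in upstream(recipient, incoming, outgoing, **trace_opts):
            reach[source].add(recipient)
    return {s: r for s, r in reach.items() if len(r) >= min_shared}


def leads(source, known, outgoing, tolerance=0.25):
    """Other wallets paid directly by `source` in amounts close to what the
    known recipients received. Leads for review, not findings."""
    reference = [tx[4] for tx in outgoing[source] if tx[2] in known]
    if not reference:
        return []  # source is further upstream; it paid no known recipient directly
    mid = median(reference)
    low, high = mid * (1 - tolerance), mid * (1 + tolerance)
    return sorted({tx[2] for tx in outgoing[source]
                   if tx[2] not in known and low <= tx[4] <= high})


if __name__ == "__main__":
    incoming, outgoing = index(TRANSFERS)
    for source, recipients in shared_sources(KNOWN, incoming, outgoing).items():
        print(source, sorted(recipients), "leads:", leads(source, KNOWN, outgoing))
```

On the sample ledger the pool is discarded despite having paid both known recipients, while the broker wallet surfaces the third recipient that was not yet known.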
The Role of Informal Cash Services and No-KYC Platforms
Expert interviews highlighted that the most important and most vulnerable nodes in the sabotage financing chain are not the payment chains themselves but the conversion layer where crypto becomes cash.
Over-the-counter (OTC) crypto exchanges – particularly informal, non-regulated cash desks – are a major blind spot. Workshop participants noted the prevalence of such services across Eastern Europe and Central Asia, while investigators have also documented extensive networks operating in major Western cities, including Miami, Washington, New York, Montreal and London. According to a workshop participant, 15 such operators were identified on a single street in Toronto. These services often handle tens of millions of dollars in short periods, operate openly on platforms such as Instagram, and require minimal to no documentation to use their services. Workshop participants have observed money mules offloading tens of thousands of dollars in broad daylight, with no verification of their identities or the origin of the funds.
Responding to Sabotage: Institutional and Operational Gaps and Challenges
Advancing a response to Russian sabotage in Europe requires addressing a range of institutional and operational gaps that limit the effectiveness of existing legal, financial and security tools in responding to sabotage in general, and its financing in particular.
Conceptual and Legal Gaps
The tools available to EU member states to counter Russian-linked sabotage – including criminal codes and counterterrorist financing (CTF) frameworks – remain ill-suited to the nature of the threat. The primary reason for this is that sabotage itself is not fully conceptualised in law and policy. There is no shared legal definition of sabotage across NATO or EU member states, nor is there a coherent EU-wide legal framework for responding to it. As a result, authorities lack a common basis for recognising, prioritising and responding to sabotage as a strategic threat rather than a collection of isolated criminal acts.
Attribution and Enforcement Challenges
Persistent attribution challenges further complicate the picture, particularly when operations are outsourced to intermediaries or so-called ‘disposable agents’. In practice, this often results in low-level operatives being prosecuted only for isolated, immediately visible offences, such as arson or vandalism, rather than for their role in a broader sabotage operation. Responses therefore often fail to reflect the strategic intent, escalation potential and cumulative impact of the sabotage activity.
Many of the tools required to counter sabotage financing already exist in the counterterrorist financing toolbox, but they are not deployed in a way that matches the speed, flexibility and deniability of the threat.
Take, for example, the case of an individual who sets fire to a paint factory located near a refinery, which in turn is located by a major river. This individual may be charged solely with a minor arson offence, even though the location and intended target significantly increase the risk of escalation, environmental contamination and systemic damage – including pollution of the river – if the fire were to spread. These dynamics also constrain authorities from applying existing legal instruments – including CTF tools – systematically, including to the financial dimension of the attack. As a result, relatively small penalties imposed on recruits fail to create a deterrent effect and do little to communicate to the wider public the potentially severe consequences of engaging in ‘gig-economy’ sabotage activities.
Structural Constraints in Applying Financial Intelligence to Sabotage
Beyond sabotage-specific legal and attribution challenges, there are longstanding structural barriers which are equally relevant to Russian-linked sabotage, and which have been highlighted by the CFS’s work on EU internal security. These challenges are systemic rather than sabotage-specific, and recur across organised crime, terrorism and state-sponsored hybrid threats.
The first barrier is that responses remain highly fragmented. Cross-border threats are still too often addressed through siloed institutional structures, with internal security, foreign policy and financial authorities operating on parallel tracks rather than through integrated approaches. As CFS research has shown, however, criminal and hostile-state actors ‘often use the same financial techniques across different crime types, offering opportunities for synergy and efficiency in response design’.
The second barrier is a persistent ‘speed gap’ between the pace at which money moves and the time required to mobilise legal and operational responses. Financial investigations are inherently lengthy, and existing tools for cross-border cooperation often operate on timelines that are out of step with modern financial flows, especially those enabled by alternative financial systems such as cryptocurrencies and stablecoins. Financial investigations are also resource-intensive, and in some cases, introducing a financial analysis into an active investigative process is perceived as delaying operational progress. However, neglecting financial intelligence systematically deprives the authorities of critical insights about networks, facilitators and escalation pathways.
This gap is further exacerbated by the multilingual nature of contemporary sabotage financing. Workshop participants noted that OTC services and recruitment channels operate across multiple languages and scripts. Where investigative capacity is limited to a narrow set of languages, detection is delayed and illicit financial activity can persist largely unchecked.
Finally, information-sharing barriers – both between the public and private sectors and within governments – continue to limit the effective use of financial data. In recent years, the EU has strengthened public–private partnerships, notably through the Europol Financial Intelligence Public Private Partnership (EFIPPP) platform. The new EU Anti-Money Laundering Package also extends private-to-private information sharing. In practice, however, implementation across member states remains uneven: sensitive material held by intelligence agencies does not always flow to sanctions teams, law enforcement units or foreign ministries in ways that enable coherent financial responses. In many member states, public–private cooperation remains minimal and is not viewed as a strategic tool against financial crime, despite the provision of a new framework for private–private collaboration under Article 75 of the Sixth Anti-Money Laundering Directive (AMLD6).
Weak Platform Accountability as an Enabling Factor
Platform accountability remains weak, particularly in relation to Telegram, which is the primary digital tool for recruitment, tasking, payment coordination and propaganda around Russian-financed sabotage. Unlike platforms such as Facebook or X, which have been subject to sustained regulatory scrutiny and penalties, Telegram has historically incurred few compliance costs, despite its hosting criminal networks, disinformation operations and recruitment channels for sabotage. Although Telegram recently designated Brussels as the location of its EU legal representative under the Digital Services Act – and therefore falls under Belgian regulatory oversight – it reports only 41 million monthly average users in the EU. Experts estimate the real figure to be closer to 75 million, which would classify Telegram as a very large online platform (VLOP) subject to far more extensive risk management, transparency and audit obligations. Ensuring the accuracy of this self-reporting is therefore essential, as correct classification would strengthen oversight mechanisms directly relevant to identifying and disrupting sabotage-related recruitment channels.
Taken together, these structural barriers – institutional fragmentation, the speed gap, weak social media platform accountability and persistent information-sharing constraints – help to explain why, even where legal and policy tools exist on paper, their deployment against sabotage remains limited.
Operational Gaps Specific to Sabotage Financing via Crypto
Workshop participants discussed the overall operational gaps in combating the financing of criminal activity. The authors’ interviews provided further insight into the nature of those gaps, specifically identifying several weaknesses that are particularly salient for sabotage financing.
Upstream attribution remains the biggest blind spot: authorities typically identify handler wallets or payment channels only after arrests, making proactive tracking of financing chains nearly impossible. This is especially problematic in a model that relies on small, fast and geographically dispersed payments.
There is a persistently poor link between the activities of law enforcement and those of the private sector: different actors hold different pieces of the puzzle. Private-sector firms generate technical insights into on-chain and transactional activity, while law enforcement possesses operational intelligence on networks and individuals. In the absence of standardised channels for information exchange and clear mandates for cooperation, these complementary insights remain siloed. Investigative journalists help to connect these pieces, but they lack the mandate and resources to do so systematically.
Crypto operators fail to enforce basic KYC requirements: many exchanges and cash desks operate with minimal customer identification or transaction monitoring. Workshop participants stressed that more robust enforcement of existing KYC standards would significantly constrain saboteurs and their handlers.
Significant regulatory attention must be paid to OTC exchanges and cash desks: mapping cash desks is exceptionally labour-intensive. Investigators must physically visit each OTC location to record the wallet addresses used. The sheer number of such services worldwide and the fact that operators can easily change their wallet addresses with just a few clicks make comprehensive mapping effectively impossible. This raises the broader question of whether regulatory intervention is needed to require cash desks to maintain fixed or otherwise auditable wallet identifiers in order to support investigations.
Together, these operational gaps create a permissive and highly flexible environment for crypto-based layering and rapid cash-out options, reinforcing the financial backbone of contemporary Russian sabotage operations.
Why These Gaps Enable Sabotage
The combined effect of conceptual, structural and operational gaps gives hostile actors a wide margin of manoeuvre. The absence of a shared legal framework and a clear policy understanding of sabotage limits the use of existing CTF and financial crime tools. A fragmented institutional framework, slow investigative mechanisms and uneven information sharing hinder the development of an effective financial response. At the operational level, weak enforcement of KYC requirements and limited oversight of informal cash and crypto services provide practical channels for paying disposable agents with minimal perceived risk of timely detection – a reality reflected in the consistently low use of mixers, privacy coins or other obfuscation tools in the cases examined.
Many of the tools required to counter sabotage financing already exist in the counter terrorist financing toolbox, but they are not deployed in a way that matches the speed, flexibility and deniability of the threat. Closing these gaps is essential if NATO and EU member states are to move from reactive disruption of individual plots to proactive, systemic pressure on the financial infrastructure that underpins the ‘gig-economy’ model of Russian sabotage.
Recommendations
Hybrid, multidimensional warfare cannot be countered with a single instrument. Russian-linked sabotage demands a cross-agency and cross-border response that focuses on closing structural gaps and shifting from reactive investigation to proactive disruption.
The workshop and wider research undertaken for this paper underscore the urgent need to improve the current approach to addressing the link between finance and sabotage. The following recommendations draw on these insights and suggest responses that directly address the current challenge of the financing of sabotage, covering improvements to the multiple domains that sabotage exploits – from cognitive resilience and social media platform accountability to financial intelligence and cooperation mechanisms.
Without a holistic approach, it will be increasingly difficult to generate meaningful impact against threats that are decentralised, adaptive and embedded across civilian and digital environments.
Define and Conceptualise Sabotage to Enable Response Mechanisms
- Adopt a shared operational definition of sabotage across EU and NATO states that captures both physical and symbolic acts, including arson, parcel bombs, reconnaissance, couriering and politically motivated vandalism.
 - Explicitly incorporate financial dimensions (such as payments, facilitation and logistics) into legal definitions to enable use of CTF tools against sabotage actions where appropriate.
 - Develop guidance on attribution thresholds to prevent incidents from being misattributed to individuals’ nationalities and to avoid fuelling societal tension.
Strengthen Inter-Agency and Cross-Border Coordination
- Create joint analytical teams that link internal security agencies, financial intelligence units (FIUs), sanctions teams and foreign ministries, in order to address fragmentation.
 - Expand bilateral and regional coordination mechanisms – modelled on the style of the joint Polish–Lithuanian investigation teams mentioned earlier – for sabotage cases that span multiple jurisdictions.
 - Enhance NATO–EU information channels on hybrid threats to enable rapid exchange of operational leads linked to sabotage financing.
Enhance Public–Private Collaboration
- Deepen structured engagement between FIUs and private-sector analytical teams, including blockchain analytics firms and regulated virtual asset service providers.
 - Use existing mechanisms (such as EFIPPP and Article 75 of AMLD6) to enable controlled private–private sharing on high-risk patterns and typologies.
 - Promote secure, standardised channels for voluntary reporting of suspicious activity related to recruitment, payments and illicit wallets.
Upscale Financial Intelligence and Bridge the ‘Speed Gap’
- Invest in FIU and law enforcement analytical capacity, including language capabilities, blockchain literacy and enhancing the use of open source intelligence.
 - Develop rapid-response workflows for wallet freezes, cross-border requests and data access from exchanges so that responses match the speed of crypto-enabled payments.
 - Create a multilingual monitoring capability that reflects the multilingual nature of OTC advertisements, Telegram recruitment and cross-border crypto flows.
 - Ensure that financial intelligence is integrated from the start of sabotage investigations, not added late in the process.
Target Compliance Gaps in Sabotage Financing Flows
- Prioritise enforcement of basic KYC and customer due diligence requirements for small exchanges and cash-to-crypto services.
 - Map and monitor high-risk OTC providers, focusing on hubs in Eastern Europe, Central Asia, the Caucasus and diaspora-dense urban centres (such as Warsaw, London, Berlin, Cyprus and Hong Kong).
 - Introduce risk-based obligations for OTCs, including the use of fixed or auditable wallet identifiers.
 - Support partner countries (especially Ukraine) in enforcing KYC rules against brokers and desk operators who are frequently implicated in sabotage payments.
Improve Social Media Platform Accountability
- Enforce existing transparency and cooperation duties, especially under the EU Digital Services Act – including auditing Telegram’s EU user numbers and ensuring reporting obligations apply when crossing the VLOP threshold.
- Require meaningful investigative data cooperation from social media platforms, including the timely sharing of relevant metadata (such as IP addresses, device identifiers and linked wallet addresses) with law enforcement, both in response to lawful requests and, where appropriate, through proactive detection and referral mechanisms for recruitment and tasking channels linked to sabotage.
Raise Awareness to Build Societal Resilience
- Launch public communication campaigns to explain how recruitment works, why individuals are targeted and the consequences of cooperation, including the penalties proportionate to terrorist threats.
 - Target awareness campaigns at the groups most frequently exploited by recruiters – recent migrants, diaspora communities and teenagers – and deploy them in locations and online environments where recruitment and cash-out activities are most likely to occur, including around cash desks and on exchange platforms.
 - Introduce reward or whistleblower schemes for reporting recruitment attempts or suspicious financial offers.
Europe faces a rising threat from sabotage that leverages social media, cryptocurrencies and a supply of disposable agents who are willing to take on a range of disruptive tasks in return for payment. While tools for addressing this threat exist within the arsenal of the EU and other Western countries, the deployment and coordination of responses do not adequately address the scale of the problem. Engaging more systematically with the financing of sabotage in Europe should be one avenue of response that is more urgently prioritised by the security authorities and private sector.
WRITTEN BY
Kinga Redlowska
Head of CFS Europe
Centre for Finance and Security
Marta Popyk
Research Analyst and Project Officer, CFS
Centre for Finance and Security
Tom Keatinge
Director, CFS
Centre for Finance and Security