RUSI Cyber Sanctions Taskforce: Countering State-Backed Cyber Threats
This paper reports on the first meeting of the RUSI Cyber Sanctions Taskforce, focusing on the role of sanctions in countering cyber state threats, and highlighting their potential to disrupt malicious operations, impose costs on adversaries and reinforce international security strategies.
Introduction
Malicious cyber-enabled activities have become recurring threats in international security. States and their proxies use cyberattacks to disrupt critical services, steal sensitive information and undermine political processes. Alongside state activity, organised criminal groups use ransomware to disrupt and extort businesses and public institutions around the world. In response, sanctions have emerged as one of the principal tools available to governments seeking to expose and disrupt malicious cyber operations and impose costs on the perpetrators.
The US has developed an extensive cyber-related sanctions practice since 2015, applying it against state intelligence officers, criminal groups and the financial and technical enablers that support them. The EU’s cyber sanctions regime, launched in 2019, has been applied in a smaller number of cases, with restrictive measures forming part of the EU’s wider cyber diplomacy toolbox. The UK has followed a similar path, leveraging the cyber sanctions regime adopted after Brexit to attribute malicious activity and to coordinate responses with international partners. Together, these efforts reflect a growing determination by sanctioning jurisdictions to respond to cyber threats not only with law enforcement tools, but also with instruments of economic statecraft.
The effectiveness of these approaches remains contested. Some argue that sanctions have limited direct impact because the individuals targeted often hold no assets in Western jurisdictions and rarely travel abroad. Others note that sanctions can nonetheless disrupt wider ecosystems of enablers, alter adversary behaviour, ‘toxify’ perpetrators and their business models by publicly naming them and forcing their underground networks to distance themselves, and reinforce broader diplomatic narratives. They can also affect the decision-making of private sector intermediaries, such as exchanges or service providers, which may choose to withdraw support from sanctioned actors rather than risk exposure. These debates highlight the importance of understanding what sanctions can and cannot achieve in the cyber context, and how they can be better integrated into national and international strategies.
Against this background and to unpack this evolving threat, the Centre for Finance and Security and the Cyber and Tech teams at RUSI convened the first meeting of the RUSI Cyber Sanctions Taskforce in September 2025. The meeting brought together current and former government officials from the UK, the US and the EU and other EU officials, along with sanctions and cybersecurity researchers and private sector cyber threat experts, to assess the effectiveness of cyber sanctions in countering hostile state activities and to reflect on future policy directions.
The discussions at this meeting centred on cyber state threats. Looking ahead, the Taskforce will convene a second meeting focused on sanctions targeting cybercriminals, spyware vendors and financial intermediaries facilitating cybercrime.
Methodology
This paper is informed by insights from the first meeting of the RUSI Cyber Sanctions Taskforce, based on the unattributable contributions of participants. To strengthen this evidence-based analysis, it is complemented by official documentation, sanctions designation notices and relevant secondary literature on the use of sanctions in the cyber domain.
Cyber Deterrence in a Multipolar World
The role of sanctions in the cyber domain needs to be understood within the broader framework of deterrence. Unlike in counterterrorism or counter-nuclear proliferation strategies, where deterrence strategies are often built around preventing a single catastrophic act, the cyber threat environment is defined by constant subthreshold activity that rarely threatens to escalate to an existential risk level or an act of war. Instead, malicious operations tend to take the form of repeated intrusions and pre-positioning – the act of infiltrating systems to establish a foothold that enables sabotage at a later stage. Russia and China stand out as the most consistent perpetrators, targeting European and allied systems on a regular basis. These activities frequently remain below the threshold of an overt attack, yet their cumulative effect poses strategic risks that cannot be countered through isolated or reactive measures, particularly when directed against critical national infrastructure (CNI).
Recognition of this threat has encouraged governments to experiment with sanctions as part of a wider menu of countermeasures. One of the most notable developments has been a shift in political appetite for attribution. Countries that had previously avoided such steps are increasingly willing to take the risk of naming specific actors. France issued its first public attribution of cyberattacks to the Russian military intelligence service (GRU) in April 2025. Czechia attributed the malicious activities of cyberespionage actor APT31 to China in May 2025. Singapore, despite its delicate regional position, also attributed operations to Chinese actors in July 2025. These examples show how the public naming of malicious actors is becoming more widely accepted, opening the way for the greater use of sanctions as part of the toolbox for building resilience and signalling boundaries.
Participants in the Taskforce discussion stressed that cyber deterrence is not a stand-alone effort and is most effective when adopted as part of a cross-domain strategy. The goal is not to prevent every hostile operation, which would be unachievable given the deniable and low-level nature of most activity, but to integrate sanctions with diplomatic, law enforcement and intelligence instruments to change the adversary’s behaviour. In practice, this means disrupting hostile operations by making malicious activity less rewarding and more politically or economically costly for adversaries, rather than achieving comprehensive deterrence. One participant aptly described this ambition as ‘toxification’.
The US Approach to Cyber Sanctions
The US has developed the most extensive and sustained practice of cyber-related sanctions to date. The framework was established in 2015 through Executive Order 13694, authorising measures against individuals and entities engaged in significant malicious cyber activity. This followed a period in which the US government had begun to indict foreign hackers and to signal that cyber operations would be met with tangible consequences. Over the past decade, this framework has been used against a wide spectrum of targets, ranging from intelligence officers and military units to cybercriminal groups and their facilitators.
As highlighted by former US government officials in the Taskforce meeting, a defining characteristic of the US approach has been the emphasis on naming individuals rather than solely focusing on groups or organisations. Groups can dissolve or rebrand, whereas individuals carry persistent identities and networks that can be tracked across time. Designations of specific officers and enablers linked to the Russian GRU and FSB intelligence agencies, Iranian entities, North Korean operatives and crypto infrastructures and Chinese state-linked hackers have provided a foundation for follow-on action and have increased reputational and operational risks for those named.
Equally important has been the sequencing of sanctions alongside other measures. The US has repeatedly sought to pair designations with diplomatic démarches, public technical advisories and criminal indictments. This integrated approach aims to increase the impact of each instrument by amplifying the signal that malicious cyber activity is costly and will be met with a coordinated response. Sanctions that are issued in isolation are understood to have limited effect, but when they form part of a wider campaign, they generate friction across adversary ecosystems and reinforce diplomatic messages to partners and third countries alike.
A point highlighted by several members at the Taskforce meeting was that the effects of these measures have varied according to actor. Russian intelligence operatives have sometimes been praised domestically, which limits the deterrent value of designations. Iranian actors have been more directly constrained, particularly when sanctions limit their access to Western technology and international financial services. North Korean operators have continued to mount attacks and crypto heists, but the combination of sanctions and seizures has made monetisation far more difficult and has forced repeated adaptation. Against Chinese actors, sanctions on individuals have had limited direct effect, but the threat of wider economic measures had some influence in diplomatic negotiations on intellectual property theft in 2015. These examples illustrate how sanctions can alter behaviour and impose costs even without eliminating hostile activity altogether.
Former officials stressed that investment in behavioural analysis has been central to the more successful US cases, such as the disruption of North Korean cyber operations. Without insights into the motivations, vulnerabilities and institutional incentives that drive hostile actors, sanctions risk being blunt instruments that fail to shape behaviour in the intended way.
The US approach demonstrates that cyber sanctions can be a valuable instrument when embedded within a wider campaign and backed by credible enforcement. Their primary value lies not in triggering the immediate cessation of hostile activity but in forcing adversaries to change tactics, accept delays and operate with greater risk.
The EU Experience
The EU created its dedicated cyber sanctions regime in 2019, adding a new framework to its array of restrictive measures. The regime was conceived as part of the EU’s cyber diplomacy toolbox and enables asset freezes and travel bans against individuals and entities deemed responsible for cyber activities that threaten the foreign policy or security of the EU and its member states. Unlike most EU sanctions regimes, which are country-specific, the cyber framework applies globally to state and non-state actors alike.
In principle, this horizontal design gives the EU flexibility to act wherever threats emerge. In practice, the use of the regime has been cautious. Since its adoption, only 17 individuals and four entities have been designated. These include actors linked to Russian, Chinese and North Korean operations, but government officials at the Taskforce meeting acknowledged that the overall number remains modest when compared with geopolitical regimes, such as the Russia framework, which has produced hundreds of listings since 2022. The disparity reflects the relative political ease of mobilising consensus around measures tied to a specific conflict compared to the more abstract and technical challenge of addressing cyber activity.
A few member states have managed to push for EU cyber-related designations, including Germany in October 2020, the Netherlands in June 2024 and Estonia in January 2025. However, the functioning of EU sanctions policymaking is shaped by the requirement for unanimity among all 27 member states. While proposals for listings can be initiated either by member states or by the High Representative, every designation must secure unanimous agreement. Member states are often reluctant or unable to share sensitive intelligence widely, and without detailed open source evidence it can be difficult to persuade sceptical partners. As a result, the listings that do go forward are often the product of painstaking consensus-building and are accompanied by only sparse public justification. This contrasts with the US approach, where indictments often accompany designations and set out timelines, infrastructure and methods used by hostile actors, which the EU rarely publishes.
At the European level, implementation of cyber sanctions has also raised questions on their effectiveness. Data on the freezing of assets under the EU cyber sanctions regime is minimal, with several experts at the Taskforce meeting observing that little evidence has been provided of significant financial disruption. Some participants argued that this reflects a lack of systematic monitoring or transparency. Others pointed to the limits of the EU system, in which attribution remains a member state prerogative and sanctions are often the result of political compromise rather than a coordinated enforcement strategy.
Despite these limitations, the regime retains political and strategic value. Some smaller member states view it as a useful means of expressing concern and testing attribution in a way that falls short of issuing a full national statement. The separation between attribution, which remains a member state prerogative, and sanctions, which can be agreed collectively, allows governments to align with partners and signal boundaries while managing domestic political sensitivities. Cases such as France’s first public attribution to Russia and the respective attributions of Czechia and Germany to China illustrate a broader shift in political appetite for naming and sanctioning.
The EU’s experience to date suggests that cyber sanctions serve primarily as a signalling tool rather than as a mechanism of direct disruption. They reinforce diplomatic narratives, enable collective responses and provide a channel for member states to express alignment without individually taking on the political risks of attribution. However, without a larger body of designations and more systematic and transparent enforcement, their impact on adversary behaviour will remain limited.
The UK Position
In a similar way to the US and the EU, the UK has adopted sanctions as a tool to respond to malicious cyber activity, but its practice has been shaped by particular institutional and legal constraints. Since leaving the EU, the UK has developed its own autonomous sanctions framework, under which cyber-related designations have been introduced. These measures sit within a broader strategy that views sanctions not only as a law enforcement mechanism but also as an instrument of foreign and security policy.
Coordination with allies has been a priority for the UK. UK officials at the Taskforce meeting stressed that unilateral sanctions in this field are unlikely to have meaningful impact. The effectiveness of any measures depends on working in step with partners, particularly the US, whose financial reach and enforcement capacity give its actions disproportionate weight. The UK therefore positions itself as a reliable partner willing to move quickly in coordination with allies. The aim is to ensure that measures have the maximum effect on adversaries and send coherent signals to the international community.
The UK has also sought to add weight to its designations by making them more detailed than the bare minimum required. Recent cases attributing activity to the GRU, for example, have included descriptions intended to help the private sector and international partners understand their context. Officials emphasise that the purpose is not only to punish or restrict individuals – many of whom have no assets in or travel plans to the UK – but also to contribute to a wider narrative that shapes the behaviour of adversaries and the decisions of third parties who may be considering whether to provide or receive services to/from those actors.
Taskforce participants highlighted, however, the difficulty of pairing sanctions with criminal indictments. The evidentiary threshold required by the UK’s Crown Prosecution Service to bring charges is high, and in most cases involving foreign intelligence officers or overseas cybercriminals there is little prospect of arrest. This limits the UK’s ability to use criminal proceedings as a complement to sanctions, in contrast again to the US practice of announcing indictments alongside designations. As a result, sanctions are understood in the UK context more as tools of attribution, business disruption and diplomatic signalling than as a pathway to law enforcement action.
The UK has invested in developing public–private partnerships to ensure that information about designations is shared with industry, recognising that companies are often the frontline of defence against malicious cyber operations. These partnerships are also intended to create feedback loops so that officials can better assess the practical impact of designations.
The UK position illustrates both the strengths and limits of sanctions in this domain. On the one hand, designations provide a means of attribution, strengthen coordination with allies and help reinforce broader diplomatic messages. On the other hand, similarly to the EU, the lack, and limited scope, of enforcement action means that the sanctions’ primary effect risks appearing symbolic.
Behavioural Effects, Assessing Effectiveness and Theories of Change
Malicious cyber activity is persistent, adaptive and often deniable. Participants in the Taskforce therefore discussed how sanctions should be assessed on whether they alter behaviour at the margin, impose friction and increase costs in ways that influence adversary decision-making. This logic aligns with a cross-domain approach in which sanctions complement law enforcement, intelligence, diplomacy and, in some cases, covert or military tools. When embedded in such strategies, they can constrain options, complicate operations and signal boundaries around the most unacceptable conduct, including attacks on CNI or interference in democratic processes.
Public and private sector members of the Taskforce agreed that the effects of sanctions vary across actor types. Foreign intelligence officers are unlikely to be deterred by asset freezes or travel bans, but listings can still serve diplomatic and reputational purposes. Contracted enablers and quasi-commercial entities such as cryptocurrency exchanges and mixers, technology suppliers, data brokers and service providers face greater vulnerability, as sanctions can restrict access to financial services and international networks. Criminal groups are even more exposed as reputational damage caused by designations can toxify their brands, drive affiliates away and force repeated rebranding cycles that erode trust and impose costs.
The case of the cybercrime group LockBit is illustrative, where exposure and coordinated disruption undermined credibility and fractured its ecosystem. Similarly, financial measures have constrained actors dependent on cryptocurrency. North Korean operators, as explored above, continue to conduct heists but struggle to convert stolen crypto assets into usable funds, demonstrating how sanctions can force continual adaptation and raise risks even without stopping operations outright.
As explored above, attribution underpins both the legitimacy and the impact of sanctions, yet it remains politically sensitive, technically complex and unevenly practised. Recent moves by France, Czechia and Germany underscore that credible attribution is essential to ensure sanctions are not only symbolic but also actionable for partners and industry. Taskforce members also highlighted that attribution and sanctions function as political signals, shaping the behaviour of third parties as much as that of the direct targets. Publicly naming actors demonstrates international coordination to disrupt these ecosystems and often prompts service providers or intermediaries to disengage from listed individuals. Such indirect effects can complicate adversary operations by narrowing their options.
Timing and sequencing further influence effectiveness. Former officials in the Taskforce meeting noted that sanctions announced long after an incident – as is often the case in the EU, given its operation methods – risk being detached from the behaviour they are meant to address, whereas rapid, coordinated measures generate stronger cumulative effects. Pairing designations with diplomatic démarches, criminal indictments and asset seizures maximises impact on cyber threat actors. Sustained campaigns of rolling designations and enforcement make it harder for hostile actors to re-establish stable operating environments, although this requires investment in intelligence, analytic capacity and international cooperation to maintain momentum.
Assessing effectiveness ultimately depends on clarity of purpose. If the objective is to protect CNI, deter electoral interference or constrain ransomware, then sanctions should be designed and measured with those aims in mind. Evidence already points to both disruptive and symbolic impacts: North Korean operators facing cash-out difficulties, Iranian actors blocked from technologies and financial services, ransomware groups forced into damaging rebrands and adversaries publicly stigmatised in ways that reinforce attribution and allied solidarity. However, data gaps, particularly in the EU, make systematic evaluation difficult. Without more transparent monitoring of whether assets are frozen, or services withdrawn, sanctions risk being dismissed as symbolic gestures. Across all jurisdictions, the key is matching measures to intended behavioural effects, ensuring credible attribution and integrating sanctions into comprehensive strategies to make malicious cyber activity slower, riskier and more costly.
Future Directions and Policy Priorities
The development of cyber sanctions by the US, the EU and the UK over the past decade demonstrates that these measures are now a recognised element of statecraft in the cyber domain for responding to both criminal and state-based malicious cyber activity. Yet the evidence also highlights their shortcomings, such as the limited number of designations compared with the scale of activity, the insufficient focus on targeting enabling infrastructure, such as financial and technical intermediaries, and the lack of reliable data on whether measures disrupt operations in practice. Several priorities emerge for policymakers seeking to strengthen the effectiveness of sanctions in this space.
Greater clarity of purpose is essential. Cyber sanctions are often announced without a clear articulation of the behaviours they are intended to change. Governments should specify the explicit goals of sanctions to enable more precise targeting and a clearer assessment of the outcomes.
Cyber sanctions need to be better integrated into cross-domain strategies. The most effective cases to date have been those in which cyber sanctions were paired with diplomatic statements, indictments, seizures or covert disruption. The sequencing of measures within comprehensive strategies reinforces deterrence and maximises impact.
More attention should be given to targeting enablers rather than only perpetrators. Threat actors engaged in malicious cyber operations often remain beyond the direct reach of sanctions. Enhancing the targeting of the enabling ecosystem, such as cryptocurrency exchanges, technology suppliers and service providers, can create wider disruption and shape the behaviour of intermediaries who are more responsive to pressure.
Transparency and communication are critical. Public indictments and technical advisories accompanying sanctions increase their value by providing information that the private sector can use to adjust its defences. The EU in particular faces a challenge in this area, as sparse designation notices limit the ability of external actors to support enforcement or understand the rationale for measures.
International coordination must remain a priority. Cyber operations are inherently transnational, and unilateral sanctions risk being circumvented. Coordinated announcements by the US, the EU, the UK and other partners send stronger signals and complicate adversary adaptation.
Effectiveness should be monitored systematically. There is currently little consistent data on whether sanctions result in frozen assets, reduced operational activity or deterrence of specific behaviours. Developing methodologies for measuring both direct and indirect impacts would help policymakers refine strategies and demonstrate accountability.
Sanctions are now an established part of cyber deterrence in the US, the EU and the UK. The insights of the RUSI Cyber Sanctions Taskforce underline that sanctions will not deter all malicious cyber activity. What they can do is complicate operations, raise costs, disrupt enabling infrastructure and signal collective resolve. Used strategically, sanctions can reinforce diplomatic and security objectives and contribute to shaping the rules of behaviour in the cyber domain. The task ahead is to refine their application so that they achieve more than symbolic outcomes and play a meaningful role in cyber deterrence.
WRITTEN BY
Gonzalo Saiz Erausquin
Research Fellow
Centre for Finance and Security


