Russia’s intelligence services are carrying out an increasingly aggressive campaign of sabotage and subversion across Europe. Whereas dramatic cases involving Russian spies often make headlines, most of this activity is carried out by low-level intelligence operatives, some of them still teenagers. They are hard to trace, easily replaced, and use cheap methods. But together they form an adaptive network whose disruptive actions should not be underestimated, argues Svetlana Satchkova.

A Russian flag at the Embassy of Russia is seen through a bus stop post in Washington, DC on April 15, 2021. Photo: Mandel Ngan / ANP / AFP

Russia has long used sabotage, spying, and cyberattacks against Western countries, but these efforts have grown more aggressive since the war in Ukraine began. They are increasingly felt in civilian life, affecting places like shopping centers, public events, and communication systems. In response, governments across Europe and North America have tightened security and increased surveillance.

Espionage in plain sight

Dramatic cases involving Russian spies, like the group recently sentenced in Britain for plotting to kill investigative journalist Christo Grozev, or the occasional high-profile spy swap, often make headlines. But much of Russia’s intelligence work abroad is, by nature, less visible. In the U.S., low-level operatives frequently pose as academics, journalists, or businesspeople. They attend public events, gather contacts, and quietly assess potential recruits. Many are not trained agents, but rather trusted intermediaries, opportunists, or individuals who have been pressured, paid, or manipulated into cooperating.

In 2023, I attended an event in New York City where prominent journalists spoke about Russia’s slide into authoritarianism. Several attendees - ordinary Americans by their appearance and accent - interrupted the speakers at different intervals, shouting identical lines about the United States being no better than Russia and invoking Edward Snowden, the American whistleblower who fled to Russia and now also has a Russian passport. The hecklers were eventually escorted out, but it was clear they were acting on behalf of the Kremlin. Their efforts didn’t disrupt the event, and instead prompted amused conversations afterward. Still, it was unclear why this particular gathering had been targeted. It was a small event, unlikely to attract public attention. Perhaps the goal was simply to send a message: we were being watched.

Quiet exposures and known cases

Over the past few years, several revealing incidents have come to light. In 2020, a former Russian chef was arrested in Florida after a high-speed chase in a Mustang. He previously worked at Mari Vanna - a well-known Russian restaurant in Washington, DC -  and upon his arrest was revealed to be a spy who had studied radio electronics at a military institute in Russia. He later returned to his native country and was reportedly killed in action in Ukraine.

In 2022, Elena Branson, a dual citizen of Russia and the U.S., was charged with acting as an unregistered foreign agent. She had founded the Russian Center New York in 2012 to promote Russian history and culture, but fled the country before she could be prosecuted. Around the same time, a young woman named Nomma Zarubina - someone with whom I shared several Facebook friends - began appearing at events organized by anti-Kremlin activists in the U.S. and Canada. She took selfies with prominent exiles and later sent them friend requests. Last December, she was arrested by the FBI and charged with making false statements about her ties to the FSB. Her covert activities in the U.S. were reportedly directed from the FSB branch in Tomsk, in Siberia.

Svetlana Satchkova

Journalist en schrijver

Svetlana Satchkova schreef drie Russische romans. Ze groeide op in Moskou en woont tegenwoordig in New York.

Nonviolent in the U.S., violent elsewhere

Modern spying is a long game, built on layers of deniability. Low-level Russian intelligence operatives abroad are numerous, disposable, and easily replaced, but together they form a highly adaptive network. In the U.S., their activities appear to be limited to non-violent operations. A source told me there is an informal understanding between the U.S. and Russia: no violent acts are to be carried out on American soil. That’s reportedly why Christo Grozev now lives in New York. The violence takes place elsewhere - in Europe, and in former Soviet states like Kyrgyzstan and Armenia. Opposition journalists and low-profile dissenters are not just being approached or surveilled; they are being stalked, threatened, followed by drones, kidnapped, poisoned, and even killed.

Independent Russian journalist Elena Kostyuchenko at the Charité hospital in Berlin, December 2022, after her suspected poisoning. Photograph: Elena Kostyuchenko/Instagram

Since the full-scale invasion of Ukraine, Russia’s intelligence services - especially the GRU, its military intelligence agency - have carried out an increasingly aggressive campaign of sabotage and subversion across Europe. A February 2024 report from the Royal United Services Institute (RUSI) in the United Kingdom warned of a mounting threat from the GRU, stating that it was building a covert network of operatives to conduct espionage and sabotage missions across the continent. ‘The GRU is restructuring how it manages the recruitment and training of special forces troops,’ the report noted, ‘and is rebuilding the support apparatus to be able to infiltrate them into European countries.’ Experts and officials say the recent wave of sabotage incidents exemplifies Russia’s strategy of ‘hybrid warfare’, which blends psychological, economic, and political tactics with covert or conventional military force to destabilize its adversaries.

Recent attacks underscore this shift. In May 2024, a shopping center in Warsaw that housed around 1,400 shops and service points was almost completely burned down. Polish authorities later stated they had clear evidence linking the attack to Moscow, citing Poland’s role as a key hub for aid to Ukraine. In response, Poland closed the Russian consulate in Krakow. Other arson attacks have targeted a warehouse in England, a paint factory in Poland, homes in Latvia, and an Ikea store in Lithuania. While these incidents may seem random, European security officials say they are part of a coordinated Russian effort to disrupt arms transfers to Kyiv.

In many of these cases, Russia uses local recruits to carry out attacks, making attribution more difficult and creating the illusion of domestic discontent. In Germany, one of Ukraine’s main and most consistent supporters, German-Russian nationals Dieter S. and Alexander J., were arrested for plotting bomb and arson attacks on military facilities. Their targets included sites used by U.S. forces, such as the Grafenwoehr Army base in Bavaria, where Ukrainian soldiers are trained to operate U.S. Abrams tanks. They were convicted of working for a Russian secret service. German authorities had also exposed a sophisticated hacking operation carried out by Russian military intelligence, which breached the email systems of the Social Democratic Party’s headquarters - the main party in the country’s ruling coalition. The hacking campaign also compromised German firms in the defense and aerospace sectors. In addition, early last year, the U.S. intelligence discovered that the Russian government planned to assassinate Armin Papperger, the chief executive of Rheinmetall, a powerful German arms manufacturer that has been producing artillery shells and military vehicles for Ukraine. Germany’s security services were warned by the U.S. and then able to foil the plot.

Russia’s sabotage efforts extend to critical infrastructure across Europe, including transportation networks, railways, and energy systems. One specific tactic has involved sending incendiary devices disguised as commercial parcels via cargo services like DHL. These self-igniting packages are intended to catch fire during transit to targets in the EU and the U.K. Notably, such attacks have not occurred in countries seen as friendly to Moscow, such as Serbia and Hungary, raising the likelihood that they are being intentionally spared.

General view of a fire in one of the biggest shopping centers in Warsaw, Poland, 12 May 2024. Nearly 100% of Marywilska 44 was destroyed in the fire. Photo: Leszek Szymanski / ANP / EPA

Recruiting minors in Ukraine

Inside Ukraine, Russia has recruited locals, including teenagers, to carry out acts of sabotage. Among them is a 15-year-old boy from Kharkiv, identified to the press as V., who faces years in prison for planting a homemade explosive device near the city’s police department. In November 2024, he was contacted through a Telegram channel and promised money to build and place the bomb; he narrowly escaped death when it detonated. In another case, a teenager was killed after being unknowingly turned into a suicide bomber by Russian agents. Daniil B., who has recently been arrested in Poland for his involvement in the 2024 fire in the shopping center in Warsaw, was born in 2006. 

Ukrainian investigators say Russia has recruited hundreds of minors for sabotage and terrorist acts since the full-scale invasion began, using platforms like TikTok, Telegram, and Discord to reach them. In response, Ukrainian authorities have launched a nationwide high school program to teach students how to avoid falling victim to such recruitment. Speaking to The New York Times, Roksolana Yavorska-Isaienko, a spokesperson for Ukraine’s Security Service in the Lviv region, said Russia’s use of teenagers marks a shift toward more indiscriminate attacks, targeting military enlistment offices and train stations. She likened the tactic to the use of teenage suicide bombers in Afghanistan, Pakistan, and elsewhere.

Undersea vulnerabilities and cyber escalation

Russia’s operations aren’t limited to land. Since 2022, suspected sabotage of undersea infrastructure in the Baltic Sea has targeted telecom, power, and gas lines connecting countries like Sweden, Finland, Germany, Latvia, and Estonia. At least six such incidents have been reported, and 11 undersea cables have been severed since 2023. These attacks take advantage of the vulnerability of shallow waters in the Baltic and Gulf of Finland, where cables can be damaged with something as simple as a ship’s anchor. In one case, a vessel dragged its anchor for 100 kilometers, cutting multiple lines. While some of these disruptions may be accidental, others - such as those involving a Chinese-flagged tanker - have raised suspicions of coordinated sabotage. The methods are cheap and easy to carry out, but the consequences are serious. Damaged infrastructure can lead to energy price spikes, communication blackouts, and growing public anxiety, all of which can contribute to political instability. In response, the EU and NATO have stepped up surveillance, deploying drones and naval patrols, and investing in spare cables and specialized repair ships. Still, legal and logistical challenges remain, especially in international waters, where suspicious vessels often avoid accountability under the protection of their flag states.

In addition to physical sabotage, Russia has intensified its cyber operations against Western companies supporting Ukraine. The state-linked hacking group known as Fancy Bear has expanded its focus to include logistics firms and technology companies involved in delivering aid, according to a cyber threat advisory released recently by the U.S. and ten allied countries. The advisory reports that a wide range of targets have come under attack, including defense contractors, transportation hubs, maritime companies, air traffic control systems, and IT service providers. The hackers have used various tactics, such as brute-force attacks to crack passwords, spear-phishing campaigns to steal login credentials and install malware, and the exploitation of vulnerabilities in widely used software like Microsoft Outlook. Organizations in countries including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the U.S. have all been targeted. Russia has also attempted GPS jamming, aiming to disrupt civil aviation in parts of Europe.

Russia’s use of low-level operatives and hard-to-trace tactics makes its network difficult to detect but still highly disruptive. Most of this activity happens out of public view, but it puts pressure on security agencies and highlights deeper weaknesses in the system. In response, Western governments are starting to look past isolated incidents to better understand and counter the larger strategy behind them.