The head of MI5 has warned that Russia is on a mission to ‘generate sustained mayhem on British and European streets.’ He is referring to a string of high-profile sabotage and arson events that have occurred in Europe since the outbreak of the Ukraine war, ranging from the destruction of undersea cable infrastructure in the Baltic Sea to the burning down of Warsaw’s largest shopping mall, and even the petty harassment of pro-Ukraine public figures in Estonia.

When assessing the manifestations of this ‘mayhem,’ a novel modus operandi is apparent: this wave of gray zone warfare is not the work of professional intelligence agents. The real spooks are being forced to operate from Russia, having been largely expelled from their previous postings in European states. Rather, the sabotage is being done by amateurs, many of whom are recruited over social media, and some not even legal adults. And unlike the high ideology of the Cold War era, they do it for love of money, not love of motherland. These tactics adopt a fluidity well suited to the digital age, where saboteurs are recruited, trained, and paid without ever coming into contact with state agents – in fact, some of these saboteurs don’t even know what exactly they’re doing. This new paradigm allows for gray zone warfare that spans borders and continents, reducing costs and expanding recruitment potential across age, profession, and geography.

But there are drawbacks as well. The appeal of gray zone warfare has always been its deniability. Yet as the events outlined below illustrate, deniability is a casualty of the new tactical normal. With more amateur operatives being caught and disclosing the details of their recruitment process, a picture of Russian gray zone warfare has come into greater relief, and it is producing escalating policy responses from Western states. Some examples include:

  • NATO’s ‘Baltic Sentry,’ which seeks to establish an active military presence in the Baltic Sea to protect critical infrastructure from sabotage;
  • The Biden administration’s explicit warnings of severe consequences should Russian intelligence attempt to send exploding packages to North America;
  • Poland launching a €2 billion effort to establish drone defenses along its eastern border;
  • Poland’s ‘Operation Horizon,’ which will deploy approximately 10,000 troops to defend critical infrastructure and other sites.

These represent an attempt to delineate limits on gray zone warfare and create diplomatic and security consequences where before there were none. This is a process that is still in its infancy however, with both offensive and defense actors blindly navigating the uncharted territory of new technological and geopolitical realities.

Baltic Sea Undersea Cable Sabotage

Modus Operandi: State organs enlist a third party that would typically operate in the target maritime space; for example, a captain of a commercial vessel. The third party then drops anchor near the target and proceeds to drag it along the seabed until the cable is severely damaged or cut outright. This tactic is particularly well suited to the Baltic Sea due to its shallow waters and critical undersea cable infrastructure (data and energy).

Upside: Undersea cable sabotage provides three advantages for the offensive party. The first is the low operating cost, which is basically the money needed to enlist the third party. The second is deniability since these gray zone operations do not directly involve any state instruments in performing the sabotage. The possibility of accidental damage to undersea cables represents another layer of deniability, one that is typically invoked by detained crews, and perhaps sincerely since accidental anchor-related damage is a common cause of undersea infrastructure destruction. Finally, damage to undersea infrastructure can create economic impacts for hostile states, costing anywhere between €5 million and €150 million to fix, with repairs taking months if not years to complete.

Downside: There is no easy answer on how to create deterring costs for gray zone cable sabotage. Overreacting risks kinetic conflict; Underreacting invites more sabotage in the future. European states like Finland and Norway have made efforts to hold individual captains and crews to account. There is also a more concerted military strategy to safeguard Baltic infrastructure. In January 2025, NATO announced the ‘Baltic Sentry’ initiative, deploying frigates, patrol aircraft, and maritime drones to monitor critical infrastructure in the area. Notably, the deployment has the power to board, impound, and arrest crews suspected of sabotage. The launch of Baltic Sentry coincided with fewer undersea cable sabotage incidents through 2025. However, there has been a rash of new outages to kick off 2026.

Notable Incidents

  • Nord Stream (September 26, 2022): An underseas explosion renders the Nord Stream natural gas pipelines linking Germany and Russia inoperable. In the immediate aftermath of the explosion, fingers are pointed at all sides. Since then, Sweden, Denmark, and Germany have conducted separate investigations into the cause. The first two ended inconclusively, while the German one alleges the possible involvement of Ukrainian divers, trained in Poland.
  • BCS East-West / C-Lion1 (November 17-18, 2024): Two undersea cables are severely damaged in less than 24 hours, with the China-flagged bulk carrier Yi Peng 3 operating in the area at the time. China allows representatives from Germany, Sweden, Finland, and Denmark to board the ship, though it refuses entry to the Swedish prosecutor leading the investigation. The ensuing report notes that the Yi Peng 3 dragged its anchor for 1.5 days across 180 nautical miles, coinciding with the time of the cable breaks. Yet in the report’s final judgement, while emphasizing that the investigation was hampered by limited access, it declares that there’s no way to conclude either deliberate sabotage or accidental anchor deployment.
  • Estlink 2 (December 25, 2024): The Estlink 2 electricity connection between Finland and Estonia goes offline, prompting the Finnish authorities to detain the 24-strong crew of the Eagle S – a tanker believed to belong to Russia’s ‘shadow fleet.’ The Eagle S has since been allowed to leave, and three crew members remain detained as the investigation continues. The Estlink 2 is expected to be back online sometime in July.
  • Latvia-Sweden Cable Damage (January 26, 2025): Latvian government announces damage to a fiber optic cable linking Latvia and Sweden. The Maltese-flagged ship Vezhen is boarded and detained by Swedish authorities before being cleared of sabotage and released in February.
  • HelsinkiTallinn Telecom Link (December 31, 2025): Finnish police seize the St. Vincent and Grenadines-flagged Fitburg cargo vessel after a telecom outage between Finland and Estonia. The seizure is later lifted and the ship allowed to depart.
  • Sventoji-Liepaja Arelion Link (January 2, 2026): Latvian police board and investigate a ship docked in Liepaja following reported damage to a Latvia-Lithuania telecom line owned by Sweden’s Arelion. No evidence of sabotage is found.

Europe Arson and Espionage

Modus Operandi: Similar to the Baltic Sea MO, state organs enlist the help of either criminal elements, ideologically aligned supporters, or desperate people to execute acts of sabotage and vandalism that fuel the perception of discord and insecurity in Western societies. As per reporting from the Guardian, recent campaigns have utilized online recruitment to source new ‘freelance’ saboteurs, resulting in less targeted and less professional operations.

Upside: Low costs for recruitment, which happens either in-person or entirely online using apps like Telegram. Low diplomatic costs, since operators tend to be motivated individuals rather than state agents, meaning that they can be abandoned by their handlers upon capture. And highly deniable in that it often strains credulity that acts of petty vandalism and arson could link back to the Kremlin in the absence of any arrests. The campaign has achieved some major successes, notably the burning down of the Marywilska mall in Poland.

Downside: Amateurish and desperate operators tend not to remain quiet under questioning. Faced with years if not decades in jail, they’re far more inclined to spill the details of their handlers’ operating manual, and in doing so they shrink the ‘gray zone’ of plausible deniability.

Notable Incidents

  • Poland Amateur Spy Ring (November, 2023): Poland charges 16 foreigners with espionage for a variety of activities since January 2023, including intelligence-gathering around seaports and military facilities, monitoring trains entering Ukraine, and conducting propaganda campaigns. All 16 had been recruited over Telegram; all were paid via crypto; and several received laptops, phones, housing, and/or vehicles.
  • Estonia Vandalism (December 8, 2023): Cars belonging to the Estonian Minister of the Interior and a journalist are vandalized, with attacks allegedly planned for other outspoken critics of Russia’s invasion of Ukraine. Seven people were convicted over the incident, with pro-Russia activist Allan Hantsom receiving a six and a half year sentence. The group is alleged to have been operating at the behest of GRU, which offered a €10,000 payment for the operation, split between the participants.
  • Poland Paint Factory Aborted Arson (January, 2024): Pro-Russia Ukrainian ‘Sergei S’ is recruited on Telegram and paid to set fire to a paint factory in Poland. He is subsequently apprehended trying to leave the country and, despite ultimately not going through with the attack, is sentenced to eight years in prison.
  • East London Warehouse Fire (March 20, 2024): Two storage units of supplies meant for Ukraine are intentionally set on fire in London, resulting in over £1 in damages. Five men are sentenced in the attack, the two ringleaders for a combined 29 years. One of the ringleaders, a petty criminal, claims to have been recruited online by the Wagner Group. The former mercenary group has reportedly become directly involved in European sabotage since being absorbed by the Russian state.
  • Warsaw Hardware Store Arson (April 14, 2024): A large hardware store burns down in Warsaw, causing an estimated €840,000 in damage. Poland later charges Belarusian ‘Stepan K’ with arson, alleging that he was working at the behest of Russian intelligence. If convicted, Stepan faces up to 10 years in prison.
  • Vilnius IKEA Arson (May 9, 2024): An IKEA is burned down in a suspected arson case in Vilnius, Lithuania. The authorities charged Ukrainian teenager Daniil Bardadim with terrorism. Bardadim is alleged to have been offered an old BMW and $11,000 in cash by a group linked to GRU, though prosecutors note that the suspect did not seem to harbor any pro-Russia views.
  • Marywilska Shopping Center Arson (May 12, 2024): A massive fire destroys the Marywilska 44 shopping center in Warsaw. The Polish authorities conclude that the fire was set by an organized criminal group working at the behest of Russian intelligence and conducting operations in several EU countries. They allege that the attack was linked to the Vilnius IKEA fire, with Daniil Bardadim named as a suspect here as well, along with four other co-conspirators, including Oleksander V., an alleged Russia-based handler. The incident continues to feed into wider geopolitical tensions, with Poland recently ordering that Russia close its Krakow consulate citing evidence of Russian intelligence involvement in the Marywilska fire.
  • DHL Package Explosions (July, 2024): Three separate package explosions occur in routing facilities in Leipzig, Birmingham, and near Warsaw over the course of three days, all involving packages sent from Lithuania. Each package ignites a magnesium-based fire that would presumably down a plane if detonated mid-flight. The operation is ultimately judged to be a dry run for shipments to Canada and the United States, and once this intelligence is shared with the Americans, the Biden administration reaches out directly to the Kremlin, warning of a major escalation in the event of a trans-Atlantic detonation. Poland subsequently arrests four people connected to the plot, as well as a suspected agent in Alexander Bezrukavyi, who was extradited from Bosnia. Reporting from the Guardian suggests the possibility that some if not all of the people involved in the plot thought they were simply doing typical courier work.
  • Second Package Plot (May, 2025): Germany arrests three Ukrainian nationals, accusing them of plotting to detonate packages in transit after being recruited by Russian intelligence. The incident is notable because it suggests that the election of Donald Trump has not produced a lull in Russia’s gray warfare campaign.
  • Blohm+Voss Shipyards Sabotage (2025): A 37-year-old Romanian citizen and 54-year-old Greek citizen are arrested on suspicion of intentionally sabotaging German corvettes by dumping gravel into the engines. The incident took place at the Blohm Voss shipyards in Hamburg and is notable for several reasons. For one, it is a rare example of traditional sabotage in that, if undetected, these acts would have caused millions in damage and impacted the readiness of the German Navy. Two, it illustrates the security risks facing shipyards and other critical military facilities. Both men were sub-contractors, and it will be telling to learn what the motivations were, whether ideological or financial. And three, the multi-level policing coordination on display was impressive, involving cooperation between the German, Greek, and Romanian authorities across different jurisdictions.

Europe Drone Incursions

Modus Operandi: State operators or enlisted third parties operate drones in the vicinity of strategic sites, including energy infrastructure, defense industrial nodes, military bases, and airports.

Upside: There are hard benefits to be gleaned from the incursions. Drones allow for insights into the day-to-day workings of military and critical infrastructure. But perhaps more importantly, the incursions help delineate what is possible in a rapidly evolving strategic landscape: which drone platforms are able to be detected and interdicted, and what the current state of readiness is at sensitive sites across Europe. Economic damage is also significant when a few hours of halted air traffic means hundreds of millions in lost revenue. There is also the soft benefit of threat amplification, with widespread drone sightings projecting a sense of ubiquitous menace that obscures conventional economic and military power asymmetries.

Downside: Once discovered, drone flights trigger a process of defensive consolidation that either nullifies future incursions or makes them far riskier. This is evident in the sum effect of the incidents outlined below, which has been to underscore the importance of drone defense in the EU’s push for strategic autonomy.

Notable Incidents

  • RAF Lakenheath, RAF Mildenhall, and RAF Feltwell (November 2024): Drones are detected over the course of three days across several RAF airbases. Uncertainty continues to surround this incident, but it’s hardly exceptional: a recent government report found 250 drone incidents across UK sites in 2025, double the 2024 number.
  • Volkel & Kleine-Brogel Airbases (November 3, 2025): Drones are sighted over the Dutch and Belgian airbases for three consecutive nights in what the Belgian defense minister described as “a clear mission targeting [the base].”
  • Poland Mass Drone Incursion (September 9-10, 2025): Nineteen drones are detected violating Polish airspace on its eastern border. Poland interdicts the drones and invokes NATO’s Article 4. Russia denies any involvement.
  • European Airport Wave (September-October, 2025): Drone overflights cause disruptions in Copenhagen, Munich, Aalborg (northern Denmark), Esbjerg (western Denmark), and Sonderborg (southeastern Denmark). Denmark’s deputy prime minister attributes the incursions to a ‘professional actor.’
  • Île Longue Submarine Base (December 4, 2025): Five unidentified drones are detected flying over a nuclear submarine base in northwest France. The French government does not attribute blame to any party in the incident.