An in-depth probe into Russian sabotage, espionage, cyberattacks, and disinformation on EU soil since 2022—the hybrid warfare campaign targeting Poland, Germany, Czechia, the Baltics, and the UK.
In Depth Reports, Mary Anderson, Alf Chart, Nick Quart, Sara Lindholm ,Tomasz Nel , Marta Costa
In the dead of night on April 27, 2024, flames erupted at the Diehl Defence munitions facility in southern Germany, lighting up the sky above Bavaria with an eerie glow. Just a few weeks later, a massive fire tore through a crowded shopping center in the heart of Warsaw, sending plumes of black smoke over the Polish capital. At first, both incidents were treated as unfortunate but unrelated accidents—an industrial malfunction here, perhaps negligence there. But as investigators dug deeper, a darker thread began to emerge.
European intelligence officials soon identified disturbing similarities: the use of accelerants, evidence of premeditated intrusion, digital footprints leading to foreign servers, and—most tellingly—ties to known Russian operatives. What once appeared coincidental now looked alarmingly coordinated.
Since Russia launched its full-scale invasion of Ukraine in February 2022, Europe has not only supported Kyiv with weapons and aid—it has also become an increasingly direct target of the Kremlin’s wrath. But this is not a conventional military confrontation. Instead, it is a shadow war: a sprawling, multi-front campaign conducted without declarations, fought not with uniformed soldiers but with saboteurs, cyberhackers, fake journalists, and online recruits. This war does not follow the Geneva Conventions—it thrives on ambiguity, deniability, and disorientation.
From Berlin to Bucharest, from Tallinn to London, a pattern has crystallized. Trains delayed by cyberattacks. Military supply depots mysteriously damaged. Deepfake videos attempting to undermine public trust. Pro-Russian protests organized via encrypted messaging apps. Thousands of social media accounts parroting Kremlin propaganda under the guise of grassroots outrage. This is hybrid warfare in its most evolved form—a strategy aimed not just at disrupting logistics, but at eroding morale, sowing division, and shaking the democratic pillars that bind Europe together.
“What we’re witnessing is a full-spectrum destabilization campaign,” says a senior EU security official who requested anonymity. “It’s psychological, informational, physical—and it’s targeting our societies from within.”
These hybrid operations are not random acts of violence or opportunistic propaganda. They are calculated, coordinated, and calibrated to test Europe’s defenses—both physical and psychological. The overarching objective is clear: undermine Western unity, weaken NATO, exhaust support for Ukraine, and ultimately redraw the political map of Europe without firing a single shot on official borders.
This investigation follows the smoke trails from sabotage sites, decodes the algorithms behind disinformation networks, and pieces together the puzzle of a new kind of warfare—one where the frontlines are hidden, and the weapons are sometimes words, sometimes wires, sometimes fire.
The Rise of a Shadow Conflict
What was once the domain of spies and Cold War intrigue has become a central axis in modern European security: covert sabotage executed by civilians acting as proxies, coordinated from afar by a hostile power. The Kremlin’s war on Ukraine has spilled far beyond the trenches of Bakhmut and the skies over Kharkiv—its reach now extending into European cities through laptops, drones, and coded messages.
In a confidential 2024 briefing, the European Union Agency for Cybersecurity (ENISA) characterized the unfolding events as a “sustained hybrid assault” on European infrastructure. The report cited alarming patterns of attacks targeting military depots, energy grids, and public transit systems. Between January and June 2024, over 30 attempted acts of sabotage were reported across five EU countries—most of them prevented in the final hours due to intelligence cooperation.
Among the most chilling examples were two foiled plots in Germany in May 2024, where individuals attempted to infiltrate military logistics hubs supplying arms to Ukraine. German counterintelligence later revealed the operatives were recruited online through fringe Telegram channels, paid in Monero (a hard-to-trace cryptocurrency), and received GPS data for their targets via burner phones.
“These people are disposable,” said a senior German federal prosecutor familiar with the investigation. “They are online recruits for a campaign of sabotage in Europe. Many don’t even know who they’re working for. They think it’s just a job—or an act of protest. It’s much more than that.”
Court documents obtained by InDepthReports show these actors are often young, unemployed men or ideological sympathizers groomed over time in encrypted forums. Some are lured by money, others by the illusion of fighting Western imperialism. A small number are directly managed by Russian handlers; most are used as layers of plausible deniability.
In early 2025, a report by the UK Ministry of Defence provided further confirmation: Russia’s GRU (Main Intelligence Directorate) was orchestrating these acts through cut-outs and low-level proxies across Europe. British intelligence responded by expelling at least 14 suspected Russian spies, many of whom were operating under diplomatic cover in London, Edinburgh, and Brussels.
Security officials in Poland and the Czech Republic confirmed similar trends: attempted sabotage of railway control systems, drone surveillance of ammunition depots, and even attempted recruitment of maintenance workers inside power stations.
This is not espionage in the traditional sense. It is systemic, kinetic, and deeply asymmetrical. And it is growing bolder.
Disinformation with a Digital Mask
As arsonists target depots and hackers breach logistics chains, a parallel offensive wages war on truth itself. The Kremlin’s hybrid strategy relies not just on physical destruction—but on narrative control. That battle is being fought on screens, in inboxes, and across social feeds.
Dubbed the “Doppelgänger” campaign, a massive disinformation effort emerged in mid-2023, first exposed by EU digital watchdogs. The operation employed sophisticated spoofing techniques to clone trusted media outlets, including The Washington Post, Le Monde, Die Welt, and Der Spiegel. These fake websites carried manipulated stories—some simply altered headlines, others entirely fabricated articles—designed to sow confusion, undermine public trust in Ukraine, and portray NATO as an aggressor.
Visitors to these websites often couldn’t tell the difference at first glance: identical logos, typography, and even embedded bylines that redirected to real journalists. But the content was poisoned.
A comprehensive 2024 study by the European Centre for Digital Media Integrity tracked more than 150 of these cloned domains, most hosted on Russian or Belarusian servers, routed through proxy registrars in Seychelles, Kazakhstan, and even Iceland. The campaign expanded beyond websites to include deepfake videos of Western leaders, manipulated protest footage, and fake NATO documents claiming Western plans to occupy parts of Ukraine or Moldova.
Social media—especially Facebook, Telegram, and X (formerly Twitter)—acted as force multipliers. Despite promises of better moderation, the platforms struggled to contain the surge. Posts linking to fake news often remained active for hours or days, long enough to generate thousands of shares and millions of impressions.
“Disinformation is cheaper than missiles but just as destructive to democracies,” said Kateryna Holub, a Ukrainian digital analyst who collaborates with the EU Disinfo Lab. “You don’t need tanks to break a society’s resolve you just need doubt.”
In Poland, a fake news campaign falsely claimed that Ukrainian refugees were receiving more government support than Polish citizens—fueling anti-refugee protests in early 2024. In Slovakia, a forged story alleging that NATO was storing nuclear weapons in civilian hospitals sparked a parliamentary crisis. None of it was real—but much of it was believed.
These stories don’t aim to win arguments. They aim to paralyze public debate, erode institutional credibility, and fracture consensus on supporting Ukraine. By the time the lies are debunked, the damage is done.
Railways, Airports, and Chaos: The Cyber Frontline
Behind the veil of traditional conflict lies another battlefield—a digital front where critical infrastructure is under near-constant siege. In this new war, malware replaces missiles, and logistics become the prime targets.
Since early 2023, cyberattacks have paralyzed rail networks in Poland, disrupted air traffic databases in Germany, and disabled signaling systems in Lithuania, temporarily halting troop and equipment movements essential to NATO operations in Eastern Europe. One attack in particular, executed in late 2023, caused a major logistical failure within the German Bundeswehr. For 48 hours, critical military transport units carrying tanks and fuel to Ukraine were immobilized.
A technical report published on arXiv, the scientific preprint repository, conducted forensic analysis of the attack vectors. It revealed that the malicious code used bore distinctive digital signatures associated with “Sandworm”—a notorious GRU cyber unit responsible for blackouts in Ukraine (2015), the NotPetya ransomware outbreak (2017), and other high-profile operations across the West. The malware, dubbed RailHammer, used obfuscated SSH backdoors and was deployed via a supply-chain compromise targeting third-party IT contractors working with national railway agencies.
A senior NATO cyber defense official, speaking under condition of anonymity, offered this stark assessment:
“We’re seeing clear GRU fingerprints. The goal is not just disruption—it’s fear, fatigue, and fragmentation. These are precision strikes aimed at the arteries of Europe’s military and civilian mobility.”
Unlike traditional military sabotage, cyberattacks leave no smoking ruins. But their psychological and economic toll can be immense—paralyzing commerce, delaying aid, and sowing mistrust in public institutions. And they’re nearly impossible to attribute with legal certainty, giving Moscow further cover for plausible deniability.
Proxy Wars on Home Soil: When Civilians Become Weapons
The hybrid war doesn’t stop at cables and code—it reaches into European neighborhoods, classrooms, and job markets, converting ordinary people into unwitting participants in a vast, covert campaign.
European democracies, by their very nature—open, pluralistic, and digitally connected—have become vulnerable terrain for low-cost, high-impact operations. Intelligence agencies across the continent are increasingly alarmed by how quickly the Kremlin has adapted its tactics to exploit these conditions.
In Czechia and Slovakia, joint counterintelligence operations revealed that dozens of young men—mostly unemployed or socially alienated—had been recruited via online gaming platforms and encrypted Telegram channels. They were offered payments in cryptocurrency to photograph weapons shipments, report train schedules, or tamper with electrical boxes near military storage sites. In some cases, the recruits didn’t know the end use of their actions.
In a striking 2024 case, Polish authorities arrested two nationals who were caught attempting to plant GPS trackers on NATO fuel trucks. Surveillance footage revealed they had received detailed instructions via an anonymized email account hosted on the dark web.
The Polish Internal Security Agency (ABW) later confirmed that the pair had been recruited through a job advertisement disguised as a logistics “monitoring” role—an example of covert militarization of civilian labor.
“This is warfare outsourced to civilians,” said a senior Czech intelligence official. “The Kremlin understands it can wage war without uniformed troops—just disposable actors, disinformation, and cash transfers.”
The cost of such operations is minimal. Their political and psychological impact, however, is profound.
Fracturing the West: From Unity to Anxiety
At its core, Russia’s shadow war is psychological. It is not simply about destroying supply chains or corrupting information—it is about planting a seed of doubt and dread. The ultimate objective is to convince Europeans that no place is safe, and no institution is truly secure.
This strategy was laid bare in a leaked internal memo from Russia’s Security Council, obtained by GIJN partners. The document, circulated among Kremlin advisors in early 2024, outlined a plan to “extend the conflict horizontally”—to bring the war into the daily consciousness of ordinary Europeans through sabotage, information overload, and civil unrest.
From staged refugee clashes in Hungary to false-flag cyberattacks in the Netherlands, the signs are clear: the war is being waged as much in perception as in policy.
“This is not just about Ukraine,” explains Dr. Elena Davos, a security analyst at King’s College London.
“It’s about turning European unity into European anxiety. If the public feels unsafe, exhausted, and distrustful, it becomes harder to maintain political resolve—whether that’s supporting Ukraine or sanctioning Russia.”
That strategy appears to be working in parts of Europe. By mid-2025, pro-Russian narratives had gained traction in far-right and far-left political circles in France, Germany, and Italy. Anti-refugee sentiment surged. Calls to halt arms deliveries to Kyiv were growing louder in parliamentary debates across several EU member states.
The goal is not victory on the battlefield—it’s division at the ballot box, distrust in democratic institutions, and ultimately, a geopolitical rebalancing of Europe on Moscow’s terms.
A New Kind of War Requires a New Kind of Response
Europe today stands at a pivotal crossroads. The nature of modern conflict has shifted from visible battlefields to invisible ones—where the weapons are no longer tanks and artillery, but malware, manipulated minds, and manufactured chaos. The hybrid war launched by the Kremlin is already well within Europe’s borders. It infiltrates its institutions, exploits its freedoms, and aims to shake the very foundations of democratic cohesion.
While Ukraine holds the kinetic front line with courage and sacrifice, European nations face a parallel war—one fought in shadows, behind screens, in courtrooms, and on the streets of their own cities. Saboteurs posing as delivery drivers, operatives recruited through encrypted apps, cloned news outlets designed to erode public trust—this is the new face of 21st-century warfare.
What makes this form of aggression especially dangerous is its ambiguity. There are no formal declarations, no uniformed armies, and no clear moments of escalation. This ambiguity serves Russia well, allowing it to test the limits of Western resolve while avoiding direct military confrontation. It also blurs the line between peace and war, leaving societies in a constant state of low-grade anxiety and confusion.
Without urgent, coordinated action, the costs could be severe. A lack of transparency allows disinformation to flourish. A lack of digital resilience leaves critical infrastructure vulnerable. And a failure of cross-border cooperation gives these covert networks space to thrive. The very tools that define open, democratic societies—freedom of expression, movement, and association—are being turned against them.
Europe must therefore reimagine its defensive posture. Intelligence sharing must be faster and more integrated. Civilian institutions must be hardened against manipulation. Public awareness must be raised—not with fear, but with facts. And above all, democracies must not allow authoritarian regimes to set the rules of this conflict.
This hybrid war may not make daily headlines like conventional battles, but it is no less consequential. It is the frontline we didn’t expect—but one we can no longer afford to ignore. Because if Europe fails to defend itself in the shadows, the darkness will only grow bolder.