Russian Hybrid Operations in Europe
146 documented incidents across 30+ countries since February 2022: sabotage, arson, assassination plots, and influence operations targeting critical infrastructure and political systems.
Escalation Pattern
The Russian Operations Against Europe Dataset documents a 5.3x increase in hybrid warfare incidents between 2022 and 2024. The pattern suggests systematic escalation rather than opportunistic disruption: 13 incidents in the first year following Russia's invasion of Ukraine rose to 69 documented operations in 2024.
40 incidents have already been documented in the first twelve days of January 2025. If the current pace continues, 2025 would surpass 2024 significantly. However, this projection carries uncertainty: the dataset's author notes that attribution for recent incidents may be revised as investigations progress.
Operation Categories
The dataset categorizes operations by type. Influence operations represent the largest single category (43 incidents), encompassing disinformation campaigns, manipulation of social media platforms, and orchestrated protests. Physical operations, including sabotage, arson, and reconnaissance, collectively account for 57 documented incidents.
| Category | Count | Share |
|---|---|---|
| Influence Operations | 43 | 28% |
| Reconnaissance | 17 | 11% |
| Sabotage (incl. preparation/attempt) | 30 | 20% |
| Arson | 14 | 9% |
| Vandalism | 12 | 8% |
| Disruption | 12 | 8% |
| Terrorism | 6 | 4% |
| Weaponized Immigration | 5 | 3% |
| Assassination (incl. plots/attempts) | 3 | 2% |
Critical Infrastructure Targeting
Energy and communications infrastructure accounts for 13 documented incidents. The Baltic Sea region has emerged as a focal point, with multiple incidents targeting undersea cables and energy pipelines.
Target analysis from the dataset indicates systematic focus on specific infrastructure categories. Public spaces (shopping centers, memorials, schools) represent the largest target category at 39 incidents, consistent with influence and vandalism operations designed for visibility. Military and weapons production facilities account for 17 documented attacks.
| Target Type | Incidents |
|---|---|
| Public Spaces | 39 |
| Internet/Social Media/News | 19 |
| Military/Weapons Infrastructure | 17 |
| Energy/Communications Infrastructure | 13 |
| Civil Aviation | 13 |
| Politicians/Officials | 11 |
Geographic Distribution
Germany appears in the highest number of incident records, followed by Poland and the Baltic states. The concentration in northeastern Europe correlates with proximity to Russian territory and the presence of Russian-speaking diaspora populations. Western European nations, including the UK, France, and Spain, have documented incidents primarily in the influence operations and reconnaissance categories.
The Baltic Sea region warrants particular attention. Multiple undersea cable incidents have been documented since late 2023, with investigations ongoing. Per the dataset methodology, attribution confidence varies: some incidents are linked to Russia by official government statements, while others fit patterns of similar operations but lack definitive public attribution.
Attribution Methodology
The dataset methodology notes that incidents are included when they meet at least one of three criteria: (a) linked to Russia by authorities or politicians, (b) fit a pattern of similar attacks with official Russian attribution, or (c) supported by journalistic investigations with hard evidence of Russian links.
The dataset explicitly excludes most cyber operations unless they caused physical effects. Incidents with tenuous attribution have been omitted. This conservative approach suggests the 146 documented incidents represent a floor rather than a ceiling of actual hybrid warfare activity.
Additional data referenced by the IISS analysis includes ACLED (Armed Conflict Location and Event Data Project) and cross-referenced reporting from multiple European intelligence services.
Red Label Assessment
The pattern looks more like preparation than disruption.
The 146 documented incidents suggest Russia is testing European resilience rather than trying to cause serious damage. The timing, targets, and pace of escalation point to three priorities: mapping vulnerabilities, building networks of deniable operatives, and developing a playbook for larger operations if circumstances change.
What the data shows
Incidents jumped from 13 in 2022 to 69 in 2024. This increase did not follow any specific development in Ukraine. It followed Western sanctions reaching full effect and European governments committing to long-term Ukraine support. The tempo increase appears to reflect a deliberate decision to raise costs for European governments, likely approved at senior levels in Moscow.
Multiple 2024 arson and sabotage incidents involved locals paid through intermediaries, often criminal networks. This approach is familiar, but the scale is new. Russia appears to be building a distributed network of low-level operatives across Europe that can be activated, expanded, or shut down as needed. These incidents will be harder to attribute, easier to deny, and cheaper to execute. European counterintelligence agencies are resourced to track state actors, not hundreds of recruited criminals.
Undersea cables and energy pipelines have limited redundancy. The incidents so far have caused inconvenience rather than serious damage, but they have generated valuable intelligence for Russia: repair timelines, response protocols, media coverage patterns, and political reactions. Moscow now has a clearer picture of how Europe would respond to a major infrastructure attack. That information becomes more valuable if the war in Ukraine escalates or Western support increases.
What most coverage misses
Most analysis focuses on the incidents themselves. The more important question is what has not happened. Despite 146 documented operations, there has been no mass-casualty attack, no sustained infrastructure outage, and no incident that forced a major European policy change. The restraint is informative.
Russia is keeping the campaign below the threshold that would trigger a unified European response or invoke NATO Article 5 collective defense provisions. The operations are costly and annoying, but not existential. The purpose appears to be coercive rather than destructive: raise the cost of supporting Ukraine, create domestic political pressure in European capitals, and demonstrate capability without triggering serious consequences.
The risk is that this changes. The dataset shows clear escalation over three years. If the current approach fails to achieve Russian objectives, or if the war in Ukraine reaches a critical point, the operations being tested now could be executed at much higher intensity. Russia has mapped the infrastructure, built the networks, and tested the methods.
The policy question
European governments are treating this as a counterintelligence problem. It may require a deterrence response. The current approach, investigating incidents after they occur and occasionally expelling diplomats, has not slowed the pace of operations. The 5.3x escalation happened despite increased Western vigilance. At some point, European capitals may need to decide whether to impose costs that Russia actually feels, or accept that this level of activity is the new baseline.
For private sector actors, the practical implication is straightforward: the risk environment in Europe has changed. Russia has built persistent capabilities for disruption across the continent. Those capabilities will remain whether or not there is a peace deal in Ukraine, and they represent a new baseline for operational risk in European markets.
Client Implications
For our clients conducting due diligence, M&A transactions, or portfolio risk assessment in European markets, this data has direct operational relevance:
- Portfolio exposure: Companies with critical infrastructure dependencies in Germany, Poland, or the Baltics face elevated operational risk.
- Defense/aerospace holdings: The 19 incidents targeting military and weapons infrastructure indicate heightened threat to this sector.
- Logistics assets: Baltic Sea shipping routes and undersea cable-dependent operations warrant scenario planning for disruption.
- Supply chain: European manufacturing with single-source dependencies on Baltic logistics or northeastern European suppliers should map alternatives.
- Executive travel: Incidents targeting government officials and politicians suggest elevated risk for high-profile business leaders in affected regions.
- Cyber-physical convergence: 19 incidents targeted internet/social media, often as precursors or complements to physical operations.
- Real estate: Properties in high-incident-density areas (Berlin, Warsaw, Baltic capitals) may face insurance reassessment or regulatory scrutiny.
- Asset protection: The 3 documented assassination plots, while low in number, indicate willingness to target individuals. UHNW families with Eastern European business ties warrant enhanced security protocols.
- M&A due diligence: Target companies in affected sectors require expanded risk assessment beyond standard commercial DD.
- Sanctions exposure: The proxy recruitment pattern means counterparty risk extends beyond obvious Russian-linked entities.
- Litigation risk: Companies suffering operational disruption from hybrid warfare may face shareholder or insurance claims regarding preparedness.
When assessing European assets or counterparties, consider:
- What is the target's dependency on Baltic Sea logistics or undersea cable infrastructure?
- Does the company have single points of failure in high-incident-density countries?
- What business continuity plans exist for sustained infrastructure disruption?
- Has the company or its executives been subject to influence operations or reconnaissance?
- What insurance coverage exists for hybrid warfare-related disruption?
Sources
| Source | Publication |
|---|---|
| Russian Operations Against Europe Dataset, 2022-2025 | January 2026 |
| IISS Analysis: Russian Hybrid Warfare Activity Across Europe | January 2026 |
| ACLED (Armed Conflict Location & Event Data Project) | Ongoing |