


RUSI’s new long read argues that the connective tissue is not the technique or the target, but the transaction. Financing, it says, is both the facilitator of this strand of sabotage and one of the few practical levers for disrupting it.
The paper, published on 14 January 2026, concentrates on low-level attacks against predominantly civilian “soft” infrastructure, executed by civilians recruited online and paid per task. It draws on an expert workshop held in Warsaw in November 2025, earlier discussions in Brussels, open-source reporting and interviews with blockchain analytics providers.
The timing matters. The Center for Strategic and International Studies (CSIS) has recorded a steep rise in Russia-linked acts of arson or serious sabotage in Europe since 2022: two incidents in 2022, 12 in 2023 and 34 in 2024. The EU’s 2025 internal security strategy states that sabotage targeting critical infrastructure increased “particularly in 2024”, and places it within wider “hybrid campaigns” that include arson, cyberattacks and manipulation of information. The UK’s National Security Strategy 2025 similarly refers to Russia’s “sub-threshold” activity, explicitly including sabotage.
RUSI’s contribution is to treat finance not as a technical detail but as the organising principle of this newer model. The report’s core claim is straightforward: if sabotage is commissioned as casual labour, then payment systems become both an enabling infrastructure and an investigative map.
The report distinguishes between intensive operations (such as damage to undersea cables) and a barrage of lower-grade actions that test response times, expose vulnerabilities and impose costs on states supporting Ukraine. The individual acts can be cheap. The cumulative effect lies in forcing governments and firms to spend more on protection and change routine procedures, and in increasing political friction around migration and support for Kyiv.
Investigations and prosecutions across Europe underline the point. Poland’s government has attributed the May 2024 fire that destroyed much of the Marywilska 44 shopping complex in Warsaw to Russian services, after a year-long investigation. Lithuania and Poland have both brought cases linking arson to Russian direction, including the conviction of Ukrainian nationals for participation in cross-border sabotage activity.
In the logistics chain, prosecutors in Poland said in January 2026 that five men had been charged in a Russian-directed plot involving explosive parcels, with detonations at courier depots in Britain, Germany and Poland in 2024. Earlier Reuters reporting described Lithuanian officials framing the 2024 depot explosions as a test run for attacks on cargo flights to North America.
Russia has repeatedly rejected allegations of running a sabotage campaign in Europe; in France, for example, the Russian embassy denied involvement in the June 2024 “coffins at the Eiffel Tower” incident after arrests and public scrutiny.
RUSI describes a move away from Cold War-era reliance on trained operatives towards remote, freelance tasking: a “gig-economy era” in which handlers recruit through encrypted messaging services and other online platforms, offer menus of tasks, and pay per job.
The mechanics are consistent with what security reporting has described elsewhere: platforms used for recruitment and coordination include Telegram and other services; targets can include young people and economically vulnerable individuals; and tasks can range from vandalism to reconnaissance and arson.
A key feature is disposability. RUSI notes that promised payments are sometimes withheld, and that the operating model expects high turnover. The individual is treated as expendable; the organiser preserves deniability through layers of intermediaries and compartmentalised communications.
This approach also exploits attribution dilemmas. The paper argues that if incidents are framed purely as the acts of individual Ukrainians or other foreign nationals, the political effect can be redirected towards social tension and anti-migrant sentiment, which is itself a potential objective of sabotage.
RUSI’s central point is that cryptocurrency is not used because it is inherently invisible. It is used because it is accessible, cross-border, and easily paired with informal cash-out mechanisms that can bypass customer checks.
The report describes payment chains that are often simple and low-value, using mainstream assets such as Bitcoin and USDT. In the cases discussed, sophisticated obfuscation tools are not always necessary because anonymity can be achieved through informal intermediaries and cash conversion rather than technical concealment.
The critical node, in RUSI’s account, is the conversion layer: the point at which crypto becomes cash. Over-the-counter cash desks and other no- or low-verification services offer fast conversion with minimal scrutiny and are sometimes advertised openly on mainstream platforms. This is where financing becomes operationally actionable: it is a place where enforcement, licensing, supervision and targeted disruption can impose friction quickly.
RUSI also notes that cash and conventional channels continue to matter. Some payments route through ordinary bank accounts held by intermediaries; others involve couriering cash or paying in kind. In Lithuania, for example, reporting around the IKEA arson case described an agreed reward including money and a BMW, with the eventual sentence imposed by a Lithuanian court.
What looks like a miscellany of incidents begins to form a recognisable pattern once financing and commissioning are treated as the common denominator.
Arson against civilian infrastructure. The Marywilska 44 fire in Warsaw became a reference point because of its scale and the political response. Prime Minister Donald Tusk said the blaze was ordered from Russia; Poland later moved to close a Russian consulate in Kraków, citing the investigation.
Parcel devices and logistics disruption. The January 2026 charges in Poland relate to devices concealed in consumer items and routed through courier systems, with depot detonations in 2024. Reuters has previously reported Lithuanian officials describing the events as a test run for attacks aimed at cargo flights. The key point, from an operational perspective, is not only physical damage but the security drag: tightened protocols, higher costs, and altered procedures across the freight system.
Reconnaissance and vulnerability testing. RUSI includes preparatory activity within its definition of sabotage when it supports hostile intent: photographing infrastructure, mapping routes, couriering materials, and installing devices. This matters for finance because small payments for “minor” tasks can be an early warning of a developing network.
Symbolic acts that are designed for amplification. Vandalism can be coupled with pre-planned social media narratives and bot-driven dissemination. French and other European reporting has described how images of Stars of David graffiti in Paris were rapidly pushed online, with suspicions of external interference. Le Monde also reported on links between the “coffins at the Eiffel Tower” incident and other acts of destabilisation, pointing to a pattern in which physical acts are documented and then circulated.
The point is not that each incident is strategically decisive. It is that a series of low-cost actions can be used to probe state capacity, strain policing, and shape local narratives, while keeping organisers distant from the scene.
RUSI’s diagnosis is that the obstacle is not a complete absence of instruments, but a mismatch between the threat model and the operating model of European institutions.
Definitions and thresholds. The report notes that there is no single EU legal definition that cleanly captures both direct and symbolic sabotage, which complicates the classification of incidents and the selection of tools. The EU internal security strategy addresses sabotage as part of hybrid campaigns, but legal treatment still varies by jurisdiction and by incident type.
Attribution and proportionality. When organisers sit behind layers of intermediaries, the visible perpetrator may face charges for arson or vandalism alone. RUSI argues this can produce penalties that do not reflect the strategic intent or escalation risk, and therefore deliver limited deterrence.
Speed. Money can move across borders in minutes. Legal requests, information sharing and judicial processes often do not. RUSI describes a persistent “speed gap” between financial flows and the mobilisation of cross-border investigative tools.
Information silos. Private firms may see transaction patterns; law enforcement may hold operational intelligence; intelligence agencies may hold attribution-sensitive material. If these are not combined early, financial intelligence arrives late, after arrests, when its preventative value is reduced.
RUSI treats platform governance as part of the financing ecosystem because recruitment, tasking and coordination can all occur on the same services used to move money and to publicise outcomes.
Under the EU Digital Services Act, platforms designated as “very large online platforms” face enhanced obligations; the Commission’s threshold is 45 million average monthly active recipients in the EU. Telegram has appointed a legal representative in Belgium for DSA purposes, placing it under Belgian supervision for the rules that apply to its services.
RUSI’s concern is practical: if a platform is central to recruitment and coordination, delays or limitations in data cooperation become operational constraints. The report argues for meaningful, timely cooperation on metadata and related indicators, within lawful frameworks, to assist investigations into recruitment channels and linked financial activity.
RUSI’s recommendations are framed as a multi-agency shift from reactive disruption to systemic pressure on enabling infrastructure. The underlying logic is that the financing of low-level sabotage depends on repeatable services: brokers, cash-out desks, non-compliant exchanges, and facilitators who can be replaced but not removed from the business model.
Three developments in the EU framework are relevant here.
First, the EU’s internal security strategy explicitly calls for stronger cooperation between law enforcement, security services, private operators and other authorities to anticipate and respond to sabotage against critical infrastructure.
Second, the Europol Financial Intelligence Public Private Partnership (EFIPPP) provides an established structure for cross-border public–private information exchange on financial crime and terrorist financing typologies, with Europol publishing practical guidance on operational cooperation.
Third, the EU’s Anti-Money Laundering Regulation (Regulation (EU) 2024/1624) contains an Article 75 framework enabling “partnerships for information sharing”, setting conditions for controlled sharing of customer and transaction information and associated safeguards.
RUSI’s argument is that these mechanisms are underused against sabotage because sabotage is still too often treated as isolated crime rather than a hybrid security problem with a financing backbone.
The most immediate pressure point, on the report’s account, is the cash-to-crypto interface. If cash desks and small exchanges operate without effective customer due diligence, they provide the practical anonymity that taskers rely on. A second pressure point is early integration of financial intelligence into sabotage investigations, so that repeat wallets, brokers and facilitators can be identified before a network disperses or evolves.
RUSI’s paper repeatedly returns to a basic tension. The acts are often low-level. The intent, as described by investigators and strategy documents, is linked to state competition and coercion. If policy treats these incidents solely as crime, organisers can retain strategic advantage through deniability and churn. If policy treats them solely as intelligence problems, it can neglect the practical toolset of financial regulation and compliance.
The financial lens does not solve attribution. It does, however, offer a route to disruption that does not rely on public proof of direct command. Tracing payment patterns, identifying repeat conversion services, and tightening compliance at cash-out hubs can impose cost and delay on the commissioning model even when organisers remain at a distance.
That is the report’s central proposition: the sabotage problem is not only about guarding infrastructure. It is also about constraining the market that pays people to attack it.