Criminality as a Strategic Weapon: How State Actors Exploit Europe's Underworld

In Estonia, a minister's car was vandalised by a 21-year-old with debts. He thought he was performing a simple paid job. Only later did it emerge that the assignment traced back through five intermediaries to a Russian military intelligence service.¹ This incident is not isolated. European security services increasingly observe criminals being deployed for sabotage, intimidation and preparatory operations.

State actors exploit the underworld because it provides something intelligence services cannot always offer themselves: access to locations, logistical capacity and a link that denies all involvement. This hybrid approach is being applied by multiple countries and is developing into a structural instrument within geopolitical competition.

For organisations in the Netherlands, this means criminality is no longer separate from international security dynamics. Those who fail to recognise the connection between both domains miss crucial signals of state influence.

Hybrid threats emerge precisely at the intersections where traditional categories meet: criminality, economy, technology and geopolitics. This relates to matters such as sabotage of critical infrastructure, unusual data collection, infiltration of logistical chains and building access points within strategic sectors.²

Criminality is ideal for state actors because it operates outside the direct view of security structures. Intelligence services can outsource assignments through intermediaries without direct traceability. Some executors do not even realise they are part of larger geopolitical operations. International analyses show that a significant proportion of involved executors have a criminal background, further lowering the recruitment threshold.³

The strategic shift is clear: in the grey zone, recognisable military means are replaced by fluid, informal actors. The adversary seeks disruption without escalation. Europe is therefore being tested not only on military resilience, but on the robustness of its own societal and economic ecosystems. Organisations that continue to view criminality as an autonomous phenomenon miss the larger pattern.

The MIVD signals increasing foreign interest in Dutch and North Sea energy infrastructure.⁴ This fits the broader pattern in which state actors exploit criminality to map vulnerabilities or gain access to strategically important locations.

For Dutch organisations, this threat manifests at three levels:

Tactical: criminals can provide physical access through maintenance crews, temporary contractors or logistical operators. These access points appear legitimate but in practice form the misused starting point of preparatory operations.

Chain-level: complex supply chains with many subcontractors create an unclear picture that is more difficult to control. Opaque ownership structures with intermediary parties offer routes that only become visible once they are exploited.

Personnel: employees with external pressure, dual loyalties or dependency relationships can – consciously or unconsciously – provide information, access or materials to actors with malicious intent.

In this way, criminality is deployed as a channel for foreign influence, requiring risk models that assess geopolitical and criminal patterns in conjunction.

Resilience begins with a threat assessment that does not isolate criminality but links it to state interests. Organisations that broaden their threat analysis recognise more quickly which seemingly local incidents are part of broader patterns. This requires combining operational security observations with geopolitical context, and identifying functions, locations and links in the chain that could be valuable to state actors.

Continuous monitoring is essential to recognise signals that fall outside classical risk models. Unusual interest from unknown parties, deviating logistical movements or activities classified as 'ordinary' criminality may be indications of preparatory steps. In this domain, it helps when intelligence updates are linked to operational observations, so deviations are identified more quickly.

Beyond threat analysis and monitoring, Proximities offers a 'Security by Design' framework for new projects and infrastructure to reduce structural vulnerabilities. By assuming threats from both inside and outside, access paths become smaller and misuse becomes more difficult. Threat analyses, monitoring and design principles reinforce each other when integrated into a larger whole.

The intertwining of criminality and geopolitical strategy changes how organisations must view security. It is no longer about separate domains, but about one hybrid reality in which societal openness also creates vulnerabilities. Organisations that align their threat assessment, monitoring and design principles with this dynamic build an advantage in an environment where disruption becomes more subtle and attribution increasingly difficult. Resilience emerges through systematic approach, not through reaction to incidents.

Sources

¹ GLOBSEC en ICCT, ‘Russia’s Crime-Terror Nexus: Criminality as a Tool of Hybrid Warfare’, 30 september 2025.

² Proximities, productdocumentatie hybride oorlogsvoering.

³ GLOBSEC dataset, perpetrator analysis, 30 september 2025.

⁴ MIVD Jaarverslag 2024, Kamerbrief Weerbaarheid Hybride en Militaire Dreigingen, 6 december 2024.