Between February 2022, when Russia’s full-scale invasion of Ukraine began, and February 2026, European countries recorded at least 151 hybrid operations that researchers attribute to the Kremlin. This was stated in an updated report by the International Center for Counter-Terrorism and the GLOBSEC analytical project, published in late February 2026.
According to the analysis, the peak of activity occurred in 2024, with 64 incidents recorded. In the second half of 2025 and early 2026, another 12 similar attacks were recorded. The rate has not slowed; in fact, in some countries, it has significantly accelerated since the summer of 2025.
Poland saw the most incidents, with 31 cases. Next in line are:
France with 20 incidents (including five since mid-2025),
Lithuania and Germany with 15 each,
the United Kingdom with 12, and Estonia with 11.
The recorded actions included arson, explosions, sabotage of critical infrastructure, assassination attempts, kidnappings, vandalism, the use of drones to disrupt airport operations, damage to undersea cables, and other “gray zone” activities that do not escalate into open armed conflict but create ongoing tension.
Of the 172 identified perpetrators, 95% had no formal ties to Russian intelligence agencies. The most frequently targeted individuals were aged 30–35, including Ukrainian and Belarusian citizens residing in the EU. According to the report’s authors, only 26 individuals acted out of ideological motives; the rest were driven by money or blackmail.
Experts note that Russia is increasingly using criminal networks as a tool of hybrid warfare to destabilize Europe, undermine support for Ukraine, and sow distrust within NATO and the EU. In recent months, drone incidents over airports and attempts to sabotage energy facilities have become particularly frequent.
European intelligence agencies and politicians are increasingly calling what is happening a “shadow war” waged by the Kremlin on the continent. In response, EU and NATO countries are strengthening coordination, tightening control over critical infrastructure, and developing measures to counter such threats.
