Key Points
- Russia has allegedly launched a coordinated sabotage campaign across Europe using proxies to carry out incendiary attacks, arson, vandalism, and disinformation. Key incidents include incendiary DHL parcels and an arson attack on an IKEA store in Lithuania.
- Incendiary devices disguised as consumer goods ignited in DHL hubs in the UK and Germany, posing a catastrophic threat to air cargo safety.
- The campaign leverages low-level operatives recruited online and paid in cryptocurrency, creating plausible deniability for the Kremlin.
- The sabotage presents a growing threat to European aviation, civilian infrastructure, and global supply chain integrity.
What:
A wave of sabotage incidents across Europe has been attributed to a Russian GRU-directed operation. The campaign employed criminal proxies and online recruits to conduct arson, parcel-borne incendiary attacks, and acts of vandalism intended to destabilise Western countries economically and psychologically. The most alarming plot involved sending disguised incendiary devices via DHL cargo flights, with the potential to cause in-flight disasters.
When:
The campaign’s key activities took place between May and October 2024. Arrests and prosecutions related to the campaign continued into early 2025.
Who:
Russia’s military intelligence agency (GRU) is believed to be coordinating the operation. Key figures, such as Alexander Bezrukavyi, arrested in November 2024, acted as facilitators, linking GRU handlers with criminal networks and online job seekers.
Where:
- United Kingdom (June 2024): A DHL parcel ignited in a Birmingham warehouse.
- Germany (July 2024): Another incendiary parcel caught fire at a DHL logistics hub in Leipzig.
- Lithuania (August 2024): An arson attack was carried out on an IKEA store in Vilnius; Lithuanian prosecutors confirmed GRU involvement.
- Poland (Summer 2024): Fires were reported at a paint factory and a shopping mall in Warsaw.
- France (August–September 2024): Operatives placed symbolic coffins beneath the Eiffel Tower and graffitied antisemitic slogans at Jewish sites.
- Estonia (September 2024): Vandalism targeted vehicles belonging to political and public figures in Tallinn.
How:
Devices were hidden in parcels containing consumer products such as massage pillows and sex toys. Operatives, often with criminal records or financial vulnerability, were recruited via encrypted messaging apps and Telegram channels, including one believed to be operated by a GRU handler using the alias “VWarrior.” Many participants were unaware of the strategic intent, incentivised only by cryptocurrency payments and temporary job offers.
Strategic Analysis
This sabotage campaign represents a clear evolution in Russia’s hybrid warfare doctrine. Rather than relying solely on overt cyberattacks or traditional espionage, the GRU deployed low-tech but high-impact disruptive tactics, focusing on plausible deniability. These operations aim to:
- Sow fear and confusion within European civil society.
- Undermine trust in public safety and government competence.
- Erode the West’s logistical and political resolve in supporting Ukraine.
- Test European aviation and border security protocols without escalating to overt confrontation.
This approach is consistent with the GRU’s operational profile post-2018, which includes poisoning attacks, undersea infrastructure disruptions, and influence campaigns in both Europe and Africa. The use of migrant populations, petty criminals, and Telegram channels provides an expendable and decentralized force—one difficult for security services to pre-empt or disrupt.
Evolution of Russian Intelligence Tradecraft
The sabotage campaign also reflects a significant shift in how Russian intelligence services conduct foreign operations. During the Cold War, Russia (then the Soviet Union) frequently deployed under-cover agents—intelligence officers who operated under diplomatic cover, such as working at embassies or consulates. These agents enjoyed diplomatic immunity and were relatively easy to recall or shield if exposed.
In contrast, deep-cover illegals operate without official protection or diplomatic cover. During the Cold War, these operatives embedded themselves in target countries using entirely fabricated identities (known as legends), with no traceable link to the Soviet Union. They were highly trained, fluent in local languages, and often spent years building their cover stories before engaging in espionage, intelligence collection, or recruitment.
In the post–Cold War period, however, a second generation of agents emerged. These operatives, exemplified by Anna Chapman, arrested in the United States in 2010, often used their real names, genuine Russian passports, and true nationalities while posing as ordinary civilians (e.g., students, entrepreneurs). This shift was made possible by the liberalisation of international travel, visa regimes, and the integration of Russian nationals into Western societies. Though they lacked diplomatic immunity, their real identities enabled smoother assimilation and more credible access to local networks for recruitment and intelligence gathering.
Today, however, Russia appears to have pivoted again—this time toward a low-cost, high-scale model of recruitment. Rather than deploying trained officers abroad, GRU handlers now use encrypted messaging platforms and Russian-language job boards to recruit operatives online. These individuals—often petty criminals, migrants, or people in economic hardship—are offered money (typically in cryptocurrency) to carry out sabotage, arson, or reconnaissance. In many cases, they do not know they are working for Russian intelligence.
This tactic provides Moscow with several advantages:
- It allows GRU officers to remain in Russia while extending operational reach across Europe.
- It offers plausible deniability, as operatives are not directly linked to the Russian state.
- It enables large-scale operations at low cost, exploiting the vulnerabilities of open Western societies.
However, this approach comes with trade-offs. These online recruits are not trained spies. They lack tradecraft, are more prone to operational errors, and are easier for Western intelligence and law enforcement agencies to detect, intercept, and prosecute. Indeed, several recent arrests across Poland, Lithuania, and Germany suggest that while the campaign is widespread, it is also brittle and vulnerable to disruption.
Implications for Security, Aviation, and Supply Chains
Aviation Security
- Elevated Risk to Cargo Aircraft: Magnesium-based incendiary devices disguised in consumer goods presented a major threat to aircraft safety. Aviation authorities have since increased scrutiny of outbound cargo, particularly from Eastern Europe.
- Operational Disruption: Carriers like DHL have implemented stricter parcel screening and sender verification. Authorities in the US and Canada now mandate more detailed documentation on consignors and consignees.
- Broader Civil Aviation Threat: Although no aircraft were brought down, the operation underscores how easily parcel systems can be exploited to target critical infrastructure.
Supply Chain Vulnerabilities
- Parcel Network Compromise: These incidents exposed significant gaps in Europe’s commercial logistics. Saboteurs exploited cross-border shipping and anonymised courier systems to distribute devices.
- Compliance Burdens: Forwarders and shippers now face new regulatory requirements, which could slow deliveries and increase operating costs. There’s particular concern for time-sensitive sectors, such as pharmaceuticals and food logistics.
- Resilience Testing: The operation may have been a test run for future hybrid campaigns aimed at paralyzing civilian infrastructure during crises.
National Security and Civilian Infrastructure
- Wider Target Spectrum: Civilian targets—shopping malls, logistics centres, public transport—are now firmly within the GRU’s hybrid warfare portfolio.
- Law Enforcement Overload: With attacks mimicking criminal or lone-wolf actions, law enforcement struggles to differentiate between coordinated acts of sabotage and ordinary crime.
Forecast and Recommendations
Outlook
The broader sabotage campaign is highly likely to continue into 2025 in some form, particularly as Russia seeks to destabilise European unity over Ukraine. However, after top officials in the Biden administration contacted their Russian counterparts to demand that President Putin halt the incendiary parcel operation, those particular activities appear to have stopped—for now. It remains unclear whether this is a permanent cessation or a tactical pause. A resumption of such attacks cannot be ruled out, especially if Moscow perceives renewed strategic benefit.
Recommendations
Aviation and Logistics:
- Strengthen anomaly detection in parcel processing systems using AI-assisted screening.
- Mandate sender/recipient verification in high-risk routes.
- Implement real-time tracking and geo-tagging of sensitive cargo shipments.
Law Enforcement and Intelligence:
- Enhance cooperation among European counter-sabotage task forces.
- Increase human intelligence (HUMINT) operations within diaspora communities and online recruitment channels.
- Publicise GRU tactics to deter recruits and reduce plausible deniability.
Public Awareness and Crisis Preparedness:
- Issue discreet guidance to parcel handling staff on identifying suspicious shipments.
- Develop quick-response protocols for civilian infrastructure threats.
- Encourage public-private information sharing across logistics and freight industries.
Diplomatic and Strategic Measures:
- Maintain transatlantic intelligence coordination to track GRU sabotage cells.
- Publicly expose confirmed operatives and tactics to impose reputational and legal costs on Russia.
- Use international forums to reinforce norms against attacks on civilian infrastructure.