Russian cyber proxies exist in a complex and crowded operational landscape, in which multiple actors often overlap. This messiness and seeming disorder are advantageous for Russia – increasing disruption, creating confusion about the identities of perpetrators, and complicating accountability mechanisms.
While this paper focuses on Russian cyber proxies in the context of the war in Ukraine, the broader problem is systemic: states now routinely deploy proxy actors across multiple domains and regions – cyber, sabotage, influence operations, paramilitary activities and informational warfare. In the case of Russia’s hybrid war against Europe, proxies constitute a central instrument of strategic competition and coercion. The use of non-state and semi-state actors enables Russia to sustain pressure, cause disruption and operate below the threshold of conventional war – while preserving plausible deniability. Russia uses many different tools – from disinformation campaigns to sabotage and cyberattacks – but the underlying logic of proxy use is the same: operators are shielded behind a façade of non-state status, complicating accountability and response.
Critically, we argue that while the specific measures appropriate for responding to each type of proxy activity (cyberwarfare, physical sabotage, information operations, etc.) may vary by context, the need for strategic coherence remains constant across domains. Recognizing proxy actors as a structural challenge to international security therefore demands not merely ad hoc or domain-specific responses, but also a holistic enforcement framework that coordinates tools for both disruption and cost imposition.
Approaches to defining cyber proxies
Any attempt to map Russia’s cyber proxy ecosystem must begin by recognizing that the term ‘cyber proxy’ has no universally accepted definition. Cyber proxies operate in a dispersed digital space, often across borders, and with deliberate obfuscation both by states and by non-state actors. This makes their relationships with sponsoring states more fluid and harder to observe, and makes it hard to establish accountability for malign cyber operations. Russia’s cyber proxy ecosystem, in particular, spans military intelligence units, criminal syndicates, front companies, patriotic hackers and loosely organized hacktivists. Many of these actors shift roles or identities over time. As a result, mapping cyber proxies and their networks is inherently challenging, and never a static exercise.
Despite these difficulties, understanding the cyber proxy ecosystem is critical. The purpose of mapping is not simply to list actors, but to understand patterns of alignment and how actors work together across a broad landscape, even if it is not possible to develop a full picture. Doing so helps clarify where Russia relies on state-directed units, where it exploits permissive environments, and where opportunistic actors generate effects that align (whether intentionally or incidentally) with Russian strategic interests. Mapping the cyber proxy ecosystem also highlights how attributional uncertainty, deniability and the diffusion of cyber capabilities create policy and legal challenges for states seeking to respond.
Existing literature offers several approaches to defining cyber proxies. Notable approaches include Andrew Mumford’s understanding of proxies as non-state actors leveraged by states to advance political or military objectives while maintaining plausible deniability; and Tim Maurer’s adaption of this concept to cyberspace, emphasizing a spectrum of state influence. By starting from a broad definition, ‘actor B acting for actor A’, Maurer formalizes the proxy relationship while leaving room for variations in autonomy and operational control. His conceptualization is integral to the analysis in this paper.
Since 2016, the cyber proxy phenomenon has grown substantially. In the mid-2010s, only a limited number of states – most prominently Russia, Iran and, to a lesser extent, China – had begun employing non-state actors to conduct cyber operations as a means of achieving political goals without assuming full responsibility for the consequences. A decade later, the landscape has changed significantly even beyond the Russian context. China’s cyber ecosystem, little more than an informal network of hacker collectives in the mid-1990s and 2000s, has evolved greatly in the intervening years to become a flourishing web of overlapping actors in which cyber proxies are core enablers of the state. As several participants at our November 2025 workshop emphasized, proxies are no longer marginal or exceptional actors. They are now deeply embedded in the normal operating environment of cyber conflict. Russia’s war against Ukraine has made this shift especially visible. Russia’s proxy actors operate as part of a broader ecosystem that blends cyber disruption, information operations and strategic signalling. Their role is not peripheral but central to how Russia conducts hostile activity below the threshold of armed attack.
Given these developments, and operational realities in cyberspace (including the difficulty of attribution, fluid group identities, and the alignment of non-state actors with state objectives), there is a need for flexible, empirically informed definitions on the part of organizations mapping these spaces.
Organizations that monitor and provide intelligence on cyber threats generally adopt an operational or behavioural approach to defining cyber proxies. Google’s Threat Analysis Group, Microsoft and Recorded Future all classify potential proxies by observable indicators of alignment, such as target selection, timing, infrastructure overlap, shared tooling, public statements of political motive or responsiveness to a given state’s strategic priorities. These approaches intentionally avoid claiming firm command-and-control relationships between a state-level sponsor and a specific proxy unless the evidence is overwhelming. Instead, they rely on confidence levels to describe the existence of probable state links, recognizing that cyber operations often involve partial visibility or deliberate obfuscation. For example, when a hacker group claims responsibility for an attack that the group did not perpetrate, this may be a deliberate attempt to mislead targets or investigating organizations.
To establish a practical and analytically sound definition of cyber proxies, this paper maps them across a range of relationship types – from APT-commissioned actors operating under close state direction, through criminal and hacktivist groups enjoying varying degrees of state tolerance, to commercial enablers with no direct state relationship. This analytical framework has significant implications for how accountability mechanisms are designed and applied, as different relationship types require different policy responses.
Building on these strands of scholarship, and recognizing the need for a definition broad enough to capture both a range of actors and a range of potential levels of state involvement, this paper defines cyber proxies as follows:
Russian cyber proxies: the current landscape
Any consideration of Russian cyber proxy usage must necessarily situate cyber proxies within the context of Russia’s broader information security ecosystem. This is a landscape in which cyber operations, information control, propaganda, disinformation and media manipulation are not discrete domains but deeply intertwined components of state strategy. For Russia, ‘information confrontation’ is an umbrella concept that combines many different strands – such as technical cyber operations, psychological operations, propaganda, censorship, intelligence gathering and influence campaigns – into a single strategic domain.
Russia’s concept of information confrontation is described as ‘a form of conflict between parties … each of which attempts to cause the other defeat or damage by means of information impact … [it has become] a form of combat in which information is both the tool, the environment, and the target’. Evidently, this ‘environment’, as Keir Giles argues, goes well beyond cyberspace; the definition includes public opinion and narratives. Scholars such as Timothy Thomas have long argued that Russian military thinkers conceive of information conflict as occupying a holistic battlespace in which psychological, political and cyber tools reinforce one another and can be deployed in parallel during peace and wartime. As a result, cyber proxies cannot be analysed only as technical disruptors. They are embedded within a much broader Russian strategy aimed at shaping perceptions, generating ambiguity and eroding adversaries’ ability to respond.
Russia’s approach to information confrontation is associated with a tightly managed domestic media environment, the use of online propaganda and troll networks, and disinformation and cyber activities. This paper recognizes the intertwined relationship between cyber operations and influence operations, acknowledging that both are products of a closely controlled Russian information ecosystem. Our analysis focuses on cyber proxies because they raise distinct and consequential questions around attribution, state responsibility and legal accountability. Proxies are where the opacity of the Russian information ecosystem creates the greatest policy challenges; isolating this element enables more precise analysis and more actionable recommendations.
Challenges in mapping the Russian cyber proxy ecosystem
The proliferation of Russian proxy actors, as well as the fluidity of these actors across ambiguous spaces, makes mapping Russia’s cyber proxy ecosystem a complex task. There are four primary challenges.
Firstly, proxy relationships in cyberspace resist simple categorization. Russian cyber operations draw both on direct state actors – such as Sandworm and other GRU-integrated units – and on a range of non-state proxies, from APT-commissioned actors operating under close state direction, through criminal groups and hacktivist networks operating with varying degrees of state tolerance, to commercial enablers with no direct state relationship. Actors may shift between categories depending on the operation, target or geopolitical context, and some may occupy different positions simultaneously.
The second challenge is that this ecosystem is not static. Groups rebrand, splinter, merge and adopt new identities, sometimes to obscure attribution, sometimes to signal new alliances, sometimes due to disruptive action taken against them or even internal disagreement between members, and sometimes simply to maintain relevance in a competitive underground economy. Campaign names evolve, and similar tools may be used by multiple actors with varying degrees of skill. Opportunistic actors may suddenly attach themselves to a Russian narrative following major battlefield events, while previously active collectives may fade or reappear under new banners. This dynamism limits the value of static taxonomies and requires continuous assessment.
Thirdly, different groups often occupy overlapping categories and perform hybrid functions. Criminal groups may undertake profit-motivated ransomware campaigns alongside politically motivated disruptions (with often only the latter aligned with Russian state interests). Hacktivist collectives sometimes perform primarily informational or psychological functions, such as defacing websites, leaking stolen data or amplifying narratives through Telegram, but they may also participate in low-level disruptive operations themselves. State-backed APTs may outsource components of campaigns to criminal subcontractors or rely on tolerant ecosystems to ‘launder infrastructure’. The result is a blurring of motivations, methods and organizational roles, making categorization inherently approximate.
Finally, many incidents remain undisclosed or only partially observable in the public domain. Open-source reporting, public attribution and media coverage capture only a fraction of activity, meaning that the proxy ecosystem is likely far denser and more active than publicly documented. As a result, analyses based solely on open-source information may underestimate both the frequency and strategic impact of cyber operations. This limitation underscores the importance of continuous monitoring and integration of multiple intelligence sources to build a more accurate operational picture.
To understand Russia’s cyber campaign against Ukraine, and the role that proxies have played, it is necessary to map the landscape of actors involved, examining both their organizational profiles and their relationships with the Russian state. Yet in light of the above, mapping proxies is less about fixing actors into permanent boxes and more about assessing patterns of alignment, behaviour and utility across an evolving ecosystem. Attribution in cyberspace remains complex, particularly where self-proclaimed ‘patriotic’ groups or criminal entities are concerned, and available open-source evidence often reveals alignment with state objectives rather than direct evidence of state tasking.
Classification of Russian cyber proxies
Table 1 categorizes Russian cyber proxies according to their relationship with the Russian state, primary activities and degree of strategic intent. The categories reflect variable and overlapping degrees of state control and alignment, ranging, as noted above, from APT-commissioned proxies under direct intelligence guidance to commercial enablers – hosting providers, cryptocurrency services and IT contractors – whose relationship with the state is indirect: they willingly provide services to malicious actors rather than acting under state direction. The framework should not be read as implying a neat linear sequence: ideological hacktivists, though largely self-directed, occupy an intermediate position because their operations have generally produced effects aligned with Russian state objectives and have been amplified through state-linked media channels. Influence operation actors cut across the typology entirely. This typology draws on observable patterns in Russian-linked cyber activity since 2022, though many proxy relationships predate the full-scale invasion.