Existing tools – disruption, sanctions, investigation and prosecution – are sufficient in principle to hold cyber proxies accountable. What is missing is coordination. This chapter sets out concrete recommendations for moving from fragmented tactical responses to strategically coherent, sustained pressure.
Ukraine and its allies possess the tools to hold cyber proxies accountable – disruption capabilities, sanctions frameworks, prosecution authorities. The challenge is not inventing new mechanisms but coordinating existing ones so they reinforce rather than undermine each other. Moving from tactical disruption to strategic degradation of cyber proxies requires integrating existing tools and focusing efforts where they matter most – critically, it requires cultivating the political will to treat multi-dimensional, coordinated response as a priority.
This chapter organizes its recommendations around a hierarchy of proposed actions. It distinguishes between (A) core strategic levers, (B) strategic amplifiers and (C) enablers. Core levers create immediate operational friction and impose costs that cannot easily be evaded. Amplifiers magnify and sustain the effects of these levers across legal, operational and reputational dimensions. Enablers build the institutional and normative foundations for long-term effectiveness. This framing reflects both the political realities facing states seeking to tackle cyber proxy activities and the recognition that not all measures carry equal weight. Put another way, when resources and political bandwidth are finite, prioritization matters.
A. Core strategic levers: actions that directly degrade proxy capacity
In the first instance, we argue, governments and institutions seeking to tackle cyber proxies need to apply core levers as follows:
1. Target enabling ecosystems, not just individual actors
Effective disruption of proxy operations requires focusing on the infrastructure and supply chains that enable them: cryptocurrency exchanges facilitating payments, hosting providers enabling command-and-control infrastructure, technology suppliers providing tools, etc. Focusing on infrastructure rather than solely on individual actors is particularly effective because the same platforms and services often support both cyber and information operations, as well as other actors. While not conceptually new, ecosystem-level targeting has rarely been applied systematically or at scale. Achieving scale and consistency requires measures targeting the following entities:
- So-called ‘bulletproof hosting’ providers (internet hosting services that deliberately ignore takedown requests and legal demands, enabling proxy operations and other malicious and illegal activity to persist) and virtual private network (VPN) services that enable proxy operations;
- Cryptocurrency exchanges and mixers that facilitate payment flows;
- Domain registrars and content delivery networks (CDNs) that support cyberattacks and information campaigns; and
- Technology suppliers that provide malware-as-a-service or offensive tools.
Critical to this is the need to impose costs on enablers. Sanctions designations, prosecutions and public exposure should target not just proxy operators but the infrastructure providers, payment processors and technology suppliers that make proxy operations scalable. States should coordinate such designations multilaterally (see also Recommendation A2, below) to prevent targets from simply relocating to permissive jurisdictions. This requires differentiating between jurisdictions that harbour proxy infrastructure through lack of capability and those that do so deliberately – a distinction developed further in Recommendation C1.
2. Create standing mechanisms for rapid multilateral coordination of sanctions
Coordinated sanctions multiply pressure by closing safe havens. The EU’s June 2024 cyber sanctions demonstrate the potential for multilateral action, but current practice remains largely ad hoc. Moving from reactive to systematic responses requires institutionalizing the coordination infrastructure before the next major incident, not during it. Willing partners – at minimum the US, the UK, the EU, Australia, Canada and Japan – should establish a permanent cyber sanctions coordination cell with a mandate to take the following measures:
- Pre-position designation packages for known proxy networks, infrastructure providers and enablers of cyber-enabled operations, allowing sanctions to be activated quickly rather than constructed from scratch in a crisis. Pre-positioning would not remove the requirement for case-by-case ministerial review and legal assessment at the point of decision; rather, it would ensure the necessary evidentiary groundwork is already in place, facilitating faster adoption when the threshold for designation is met.
- Share attribution assessments, legal analysis and supporting intelligence through secure channels to enable faster, better-coordinated responses.
- Develop interoperable evidentiary standards for designations that accommodate different legal systems, while preserving enforceability across jurisdictions.
- Harmonize national cyber sanctions frameworks across participating jurisdictions where legal gaps or inconsistencies exist. Like-minded states should ensure their existing frameworks can accommodate coordinated cyber-specific listings, enabling full participation in rapid multilateral actions.
- Establish clear activation triggers and decision-making procedures, so that participating governments agree in advance on the threshold and process for deploying pre-positioned packages – since this is where sovereign legal differences are most likely to create friction.
By institutionalizing pre-authorized response pathways and shared operational infrastructure, this mechanism would allow sanctions to function as a rapid, integrated instrument of collective cyber deterrence rather than as a reactive or symbolic measure.
3. Integrate evidence sharing with broader disruption strategies
Bilateral and multilateral evidence-sharing mechanisms – including MLATs, the Budapest Convention framework and joint investigation teams – have enabled successful prosecutions, as demonstrated by operations targeting NoName057(16), LockBit and other proxy networks. However, the strategic gap does not lie with cooperation mechanisms themselves; rather, it is the persistent disconnect between law enforcement, sanctions authorities, intelligence agencies and diplomatic services – within and between governments – in integrating evidence collection with sanctions, operational disruption and diplomatic pressure to generate compounding effects.
When evidence sharing operates independently of other response tools, its impact is limited. Criminal investigations that proceed without coordination with sanctions authorities may inadvertently alert targets before asset freezes can be imposed. Infrastructure takedowns conducted without preserving evidence for prosecution risk wasting opportunities for criminal accountability.
To achieve strategic integration, the relevant authorities and agencies need to:
- Coordinate timing across tools. This means aligning evidence collection with sanctions designations and operational disruptions to ensure that criminal investigations, technical takedowns and financial measures reinforce rather than undermine each other. Operation Cronos demonstrated the benefit of sequencing actions to maximize their legal and strategic effects.
- Expand direct judicial cooperation. This will entail building on frameworks such as the EU’s e-Evidence Regulation and bilateral agreements under the US CLOUD Act to enable authorities to request data directly from providers across borders, while respecting privacy and legal safeguards.
- Formalize rapid-response protocols. Policymakers should establish pre-agreed procedures for high-priority cases involving critical infrastructure or active campaigns, ensuring that law enforcement, intelligence agencies and private sector partners act in a synchronized, rapid and legally compliant manner rather than relying on ad hoc coordination during crises.
B. Strategic amplifiers: measures that magnify pressure
Like-minded states, working through national authorities and multilateral bodies such as Europol and Eurojust, should take the following steps to amplify the effects of the above-mentioned core levers:
1. Coordinate operational disruption campaigns
Current disruption efforts often treat each incident as isolated. Infrastructure is seized, domains are taken down, but proxies regroup and reconstitute themselves quickly using alternative providers. A shift to ‘campaign-based’ disruption would enable one-off actions to be replaced with sustained pressure targeting the same proxy network across multiple dimensions simultaneously. Policymakers should:
- Focus campaigns on high-value targets. This means prioritizing proxy networks that enable multiple types of operations (cyber and information operations) or that support critical Russian strategic objectives, rather than attempting to disrupt every proxy operation globally.
- Target shared infrastructure. This will entail identifying hosting providers, CDNs and domain registrars used by proxies for cyber and information operations. Takedowns of shared infrastructure should be coordinated to generate compounding effects, the aim being to simultaneously degrade offensive cyber capabilities and dismantle influence networks.
- Deny reconstitution, not just access. Takedowns of proxies should be carefully sequenced in coordination with sanctions targeting infrastructure providers. Technical disruptions should be complemented with legal action (civil suits, criminal prosecution) that impose lasting consequences on facilitators. Publicizing disruptions would also help to increase reputational costs to cyber proxies and their sponsors.
Across all these measures, the cognitive dimension of disruption deserves explicit attention. Technical takedowns achieve their greatest strategic value when they are designed to generate psychological and organizational friction within adversary networks – eroding trust among affiliates, undermining leadership credibility, and creating doubt about the reliability of tools and partners. Operation Cronos (see Table 3) illustrates this well: the operation’s most lasting effect was not the seizure of infrastructure but the reputational collapse it triggered within the LockBit ecosystem, which proved difficult to reverse.
Disruption campaigns should be designed from the outset with this signalling dimension in mind: identifying the pressure points where targeted interventions can generate disproportionate and compounding effects, and ensuring that operations are visible, attributed and sequenced to maximize organizational friction rather than being treated as isolated technical events.
Finally, these tools have structural limits – particularly where proxies operate from safe havens beyond the reach of law enforcement. In such contexts, some states have publicly acknowledged that offensive cyber capabilities form part of their national security toolkit. Whether and how such capabilities should be integrated into the coordinated accountability frameworks recommended here – and under what legal and oversight conditions – is a question that deserves serious attention, even if it remains politically sensitive.
2. Establish structured public–private engagement frameworks
Technology companies control much of the infrastructure that proxies exploit, but the former’s cooperation with governments often remains ad hoc, inconsistent and hampered by concerns about liability, resource constraints, and conflicts between security obligations and user privacy commitments. Formalizing engagement would transform reactive coordination into predictable partnerships with clear roles and mutual expectations – combining incentives with binding obligations.
Policymakers need to define clear expectations for infrastructure providers. This implies the following actions:
- Technology companies and infrastructure providers should be required to report proxy activity detected on their platforms, and preserve evidence for lawful investigations in a timely manner.
- Where companies detect active proxy campaigns, they should have pre-agreed protocols for coordinating with law enforcement rather than acting unilaterally – to ensure that technical disruption does not inadvertently compromise ongoing criminal investigations or destroy evidence needed for prosecution.
- Governments should explore the possibility of expanding mandatory reporting requirements for cyber incidents, scaled proportionately to organizational size. Current obligations – focused primarily on data theft and personal data breaches – may not adequately capture the full range of hostile cyber activity relevant to proxy operations. Governments should assess whether reporting obligations should be extended to include suspected espionage and unauthorized access to government and corporate networks and systems. Key points to address include: the evidentiary threshold that would trigger reporting; whether reports should flow to regulatory bodies or directly to law enforcement and intelligence agencies; how to manage disclosure risks; and what liability protections companies would require to participate in good faith. Structured dialogue with industry on the design of reporting procedures could ensure that requirements are technically workable and consistently applied across jurisdictions. It will be important to develop operational definitions of ‘espionage’ and ‘unauthorized access’ in a corporate context. Existing mandatory reporting frameworks among like-minded states offer useful starting points.
In addition, work on establishing structured public–private engagement needs to:
- Balance obligations with safeguards. This means ensuring frameworks respect human rights obligations, particularly regarding content moderation, data sharing and user privacy. It also means preventing inappropriate delegation of state authority to private companies for decisions on attribution or designation.
- Address non-compliance. For companies that refuse to cooperate or that persistently enable proxy infrastructure, states should consider consequences such as loss of government contracts, public disclosure of non-cooperation or, in serious cases, placement on a sanctions list. At the same time, governments should prioritize cooperation with willing partners rather than attempting to compel universal participation – building coalitions of cooperative providers creates competitive pressure on holdouts.
Effective public–private engagement would help to transform companies from passive infrastructure providers into active contributors to collective defence, amplifying the effects of government actions through the corporate sector’s unique capabilities and visibility into proxy operations.
C. Enablers: building foundations for long-term effectiveness
To sustain long-term effectiveness and reinforce the institutional foundations on which core levers and amplifiers depend, like-minded states should take the following steps:
1. Strengthen multilateral coordination infrastructure
Effective coordination across states and agencies is essential, but current mechanisms have limits. Organizations such as Europol, Interpol and Eurojust provide valuable avenues for collaboration, and schemes like the Counter Ransomware Initiative demonstrate potential for accelerated crisis response. However, real-time operational coordination is currently limited, domestic legal frameworks vary, and uneven resourcing creates gaps in capability that adversaries exploit.
To address these constraints, states should:
- Enhance law enforcement cooperation through Europol, Interpol, the EU SIRIUS network and Eurojust, ensuring agencies can share intelligence securely and coordinate responses in real time.
- Invest in training and resources to enable joint investigations and rapid operational coordination, underpinned by domestic legislation that explicitly permits such activities.
- Ratify pending international instruments that expand compatible legal frameworks for evidence sharing, namely the UN Convention against Cybercrime and the Second Additional Protocol to the Budapest Convention. While these instruments will not solve coordination challenges alone, they would expand the base of countries with aligned legal authorities for obtaining electronic evidence across borders.
- Work towards common attribution standards and shared frameworks for when and how to respond. While revisions to the Articles on State Responsibility are unlikely in practice, Track 1.5 dialogues – bringing together government officials, tech companies, researchers and civil society – can explore whether common methodologies are feasible while protecting intelligence sources.
- Differentiate between inadvertent and deliberate safe havens. States that harbour proxy infrastructure because they lack capability require a fundamentally different response from those that do so deliberately. For the former, targeted capacity-building support should be provided.
2. Sustain ecosystem pressure through multilateral and minilateral initiatives
While recommendations A1 and B1 mostly focus on directly targeting specific enabling infrastructure providers through sanctions and takedowns, sustained pressure requires multilateral frameworks that coordinate such actions over time and expand them globally. The Pall Mall Process and Counter Ransomware Initiative, for example, offer early models for how standing platforms can constrain enabling ecosystems beyond individual operations.
These initiatives become strategically coherent when they:
- Connect to accountability mechanisms. This ensures findings feed directly into sanctions regimes, criminal prosecutions and diplomatic pressure rather than operating as standalone research or dialogue forums.
- Expand geographic participation. Bringing in countries that currently lack comprehensive cyber sanctions or prosecution frameworks would create broader coverage against jurisdictional arbitrage, and would make it easier to close the safe havens that proxy networks systematically exploit.
- Develop shared standards for designating persistent threat actors and harbouring states. Frameworks analogous to those identifying ‘state sponsors of terrorism’ could be developed for use against states that persistently enable proxy ecosystems or harbour proxies. This would create a legal and diplomatic basis for graduated consequences.
- Learn from adjacent international law frameworks. Instruments addressing mercenaries, foreign fighters and transnational organized crime offer relevant precedents for connecting criminal, diplomatic and economic responses in ways that the current cyber accountability architecture has not yet replicated.
3. Build societal resilience and normative frameworks
Societal resilience reinforces the long-term effectiveness of action to combat cyber proxies by reducing their operational space and public tolerance for malicious activity. Increasing resilience requires action across three mutually reinforcing layers:
Public awareness and education
- States should promote media literacy programmes addressing influence operations, deepfakes and coordinated inauthentic behaviour.
- States should connect public education to accountability strategies, building understanding of government responses and political support for sustained pressure.
Government transparency about threats
- States should expand the toolkit through which they communicate the threat landscape – this should go beyond reactive advisories to include regular published bulletins, formal cyber threat-level systems analogous to terrorism threat levels, and more aggressive use of indictments as transparency instruments.
- More states should emulate the practice of publicly exposing Russian cyber interference in democratic processes and developing detailed threat actor profiles. This was demonstrated by the UK’s public attribution of GRU cyber and hybrid operations, and by the joint technical advisory on Sandworm/GRU Unit 74455 issued by the UK, US, Canadian and Australian cybersecurity agencies. Equally instructive is the US practice of unsealing criminal indictments as transparency instruments, which simultaneously exposes threat actor tradecraft, signals intelligence capabilities, and creates reputational and legal costs for named individuals – making it one of the highest-impact public attribution mechanisms available to governments.
Dedicated institutional capacity
- Governments should establish focused teams for hybrid threat response, coordinating law enforcement, intelligence and diplomatic functions to ensure responses are integrated rather than siloed. The UK Foreign, Commonwealth and Development Office’s establishment of the Cyber, Information and Tech Threats Directorate (CITT) reflects this approach, demonstrating recognition that sustained institutional capacity is necessary for strategic and coordinated interventions.
4. Bridge UN cyber governance and cybercrime processes
Russia’s use of proxies deliberately blurs the line between state-sponsored operations and criminal activity, complicating efforts to establish accountability under existing frameworks. The UN addresses the issues through parallel but disconnected processes: one focused on cyber governance and norms (First Committee, Global Mechanism on ICT Security); and one dedicated to cybercrime (Third Committee, UN Convention against Cybercrime). Bridging these tracks could strengthen accountability in respect of proxy operations.
However, such a proposal might meet political and institutional resistance. Governments have historically and deliberately kept cyber governance and cybercrime processes separate, concerned that connecting them would complicate attribution standards, blur the line between criminal and state responsibility, and create unwanted precedents in each forum. That resistance deserves acknowledgment. However, the rationale for strict separation has substantially weakened: the UN Convention against Cybercrime is now agreed, and the OEWG has transitioned into a permanent mechanism. The institutional landscape has changed sufficiently to revisit whether continued separation serves accountability or merely entrenches impunity.
In this context, we advocate the establishment of the following bridging mechanisms:
- Like-minded states should establish joint working sessions between First and Third Committee focal points during UN cyber meetings to identify overlapping issues (e.g., how cybercrime treaty implementation relates to due diligence obligations under the Framework for Responsible State Behaviour in Cyberspace).
- They should also task national delegations to coordinate across both processes, ensuring cybercrime prosecutions inform discussions of state due diligence obligations and vice versa.
- Relevant UN agencies such as the UN Institute for Disarmament Research (UNIDIR) should commission joint studies examining how states’ obligations to prosecute cybercrime (Third Committee focus) intersect with obligations to prevent territory from being used for malicious cyber operations (First Committee due diligence principle).
This integration would help address the current problem of proxy operations falling between governance frameworks: too state-linked to be treated as pure crime, yet too criminal to be clearly attributable as state action.