| | | |
|---|
Operation Eastwood (Jun. 2024) – disruption of NoName057(16) hacktivist network. | Dismantle infrastructure; arrest core members; deter recruitment through legal warnings. | Takedown of pro-Russian DDoS hacktivist network including 100+ servers; arrest warrants in Germany and Spain; US indictment of Victoria Eduardovna Dubranova for alleged GRU collaboration (cases not yet concluded); and legal warnings to volunteer supporters. | Europol, Eurojust, 12+ national law enforcement agencies, US Department of Justice (DOJ) |
Threat detection and blocking (continuous, 2022–24) | Identify and block malicious infrastructure in real time; prevent compromise of Ukrainian government networks and critical infrastructure. | Real-time detection and blocking of Russian malware and phishing infrastructure; threat intelligence sharing across CERT Ukraine, SBU and Western cybersecurity partners to identify and neutralize malicious campaigns before systems are compromised. | CERT Ukraine, SBU, Western cybersecurity firms |
Microsoft-DOJ Star Blizzard/Callisto Group disruption (Oct. 2024) | Disrupt phishing operations; remove espionage infrastructure; impose operational costs on FSB Centre 18 and associated actors. | Seizure of 107 domains used by FSB Centre 18’s Callisto Group (tracked by Microsoft as Star Blizzard) and criminal proxies acting on its behalf, for spear-phishing and credential theft targeting government officials, defence contractors, think-tanks, journalists and NGOs. | US DOJ, Microsoft Digital Crimes Unit |
Operation Cronos (Feb. 2024) – LockBit takedown | Dismantle ransomware-as-a-service ecosystem; arrest operators; cut financial flows; deter recruitment and further participation by affiliates. | Seizure of LockBit dark-web infrastructure; arrest of affiliates; international arrest warrants and indictments (France, US); cryptocurrency asset freezing. | UK National Crime Agency (NCA), FBI, Europol, Eurojust, US DOJ, 10+ countries |
Sources: Compiled by authors.
Technology companies played a key role in these disruption operations, working with law enforcement to disable malicious infrastructure. Microsoft’s Digital Crimes Unit, acting concurrently with the US Department of Justice, seized domains used by Russian intelligence proxies (such as Star Blizzard), while cybersecurity firms such as CrowdStrike, Mandiant and Recorded Future provided threat intelligence and attribution support across a range of similar operations. Nonprofit groups like ShadowServer and abuse.ch aided operations such as Eastwood, mapping infrastructure used by pro-Russian hackers. Commercial intelligence helped dismantle ransomware networks during Operation Cronos. The success of these operations relied on close coordination between government agencies and private sector entities controlling the exploited infrastructure.
B. Cost imposition: legal, financial and reputational measures
In addition to disruption efforts, Ukraine and its allies have increasingly focused on cost imposition measures to ensure cyber operations, especially those by Russian cyber proxies, are met with lasting consequences. These measures are intended not only to deter future attacks but also to raise the costs of recruiting and maintaining proxy actors, making it more difficult for these networks to operate.
This section examines three primary cost imposition tools: cyber sanctions, criminal prosecution and diplomatic retorsion (unfriendly but lawful acts taken in response to the conduct of another state), which together represent the most visible and politically significant accountability mechanisms deployed by states against Russian cyber proxies.
Cyber sanctions
The EU has systematically expanded its cyber sanctions framework in response to Russian proxy operations. Following the June 2024 designation of six individuals for their involvement in malicious cyber operations targeting Ukraine and its allies, the Council of the European Union extended the broader cyber sanctions regime until 2028, signalling sustained political commitment. These sanctions impose asset freezes, travel bans and financial transaction prohibitions on designated actors, though the practical impact of the measures depends heavily on enforcement and the geographic and political reach of sanctioning authorities.
Developed as a component of the EU’s 2017 Cyber Diplomacy Toolbox, sanctions form one instrument within a framework designed to provide a graduated spectrum of diplomatic responses to malicious cyber activity – from coordinated statements and démarches (formal diplomatic messages expressing a government’s position or request) through to targeted sanctions of the types mentioned above. The toolbox is premised on collective attribution enabling collective response, and in principle represents exactly the kind of integrated, strategically coherent framework this paper advocates. In practice, however, it has been underused relative to its ambition, with consensus among member states proving difficult to achieve consistently.
Similarly, the UK imposed sanctions on 18 GRU officers and three military intelligence units in July 2025, explicitly targeting personnel assessed as having been involved in sustained malicious cyber activity against Western institutions and energy infrastructure and in hybrid warfare operations. The designations covered GRU Units 29155 and 26165, both implicated in proxy-linked campaigns, and drew explicit connections between Russian-backed cyber operations and Moscow’s broader destabilization efforts. Amplifying the diplomatic signal, NATO and EU allies issued coordinated statements condemning Russian hybrid activities.
The UK has also stepped up sanctions recently in light of escalating hybrid threats, especially in relation to information warfare attributed to Russian proxies; these proxies include Russian think-tanks such as the ‘Centre for Geopolitical Expertise’ that seek to hide their links to the Russian government.
In November 2025, Canada for the first time sanctioned entities supplying the digital infrastructure used in Russian hybrid strategies against Ukraine; this was alongside designations targeting Russia’s drone programme and shadow fleet.
The strategic logic of cyber sanctions rests on several assumptions: that individual actors can be deterred by personal costs, that sanctions signal resolve to domestic and allied audiences, and that cumulative designations raise the operational cost of proxy recruitment and retention. However, the effectiveness of such measures remains difficult to measure. Individuals subject to economic sanctions may have assets seized and be unable to engage in financial transactions touching the US or other sanctioning countries – these risks will be felt at the personal level, and may exert a form of ‘micro-level’ deterrence. On the other hand, sanctioned individuals often have limited assets in Western jurisdictions, and Russia has demonstrated willingness to absorb reputational costs.
The primary value of current sanctions may therefore lie in normative signalling and coordination rather than immediate behavioural change – communicating that proxy misuse will invoke sustained political consequences even when kinetic or legal responses are unavailable. Whether normative signalling alone can contribute meaningfully to deterrence remains an open question, and one that points to the need for sanctions to be embedded within a broader, coherent response strategy rather than deployed in isolation.
Prosecution under domestic criminal law
As is clear from Table 3 above, prosecution of proxy actors can interact with other accountability measures – political, diplomatic, financial and reputational – to impose costs.
Both Ukraine and its allies increasingly target Russia’s proxies with court action. Ukraine has brought prosecutions against Russian hackers under its domestic criminal code. For example, in October 2024 a Ukrainian court sentenced in absentia two members of the Russian Federal Security Service (FSB)-backed hacker group ‘Armageddon’ for having carried out more than 5,000 cyberattacks against Ukrainian institutions and critical infrastructure. The unnamed hackers previously worked as employees of Ukraine’s SBU in occupied Crimea before voluntarily joining the FSB following Russia’s annexation of Crimea in 2014.
The US has issued a series of indictments since 2014 in relation to malicious cyber actors from Russia, China, Iran and North Korea. In several high-profile cases, the US has used a multi-pronged strategy of issuing a public statement, imposing sanctions, then issuing an indictment against the individuals concerned. The sequencing of measures will depend on the facts in each case: sometimes, indictments are issued before sanctions, as in the case of US accusations against Iran of DDoS attacks on financial institutions.
The US has indicted suspected cyber proxies apparently operating from Russia, based on extraterritorial jurisdiction. For example, in the case of US v. Stigal, a Russian national has been charged with intentional conspiracy to hack into and destroy computer systems and data. The indictment states that the accused ‘supported the activities of the GRU by setting up online infrastructure for GRU officers to use in cyberattacks, including in the deployment of the WhisperGate malware’. According to the US Department of Justice, in advance of the full-scale Russian invasion of Ukraine, the targets of Stigal and his alleged co-conspirators included Ukrainian government systems and data with no military or defence-related roles. Later targets included computer systems in countries that were providing support to Ukraine, including the US.
In December 2025, the US charged a Ukrainian national, Victoria Eduardovna Dubranova, with conducting alleged cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations. One operation was said to be with the CyberArmyofRussia_Reborn (known as CARR), which was founded and funded by Russia’s GRU, according to prosecutors. CARR is said to have caused damage to the control systems of public drinking water systems in several US states, and resulted in huge water spills; CARR is also alleged to have triggered an ammonia leak and spoiled meat at a processing facility. The second operation in which Dubranova is alleged to have been involved was with the group NoName057(16) (see row 4 of Table 2 and row 1 of Table 3 above), which launched more than 1,500 attacks on government agencies, financial institutions, railways and ports in Ukraine and NATO countries including Estonia, Finland, Lithuania, Norway, Poland and Sweden between March 2022 and June 2025.
Even where a case does not go to trial, the launching of an investigation can bring some immediate benefits.
However, there are various challenges to the investigation and prosecution of cyber proxies. Investigations are time-consuming and expensive, therefore only an option for well-resourced states with strong attribution capabilities. To gather the evidence, states are likely to need to cooperate with service providers or cybersecurity companies on technical attribution. But in some cases, local law, or the terms of service of the companies concerned, may prevent companies from handing over relevant data. Mutual legal assistance procedures for gathering evidence for prosecution are typically slow and bureaucratic, and states may not have the relevant law in place or the resources to prosecute. If the alleged perpetrators are located in Russia, Russia will refuse to prosecute or extradite them (in the Stigal case above, the accused remains at large). As a result, there have been relatively few successful prosecutions so far.
Despite these challenges, prosecution of malicious cyber activity is on the rise. Even where a case does not go to trial, the launching of a domestic investigation can bring some immediate benefits. Firstly, it puts partners – states, intergovernmental organizations such as Europol and Interpol, and the private sector, which increasingly work together – on notice of the prosecuting state’s need for evidence to secure prosecution and mobilizes networks of cooperation, for example those established under the Budapest Convention on Cybercrime 2001. Secondly, partner states may choose to provide political or diplomatic support in various ways, for example by participating in collective efforts on attribution or the imposition of sanctions on the individuals or entities concerned. Finally, the launching of a domestic investigation sets up the potential for joint investigations. Since attribution and due diligence come with major challenges in relation to proxies, and since Russia is increasingly conceived as operating in effect as a criminal state, there are clear strategic benefits in states joining forces in investigations and prosecutions. As Table 3 makes clear, several recent operations have proved the effectiveness of this approach, including Germany and Spain issuing arrest warrants for seven suspected members of NoName057(16), a pro-Russian hacking group. These arrests were the result of an international operation involving law enforcement and judicial authorities from several countries, including France, Italy, the Netherlands, Sweden and the US.
The recent adoption of several multilateral instruments is likely to strengthen the prospects for successful prosecution of cyber proxies. In addition to the Budapest Convention on Cybercrime – which has 81 states parties, including the US – the Second Additional Protocol to the Budapest Convention on enhanced cooperation and disclosure of electronic evidence (signed but not yet in force) will enable states parties to obtain electronic data (such as subscriber information and traffic data) directly from service providers located in other countries. This will apply regardless of whether there is a mutual legal assistance treaty (MLAT) – the legal channel that enables states to request and share evidence from criminal investigations and prosecutions – in place. Direct requests by EU member states to service providers for certain electronic data will also be possible under the EU’s e-Evidence framework, which will establish uniform rules on the preservation and disclosure of electronic evidence from 2026. The UN Convention against Cybercrime, signed in 2025 by 71 states and the EU, could also be useful for the purposes of collecting, obtaining, preserving and sharing evidence of cybercrime..Importantly for the purpose of proxy activity, these treaties do not just apply to ordinary cybercrime such as spamming or computer fraud, but also to malicious cyber activity more broadly (the UN Convention against Cybercrime, for example, applies to ‘any serious crime’).
Prosecutions also send a signal to the public, as well as to perpetrators, that the prosecuting state has intelligence about where the malicious cyber activity is coming from and has sufficient evidence to prosecute. This has been part of the US’s rationale for its ‘speaking indictments’. And even if the alleged perpetrator is in a state that refuses to prosecute or extradite, their movement will be restricted, as a person travelling to a country that is prepared to extradite risks being arrested and sent to trial. For example, Russians associated with the Phobos ransomware tool were arrested and extradited from South Korea and Italy for prosecution. In the US v. Dubranova case mentioned above, the accused was extradited to the US and is standing trial there. Fear of prosecution may also have a deterrent effect.
Diplomatic retorsion and symbolic costs
Since the start of the war, Ukraine’s allies have used diplomatic ‘retorsion’ – which includes measures such as formal protests and expulsions of diplomats – to signal that hostile cyber and hybrid activities carry political costs. Expulsions of Russian diplomatic personnel since 2022 have been driven by concerns over espionage and destabilizing intelligence operations that may have been carried out under diplomatic cover. Many Western governments have explicitly framed the expulsions as responses to Russia’s hybrid campaign – which includes cyberattacks, disinformation and sabotage supporting the war effort against Ukraine.
In March 2022, more than 20 Russian diplomats were expelled by countries including Belgium and the Netherlands, with the authorities claiming that Russian intelligence gathering was being disguised as diplomatic activity. Poland expelled dozens of Russian diplomats that same month on national security grounds. Across Europe, hundreds of Russian diplomatic staff were targeted in coordinated waves of expulsions linked to concerns about espionage and interference supporting Russia’s war effort.
More recently, in January 2026, Germany expelled a Russian diplomat identified as a military intelligence officer accused of espionage tied to the conflict, with Moscow responding by expelling a German diplomat in a tit-for-tat move.
These measures create symbolic and political costs by isolating Moscow diplomatically and highlighting international condemnation of Russia’s hybrid operations. While most expulsions have not been tied to specific cyber incidents, they contribute to raising costs for Russia’s intelligence apparatus – which integrates cyber operations with traditional espionage and influence campaigns – and complicate the conduct of future hostile operations. Actions taken under disruption and cost imposition form part of a cumulative signalling strategy: repeated public attributions, coordinated sanctions, synchronized diplomatic statements, arrests and prosecutions are intended to communicate resolve and impose reputational costs on Russia and its proxies. Although the effectiveness of individual measures may be limited, their accumulation over time can have a deterrent effect and shape adversary perceptions of risk and consequence.
C. Deterrence and its limits
There is credible evidence that coordinated law enforcement can generate short-term deterrence effects against cybercriminal and proxy actors, though these effects remain uneven. Analysts of cyber deterrence have distinguished between deterrence by denial – making attacks less likely to succeed – and deterrence by punishment, through imposing costs after the fact. The measures discussed in this section operate primarily through the latter mechanism, with the limitations that punishment-based deterrence is most effective when costs imposed are visible, credible and sufficiently severe to alter the cost–benefit calculations of potential actors.
Following Operation Cronos – the multinational operation led by the UK National Crime Agency (NCA), US Department of Justice (DOJ) and Europol – the LockBit ransomware group’s core infrastructure was seized, internal data exposed and key associates indicted; these measures significantly degraded the group’s operational capacity and reputation in early 2024. Security analysts assessed that the operation undermined LockBit’s trust relationships with affiliates by demonstrating that participation carried elevated legal risk, even for actors operating outside Western jurisdictions.
More directly, the above-mentioned arrest and extradition of Victoria Eduardovna Dubranova from a third country to the US for her alleged role in supporting pro-Russian cyber operations – including activity linked to NoName057(16) and CyberArmyofRussia_Reborn – provided a concrete demonstration that individuals suspected of involvement in Russian-aligned proxy cyber activity may face personal legal consequences beyond Russia’s borders. This case materially challenges assumptions about geographic safe havens, and plausibly increases perceived risk among opportunistic or peripheral participants. In parallel, Europol-coordinated actions against NoName057(16) included public warnings and direct outreach highlighting criminal liability, which authorities assessed as contributing to some disengagement among lower-commitment volunteers, even if precise attrition levels remain unverified.
At the same time, the limitations of deterrence are substantial and persistent. Despite repeated disruptions, pro-Russian hacktivist activity has continued, with DDoS campaigns against NATO-aligned states remaining a recurrent feature of the threat landscape. LockBit re-established an online presence after the 2024 takedown; this has been cited as evidence that ransomware ecosystems can absorb infrastructure losses and reconstitute themselves quickly. However, LockBit’s credibility among affiliates collapsed, its activity levels dropped sharply, and the group has shown little meaningful operational recovery. The more precise conclusion is that Operation Cronos deterred the activity rather than eliminating the actor – a distinction that matters for how we measure the success of disruption operations. Nevertheless, new or rebranded pro-Russian hacktivist entities have continued to emerge, indicating a low barrier to entry and a surplus of motivated participants willing to replace disrupted actors. This suggests that deterring individual groups, while valuable, does not on its own remove the structural conditions that make proxy recruitment possible.
There is no publicly available evidence that cumulative disruptions, indictments or sanctions have altered Russia’s strategic reliance on cyber proxies.
Most significantly, there is no publicly available evidence that cumulative disruptions, indictments or sanctions have altered Russia’s strategic reliance on cyber proxies. Western governments have sanctioned GRU officers and Russian cyber units, and have publicly attributed state-directed malicious activity to Russia, yet Russia has continued to tolerate – and in some cases indirectly enable – criminal and hacktivist actors that advance its strategic objectives while preserving plausible deniability. The persistence of proxy activity suggests that, from Moscow’s perspective, the operational and political benefits of cyber proxies outweigh the cumulative costs imposed by international pressure. This limits the strategic deterrent value of current countermeasures.