Hostile States Are Running Criminal Networks as Weapons. Law Enforcement Is Playing Catch-Up.
Source: ChatGPT
EXECUTIVE SUMMARY
Russia, Iran, China, and North Korea are systematically weaponizing transnational criminal organizations, using them as deniable proxies for sabotage, influence operations, and infrastructure disruption below the threshold of open conflict. Investigations in Poland, Germany, and Lithuania have uncovered overlapping networks linked to Russian military intelligence operating through criminal intermediaries to target Ukraine-bound supply chains. Europol has specifically named criminal networks operating under direction from Iranian security institutions as active threats inside EU member states. Iran's newly established Electronic Operations Room, stood up on February 28, 2026, the same day Operation Epic Fury began, has claimed responsibility through state-aligned proxies for disruptive cyber operations. The model is deniability by design: use criminals, claim ignorance, achieve strategic effect.
ANALYSIS
The use of criminal proxies by hostile states is not new, but the scale and coordination have accelerated materially since 2022. Russia's hybrid warfare doctrine, refined through its operations in Ukraine and against European logistics infrastructure, has demonstrated that criminal networks can perform sabotage missions with a fraction of the footprint and risk of state actors. Authorities in Poland, Germany, and Lithuania uncovered overlapping networks in 2025 linked to Russian military intelligence targeting railways, logistics hubs, and commercial infrastructure connected to Ukraine-bound supply chains, according to GLOBSEC analysis.
Iran's model is structurally different but strategically similar. Rather than running criminal proxies for sabotage, Tehran has historically used its proxy networks for assassination, surveillance, and financial crime inside Western countries. Europol's March 6 assessment specifically identified criminal networks operating under the direction of Iranian security institutions as active threats inside EU member states. That is not a theoretical concern. It is a current operational assessment from the continent's primary law enforcement intelligence body.
The Electronic Operations Room that Iran established on February 28 represents a newer dimension of this architecture. Palo Alto's Unit 42 reports that multiple Iranian state-aligned personas and collectives claimed responsibility for disruptive cyber operations through this entity in the days following the launch of Operation Epic Fury. The structure appears designed to aggregate and direct proxy cyber actors while maintaining enough distance for Tehran to deny direct involvement. It is the digital equivalent of the deniable criminal intermediary.
China and North Korea run comparable architectures in the cyber domain. Google has linked China, Iran, Russia, and North Korea to coordinated defense sector targeting operations, according to The Hacker News. North Korea's use of cryptocurrency theft to fund its weapons programs is well documented. China's FishMonger group, affiliated with the contractor I-SOON, runs espionage and financially motivated operations in parallel. The line between intelligence collection and criminal enterprise has effectively disappeared in the operations of all four state actors.
Operation Candy illustrates why this convergence matters beyond its specific facts. A criminal network with logistics infrastructure capable of moving 1.2 tonnes of narcotics from Europe to Australia represents a supply chain that could be adapted to move other things. The intelligence value of disrupting these networks is not limited to preventing drug sales. It is about collapsing infrastructure that hostile state actors can exploit.
The United States faces this threat across multiple domains simultaneously. Russian criminal proxies are operating in Europe against NATO supply chains. Iranian criminal networks are operating inside allied countries with a declared motivation to attack American targets. Chinese state-affiliated contractors are running espionage operations against US government institutions. North Korean hackers are financing a nuclear weapons program through cyber theft. Each of these is a distinct problem requiring a distinct response. Together they represent a coordinated adversarial posture that exploits the same fundamental gap: law enforcement is organized by jurisdiction and crime type, while the threat is organized around effect.
The net assessment is that the weaponization of criminal networks by hostile states will intensify as conventional military confrontation becomes more costly and as Western sanctions regimes expand. Each new sanction creates a new compliance gap. Each new logistics disruption operation teaches the model to the next proxy. Washington's challenge is not simply to disrupt individual networks but to raise the cost of the entire model high enough that the strategic calculus changes for the states running it.

