The Embassy Spy Ring: Systemic Expulsion Of 750 Russian Intelligence Officers By The West

The systematic expulsion of Embassy Spy Ring based Russian intelligence networks across the West between 2022 and 2025 represents the most significant counter-intelligence operation since the Cold War. Verified data aggregates confirm that over 750 Russian diplomatic personnel, identified by host nations as undeclared intelligence officers (UIOs), were declared persona non grata. This figure dwarfs the 153 expulsions following the 2018 Skripal poisoning, marking a 390% increase in the number of diplomatic ejections.

The initial wave occurred in the immediate aftermath of the Ukraine invasion. Between February 24 and April 5, 2022, European governments expelled over 400 Russian officials. Intelligence agencies, including Britain’s MI5 and the U. S. CIA, assess that approximately 600 of the total 750 expelled individuals were operating directly for the GRU (military intelligence), SVR (foreign intelligence), or FSB (federal security). The removal of these officers degraded the Kremlin’s human intelligence (HUMINT) capabilities in Europe by an estimated 50%.

The 2022-2023 Expulsion Waves

While the initial purge was coordinated, subsequent expulsions targeted specific operational hubs. Bulgaria executed the single largest one-time expulsion in June 2022, removing 70 diplomats and staff. Germany followed a phased method, expelling 40 officers in April 2022 and another 30+ in April 2023, emptying the Russian residencies in Berlin and Munich. Moldova, facing direct destabilization threats, ejected 45 diplomats and technical staff in July 2023, reducing the Russian embassy presence in Chișinău by nearly 60%.

The operational impact extends beyond mere headcount. In Norway, the expulsion of 15 intelligence officers in April 2023 decimated the SVR station in Oslo. Norwegian security services (PST) confirmed these individuals were conducting radio signal interception and agent handling under diplomatic cover. Similarly, the Dutch intelligence service (AIVD) expelled 17 officers who were actively mapping Dutch high-tech infrastructure. The loss of diplomatic immunity strips these operatives of their primary shield, forcing Russian services to rely on riskier “illegal” operatives without embassy protection.

Neutral states also abandoned historical hesitancy. Austria, traditionally a hub for international espionage due to its lax laws, expelled four diplomats in 2023 and two more in 2024. This shift indicates a hardening of the European security architecture, where tolerance for Russian intelligence activity has evaporated. The cumulative effect is a forced restructuring of Russian spy networks, pushing them toward cyber operations and non-official covers that are harder to maintain and easier to prosecute.

The Catalyst: Bucha Evidence Triggers Diplomatic Exodus

The strategic calculus of Western intelligence agencies shifted irrevocably between April 2 and April 4, 2022. While counter-intelligence services in Germany, France, and Italy had long maintained watchlists of suspected Russian intelligence officers operating under diplomatic cover, the political to execute mass expulsions remained absent during the war’s opening month. This hesitation evaporated with the liberation of Bucha. The emergence of verified satellite imagery and ground footage from Yablunska Street, documenting the summary execution of civilians, provided the immediate political capital required to Russian espionage networks across the continent.

In a coordinated 48-hour window beginning April 4, 2022, European governments declared 206 Russian diplomatic personnel persona non grata. This single surge accounted for nearly 30% of all expulsions recorded between 2022 and 2025. The synchronization suggests that while the lists of were pre-compiled by agencies such as the BfV (Germany) and DGSE (France), the execution orders were withheld until a unifying geopolitical trigger emerged. The Bucha evidence removed the diplomatic shield that had previously protected known GRU and SVR operatives.

The April 4-5 Expulsion Wave

Germany initiated the cascade on April 4. Foreign Minister Annalena Baerbock announced the expulsion of 40 Russian diplomats, explicitly linking the decision to the atrocities. She described the presence of these officials as a “threat to those who seek protection,” a reference to the surveillance of Ukrainian refugees by Russian agents. France followed hours later, designating 35 Russian officials as threats to national security. The following day, Italy, Spain, and Denmark joined the purge, ejecting a combined 70 personnel.

The European Union’s External Action Service (EEAS) also broke precedent on April 5, declaring 19 officials from the Russian Permanent Mission to the EU in Brussels persona non grata. High Representative Josep Borrell confirmed these individuals were engaged in “activities contrary to their diplomatic status,” a standard euphemism for espionage, yet the timing was inextricably bound to the reports of war crimes.

Strategic of the Purge

The expulsion of 206 officials in two days degraded Russia’s human intelligence (HUMINT) capabilities in Western Europe. Intelligence assessments indicate that the expelled individuals included station chiefs (rezident) and encryption specialists essential for secure communication with Moscow. By removing these facilitators, host nations forced Russian intelligence services to rely on riskier non-official cover (illegals) and cyber operations.

Lithuania adopted the most severe stance. On April 4, Vilnius not only expelled diplomats formally downgraded diplomatic ties, ordering the Russian Ambassador to leave the country and closing the consulate in Klaipėda. Foreign Minister Gabrielius Landsbergis stated that “what the world saw in Bucha” necessitated a total re-evaluation of Russia’s diplomatic presence. This move signaled a fracture in the Vienna Convention’s traditional application, treating diplomatic missions not just as channels for dialogue, as extensions of a hostile military apparatus.

“The images from Bucha show an unbelievable brutality on the part of the Russian leadership and those who follow its propaganda… The Federal Government has therefore decided today to declare persona non grata a significant number of members of the Russian Embassy who have worked against our freedom.”
, Annalena Baerbock, German Foreign Minister (April 4, 2022)

Russia responded to the expulsions with symmetrical measures, yet the operational damage was asymmetrical. Western nations expelled active intelligence officers, while Russia’s retaliatory expulsions largely targeted genuine Western diplomats, further isolating Moscow from diplomatic channels without equally degrading Western intelligence collection, which relies heavily on technical means (SIGINT) rather than embassy-based operatives in Moscow.

Vienna Hub: The Unchecked Center of European Espionage

While London, Berlin, and Paris aggressively dismantled Russian intelligence networks following the 2022 invasion of Ukraine, Vienna remained a sanctuary for Kremlin operatives. Intelligence assessments from 2023 and 2024 identify the Austrian capital not as a diplomatic outpost, as the primary logistical and operational hub for Russian espionage across the European continent. A senior European intelligence official, speaking to the Financial Times in 2023, characterized Austria as a “veritable aircraft carrier” for Russian covert activity, a description supported by the clear in expulsion figures compared to NATO allies.

Between February 2022 and mid-2024, while other European nations expelled over 600 Russian diplomats, Austria declared only persona non grata. As of March 2024, verified that Russia maintained a diplomatic and administrative presence of over 500 state employees in Vienna. Austrian intelligence officials estimate that up to half of this contingent, approximately 250 individuals, are active intelligence officers operating under diplomatic cover. This density is facilitated by Austria’s hosting of international organizations, including the United Nations, OPEC, and the OSCE, which allows Moscow to accredit intelligence personnel to these bodies, bypassing bilateral limits.

The “Section 256” Loophole

The persistence of this espionage hub is legally structural. Until proposed legislative reforms in 2024, Austrian penal code Section 256 criminalized espionage only if it was directed “to the detriment of the Republic of Austria.” This legal framework created a permissive environment where Russian agents could legally operate from Viennese soil to conduct surveillance, recruit assets, and orchestrate operations against other nations, including Germany, the United States, and Ukraine, without fear of local prosecution. This “safe harbor” status allowed the GRU and SVR to use Vienna as a launchpad for kinetic operations across the Schengen zone.

The “Roof” and Technical Surveillance

Beyond human intelligence, Vienna serves as a serious node for Russian signals intelligence (SIGINT). Investigative reports and satellite imagery confirmed in 2023 that the rooftops of Russian diplomatic properties in Vienna, specifically the mission to the United Nations and the embassy on Reisnerstraße, are equipped with over 40 surveillance installations. These include parabolic dishes and multi-band antennas capable of intercepting satellite communications and cellular data across Central Europe. Unlike in other EU capitals where such equipment was dismantled or blocked, the “Roof” in Vienna remains fully operational, leveraging the city’s central location to monitor Western telecommunications traffic.

The Marsalek-Ott Nexus

The operational reality of the Vienna hub was exposed through the arrest of Egisto Ott, a former Austrian BVT (domestic intelligence) officer, in March 2024. Prosecutors allege Ott acted as a conduit for Jan Marsalek, the fugitive former COO of Wirecard and a suspected GRU asset. The investigation revealed that sensitive data, including the contents of smartphones belonging to high-ranking Austrian interior ministry officials, was physically transferred to Russian handlers in Vienna. also, intelligence suggests that the assassination of Maksim Kuzminov, a Russian pilot who defected to Ukraine and was killed in Spain in February 2024, was logistically supported by operatives based in Austria. The killers were reportedly paid with cash provided by Russian state employees operating out of the Vienna station, highlighting the direct link between the diplomatic “safe harbor” and lethal operations on European soil.

even with mounting pressure from Western allies, Austria’s response has been minimal. In April 2022, Vienna expelled four diplomats; in February 2023, four more; and in March 2024, two additional officials were ejected. This total of 10 expulsions over two years stands in sharp contrast to the hundreds removed by neighboring states, leaving the Vienna station largely intact and operational as of late 2025.

Geneva Operations: Intelligence Networks Under UN Cover

While European capitals systematically dismantled Russian intelligence networks throughout 2022 and 2023, Geneva emerged as the primary sanctuary for displaced operatives. Verified data from the Swiss Federal Intelligence Service (FIS) indicates that Switzerland maintained accreditation for approximately 220 Russian diplomatic personnel during the height of the expulsion waves. Intelligence assessments confirm that at least one-third of these individuals, roughly 75 to 80 officials, serve as active officers for the SVR, FSB, or GRU. This concentration represents the highest density of undeclared Russian intelligence personnel in Europe, turning the host city of the United Nations into a logistical hub for Kremlin operations across the continent.

The refusal of the Swiss Federal Council to mirror the mass expulsions enacted by the European Union created a distinct operational advantage for Moscow. Swiss authorities the preservation of diplomatic channels and traditional neutrality as justification for this inaction. Consequently, the Russian Mission to the United Nations in Geneva and the embassy in Bern absorbed intelligence officers who might otherwise have been ejected. FIS Director Christian Dussey publicly acknowledged in June 2023 that these diplomatic compounds function as command centers, with operatives using the cover of international organizations to conduct espionage without fear of immediate deportation.

The operational scope of these networks extends far beyond gathering political gossip. Investigations revealed that the Russian mission in Geneva provided logistical support for GRU Unit 29155, the elite squad responsible for sabotage and assassination missions across Europe. Egor Gordienko, a GRU officer operating under the diplomatic cover name “Georgy Gorshkov,” utilized his posting at the World Trade Organization to coordinate movements for hit squads before his quiet withdrawal. This direct link contradicts the notion that Geneva-based spies focus solely on passive information gathering. Instead, the city serves as a rear operating base where agents can procure supplies, secure funding, and coordinate travel across the Schengen zone with diplomatic immunity.

Technical surveillance capabilities within the diplomatic compounds have also expanded. In November 2024, Swiss public broadcaster RTS identified four unauthorized satellite antennas installed on the rooftops of Russian diplomatic buildings in Geneva. These devices, capable of intercepting signals intelligence (SIGINT) from nearby international bodies, were erected without the mandatory cantonal permits. The proximity of these installations to the European headquarters of the United Nations, the World Health Organization (WHO), and the International Telecommunication Union (ITU) allows Russian technicians to intercept sensitive communications regarding global sanctions, health policy, and telecommunications standards.

“Geneva is one of the most important hubs for Russian secret services. The sheer number of diplomats allows them to hide in plain sight, and the absence of expulsions makes it a safe harbor.”
, Boris Bondarev, former Russian diplomat to the UN in Geneva (Resigned May 2022)

The intelligence community refers to this phenomenon as the “Geneva Loophole.” While nations like Germany and France expelled hundreds of spies, the static number of Russian personnel in Switzerland suggests a deliberate strategy by Moscow to consolidate its assets where they are safest. The FIS 2023 situation report explicitly stated that the threat from prohibited intelligence activities remains “high” and that the Russian services have adapted to the new environment by relying more heavily on their Swiss-based infrastructure. This centralization allows the SVR to maintain contact with “illegals”, deep-cover spies operating without diplomatic status, who have become increasingly important as the number of legal residencies in other Western nations shrinks.

Counter-intelligence efforts in Switzerland remain reactive rather than proactive. Unlike the public declarations of persona non grata seen in Warsaw or Berlin, Swiss authorities prefer quiet administrative measures. The Federal Department of Foreign Affairs (FDFA) occasionally refuses accreditation to incoming replacements known to be intelligence officers, yet this attrition method is slow. As of late 2024, the number of Russian personnel in the country remained stable, ensuring that Geneva continues to function as a serious node in the Kremlin’s global intelligence architecture, even as the rest of the West closes its doors.

Brussels Infiltration: Targeting NATO and EU Headquarters

Brussels, hosting both the European Union and NATO headquarters, serves as the primary operating theater for Russian intelligence in Europe. The density of high-value , including 125 international organizations and thousands of diplomats, has transformed the Belgian capital into a congested zone of espionage. Between 2022 and 2025, Belgian authorities and EU officials dismantled a vast network of undeclared intelligence officers (UIOs) operating under diplomatic cover, revealing a sophisticated infrastructure designed to intercept decision-making at the highest levels of Western security.

The initial purge began on March 29, 2022, when the Belgian government expelled 21 Russian diplomats accredited to the Embassy in Brussels and the Consulate in Antwerp. Intelligence assessments confirmed these individuals were not engaged in diplomacy were elite operatives from the GRU (military intelligence) and SVR (foreign intelligence). Days later, on April 5, 2022, the European Union declared 19 officials from the Russian Permanent Mission to the EU persona non grata. This coordinated strike removed 40 intelligence officers in a single week, severely degrading Moscow’s ability to run human sources within EU institutions.

Investigations by the Belgian State Security Service (VSSE) and partner agencies exposed the specific identities and roles of those expelled. Among them was Alexei Kuksov, ostensibly an embassy official, identified as a high-ranking officer in the GRU’s Unit 29155, known for sabotage and assassination operations. Another expelled “attaché,” Aleksei Kozhevnikov, was traced to the address of GRU Unit 26165 in Moscow, a cyber-warfare division responsible for hacking the Democratic National Committee in 2016. These expulsions confirmed that the Kremlin used its Brussels diplomatic missions not just for political observation, as forward operating bases for kinetic and cyber operations.

Beyond human intelligence, the physical infrastructure of the Russian embassy in the Uccle district became a focal point of counter-intelligence efforts. An investigation dubbed “Espiomats,” concluded in April 2023, identified 17 large- satellite dishes and antenna arrays on the embassy roof, the highest concentration of such equipment at any Russian diplomatic site in Europe. Technical analysis indicates this hardware is capable of intercepting encrypted communications from the Belgian police (Astrid network), maritime traffic in the North Sea, and unshielded satellite uplinks used by NATO member states.

NATO headquarters has adopted the most aggressive containment strategy. Following the expulsion of eight undeclared officers in October 2021, the alliance capped the size of the Russian mission at ten personnel, paralyzing its intelligence-gathering capacity within the complex. Secretary General Jens Stoltenberg confirmed that the expulsions were a direct response to a surge in “malign activities,” including the collection of classified data on weapons shipments to Ukraine. By 2024, access for Russian officials to NATO premises was virtually non-existent, forcing operatives to rely on non-diplomatic covers.

“We are no longer dealing with diplomats who spy on the side. We are dealing with full-time intelligence officers who use diplomatic immunity solely as a shield for sabotage and interference operations.”

even with these measures, the threat through “grey zone” actors. The VSSE’s 2024 annual report highlights a tactical shift by Russian services toward using “illegals”, spies operating without diplomatic cover, and recruiting “freelancers” via platforms like Telegram for low-level sabotage. Kirill Logvinov, the acting head of the Russian Mission to the EU, remains in Brussels even with being identified by multiple European intelligence services as a suspected SVR associate. His continued presence illustrates the legal and diplomatic complexities Brussels faces: while known operatives are ejected, the diplomatic channel requires a minimum functional staff, creating a calculated vulnerability that Moscow continues to exploit.

Berlin: The Tiergarten Murder and BND Compromise

Embassy Spy Ring

The intelligence war between Germany and Russia reached its kinetic zenith in Berlin, transforming the German capital from a passive listening post into an active battleground for state-sponsored assassination and high-level treason. While expulsions elsewhere in Europe were frequently bureaucratic necessities, Berlin’s countermeasures were driven by blood spilled in the Kleiner Tiergarten and the penetration of Germany’s foreign intelligence service, the Bundesnachrichtendienst (BND).

On August 23, 2019, Zelimkhan Khangoshvili, a Georgian citizen of Chechen descent, was executed in broad daylight by Vadim Krasikov, an FSB operative traveling under the alias Vadim Sokolov. The brazen nature of the killing, committed with a silenced Glock 26 near the parliamentary district, forced a recalibration of German counter-intelligence. In December 2021, the Berlin Higher Regional Court delivered a landmark verdict, explicitly characterizing the assassination as “state terrorism” ordered by the Russian central government. This judicial confirmation triggered the immediate expulsion of two Russian diplomats, a precursor to the mass purges that would follow the invasion of Ukraine.

The geopolitical weight of the Tiergarten murder well into 2024. On August 1, 2024, Krasikov was released from German custody as the linchpin of a high- prisoner exchange involving the United States and Russia. His return to Moscow, where he was embraced on the tarmac by President Vladimir Putin, underscored the Kremlin’s operational doctrine: state assets be retrieved at any cost. For German authorities, the release was a bitter strategic concession, trading a convicted assassin to secure the freedom of Western nationals, including journalist Evan Gershkovich.

The BND Mole: Operation “Carsten L.”

While the Tiergarten murder played out in public, a catastrophic breach was unraveling inside the BND’s headquarters. In December 2022, German authorities arrested Carsten L., a senior BND director, on charges of high treason. Investigations revealed that Carsten L., aided by a courier identified as Arthur E., had transmitted highly classified intelligence to the FSB. The compromised material included nine internal documents regarding technical intelligence gathering, specifically targeting the Wagner Group’s internal communications during the war in Ukraine.

Prosecutors disclosed that the FSB paid the pair approximately €850, 000 for the material. The betrayal blinded Western intelligence to serious Russian paramilitary maneuvers at a decisive phase of the conflict. The trial, which commenced in December 2023, exposed the fragility of European intelligence vetting, revealing that Carsten L. had printed top-secret files at his workstation in Pullach and Berlin before handing them to Arthur E., who trafficked the digital copies to Moscow. The severity of the breach necessitated a complete overhaul of the BND’s internal security.

Diplomatic Scorched Earth

The cumulative impact of the assassination and the BND penetration catalyzed a diplomatic “scorched earth” policy by the German Foreign Office. In April 2023, Berlin executed a mass expulsion of over 30 Russian diplomats, identifying them as undeclared intelligence officers. Unlike previous expulsions, this operation was designed to the residency’s operational infrastructure permanently.

The escalation continued in May 2023, when Germany revoked the licenses of four out of the five Russian consulates operating in the country. This order forced the closure of Russian diplomatic missions in Hamburg, Leipzig, Frankfurt, and Munich, leaving only the embassy in Berlin and the consulate in Bonn operational. The move was a direct retaliation for Moscow’s imposition of a 350-person cap on German state employees in Russia, which had decimated the staff of the Goethe-Institut and German schools.

The “Zenit” Surveillance Network

even with the reduction in human assets, Russian technical surveillance capabilities in Berlin remained a primary concern. Investigative reports by the Dossier Center in 2023 identified the Russian embassy on Unter den Linden as a major node in the “Zenit” signals intelligence (SIGINT) network. Satellite imagery and on-site analysis confirmed the presence of a “cage” antenna system and multiple containers on the embassy roof, equipment capable of intercepting cellular and radio communications across the government district.

Security officials assessed that these installations allowed the GRU to monitor Bundestag communications and mobile data within a significant radius. While the expulsion of technical officers degraded the maintenance of these systems, the physical infrastructure remained protected under diplomatic inviolability, creating a persistent electronic surveillance threat in the heart of the German capital.

London Strategy: MI5 and the Strategic Blow Assessment

The systematic of Russian intelligence networks in the United Kingdom has evolved from reactive expulsions into a calculated doctrine of permanent exclusion. In November 2022, MI5 Director General Ken McCallum delivered a definitive assessment of this campaign, declaring that the coordinated expulsion of over 400 Russian officials from Europe, including 600 globally, constituted the “most significant strategic blow” against the Russian Intelligence Services in recent history. For London, this was not a diplomatic signal an operational reset designed to blind the Kremlin’s human intelligence (HUMINT) capabilities permanently.

Central to this strategy is the “Kick Them Out, Keep Them Out” doctrine, a phrase McCallum explicitly used in his October 2024 threat update. The Home Office and Foreign, Commonwealth & Development Office (FCDO) have enforced a rigorous visa denial regime to prevent the rotation of fresh intelligence officers into the UK. By late 2022, British authorities had already refused over 100 diplomatic visa applications on national security grounds, placing a hard cap on the Russian mission’s size. This policy of attrition has forced the GRU and SVR to operate with a “reduced roster” of embassy-based spies, severing the traditional links between diplomatic cover and street-level espionage.

The May 2024 Escalation: Seacox Heath and Colonel Elovik

The campaign intensified on May 8, 2024, when the UK government executed a targeted strike against the remaining infrastructure of Russian intelligence in Britain. Home Secretary James Cleverly announced the expulsion of Colonel Maxim Elovik, the Russian Defence Attaché, identifying him as an “undeclared military intelligence officer.” Elovik’s expulsion marked the time since the Cold War that a serving Russian defence attaché was ejected from London, signaling a total collapse in military-to-military trust.

Simultaneously, the government stripped the diplomatic status from two key properties: the Trade and Defence Section in Highgate, north London, and Seacox Heath in Ticehurst, East Sussex. Seacox Heath, a 19th-century manor used for decades as a weekend retreat for embassy staff, was identified by intelligence agencies as a secure base for espionage operations. By removing its diplomatic immunity, the UK stripped the site of its legal protections, allowing British law enforcement and counter-intelligence agencies chance access and surveillance capabilities previously barred by the Vienna Convention.

The Shift to “Mayhem” and Proxy Warfare

The success of the expulsion strategy has forced a dangerous tactical evolution in Russian operations. With their professional intelligence officers removed or denied entry, the Kremlin has increasingly turned to “proxies”, including organized criminals and private intelligence operatives, to conduct what MI5 describes as “dirty work.” In his October 2024 update, McCallum warned that the GRU was on a “sustained mission to generate mayhem” on British and European streets, resorting to arson, sabotage, and reckless violence executed by amateurs recruited remotely.

This shift represents a degradation of tradecraft an increase in volatility. The reliance on proxies indicates that the “London Strategy” has successfully severed the secure command-and-control links that professional spies once maintained. yet, the use of expendable criminal elements for kinetic attacks, such as the arson of Ukrainian-linked commercial properties, demonstrates a desperate attempt to maintain a threat posture even with the loss of sophisticated HUMINT networks.

The retaliatory pattern continued in May 2024, with Moscow expelling the British Defence Attaché, Captain Adrian Coghill, in a tit-for-tat response. Yet, the asymmetry of the exchange is clear. The UK’s strategy has not reduced numbers has fundamentally altered the operating environment, forcing Russian intelligence services to abandon long-term infiltration for short-term, high-risk disruption tactics. As of 2025, the Russian diplomatic footprint in London remains at a historic low, with the visa blockade ensuring that the networks dismantled in 2022 and 2024 cannot be quietly rebuilt.

The Oslo Deception: ‘José Assis Giammaria’

On October 24, 2022, officers from the Norwegian Police Security Service (PST) detained a man on his way to the University of Tromsø (UiT). To his colleagues at the Centre for Peace Studies, he was José Assis Giammaria, a gregarious 37-year-old Brazilian academic eager to research hybrid threats and Arctic security. To counter-intelligence officials, he was Mikhail Valeryevich Mikushin, a Colonel in the Russian Main Intelligence Directorate (GRU). His arrest marked the collapse of a decade-long “illegal” operation designed to infiltrate the highest levels of Northern European security policy.

The detention of Mikushin represented a significant victory for Western counter-intelligence, exposing a deep-cover operative who had successfully navigated Canadian and Norwegian academic circles for years. Unlike intelligence officers operating under diplomatic cover, “illegals” like Mikushin operate without official protection, building elaborate backstories, or “legends”, to blend direct into the target society. Mikushin’s specific mission targeted the strategic High North, a region of intensifying geopolitical competition between NATO and Russia.

The Legend vs. The Reality

Mikushin’s cover identity was meticulously constructed fragile. He spent years establishing his bona fides in Canada before moving to Norway, a common tactic to build a verifiable Western footprint. The following table contrasts the fabricated persona of “José Assis Giammaria” with the verified biographical data of the GRU officer.

The sophistication of Mikushin’s cover allowed him to access sensitive academic networks. In Canada, he volunteered for political campaigns and published articles advocating for a stronger Canadian naval presence in the Arctic, a classic “dangle” to establish credibility as a security hawk. By 2021, he had secured a position at UiT’s GreyZone research group, which specializes in studying exactly the kind of hybrid warfare tactics he was deployed to execute. His placement gave him chance access to experts, policy discussions, and unclassified sensitive data regarding NATO’s northern flank.

Digital Breadcrumbs and Identification

Even with the elaborate backstory, Mikushin’s tradecraft contained fatal errors. Investigative analysis by Bellingcat and The Insider, corroborated by Norwegian authorities, revealed that Mikushin had reused passwords across his personal and cover accounts. One password used for his university account was linked to an old Russian email address, mika-invasor@rambler. ru (“Mikhail the Invader”), and another account associated with the Brazilian persona. also, digital traces connected him to a driver’s license issued in Russia and a registered address at the GRU’s conservatory in Moscow.

These digital slip-ups accelerated the PST’s investigation. Norwegian authorities had been tracking him prior to the arrest, concerned by his keen interest in infrastructure and security policy. The timing of the arrest in late 2022 coincided with heightened vigilance across Europe following the invasion of Ukraine and the sabotage of the Nord Stream pipelines. The PST assessed that Mikushin’s presence in Tromsø was not academic operational, likely intended to sabotage or recruit sources within the Norwegian security establishment.

Judicial Proceedings and Prisoner Exchange

Following his arrest, Mikushin was charged with aggravated intelligence-gathering activity targeting state secrets. For over a year, he maintained his Brazilian identity, refusing to speak Russian and communicating only in English or Portuguese. yet, the weight of biometric and digital evidence eventually forced a concession. In December 2023, during a court hearing, he admitted to being a Russian national, though he stopped short of confirming his intelligence affiliation at that time.

The legal saga concluded outside the courtroom. On August 1, 2024, Mikushin was released as part of a high-profile prisoner exchange between Russia and the West, coordinated by Turkish intelligence. His inclusion in the swap, alongside convicted hitman Vadim Krasikov and other high-value assets, served as de facto confirmation of his importance to the Kremlin. The exchange underscored the high of the “illegal” program; Moscow was to trade significant political capital to retrieve a compromised officer, signaling the strategic value placed on deep-cover operations in the Arctic.

The expulsion of Mikushin disrupted a long-term GRU investment in Northern Europe. His removal forced Russian intelligence to abandon a carefully cultivated asset and highlighted the vulnerabilities of Western academic institutions to foreign espionage. The case remains a primary case study for counter-intelligence services in Norway and Canada, demonstrating that even well-credentialed researchers can serve as vectors for hostile state actors.

The Ljubljana Sleeper Cell: The Argentine Family Cover

In early December 2022, Slovenian special police units raided a modest suburban home at 35 Primožičeva Street in the Črnuče district of Ljubljana. The were Ludwig Gisch and Maria Rosa Mayer Muñoz, a quiet couple ostensibly from Argentina who had lived in the Alpine nation since 2017. Neighbors knew them as a polite, Spanish-speaking family with two young children attending the British International School. This domestic façade collapsed when investigators discovered a specially modified compartment in the kitchen refrigerator containing hundreds of thousands of euros in crisp banknotes. The “Argentines” were identified as Artem Viktorovich Dultsev and Anna Valerevna Dultseva, elite deep-cover officers of the Russian Foreign Intelligence Service (SVR).

The Dultsevs operated as “illegals,” a tier of spies who function without diplomatic immunity or official connection to the Russian state. Their cover identities were meticulously constructed over a decade. Artem Dultsev posed as Ludwig Gisch, the CEO of DSM&IT, a startup purporting to sell security software. Technical analysis of the company’s products later revealed them to be obsolete and non-functional, serving as a pretext for his frequent travel. Anna Dultseva operated under the alias Maria Rosa Mayer Muñoz, running an online art business called “5’14 Gallery.” Her platform claimed to represent over 90 artists and allowed her to attend art fairs across Europe, providing a plausible reason for cross-border movement within the Schengen Zone.

Intelligence assessments indicate the couple used Slovenia as a logistical rear base for SVR operations throughout the European Union. Unlike embassy-based spies who recruit assets, the Dultsevs functioned as paymasters and couriers. The cash hoard found in their refrigerator was not for personal enrichment for financing other Russian intelligence assets in Italy, Croatia, and Hungary. During the raid, authorities also seized specialized hardware used to send encrypted burst transmissions to handlers in Moscow. The encryption was so advanced that neither Slovenian nor American technicians could decrypt the device’s contents without the access codes.

The operational security of the cell was absolute, extending even to the couple’s own children. The daughter and son, aged 11 and 8 at the time of the prisoner exchange, spoke only Spanish and were completely unaware of their Russian heritage. Following the parents’ arrest, the children were placed in care while the Dultsevs remained in detention for 19 months. The couple refused to cooperate with investigators, maintaining silence consistent with SVR counter-interrogation training. It was only on July 31, 2024, that they entered a guilty plea at the Ljubljana District Court. They were sentenced to one year and seven months in prison, time already served, and ordered to be expelled from the country for five years.

The expulsion materialized the following day, August 1, 2024, as part of the largest East-West prisoner swap since the Cold War. The family was flown to Ankara, Turkey, and then transferred to a Russian government jet bound for Moscow. Upon arrival, they were greeted on the tarmac by President Vladimir Putin, who addressed the children in Spanish with “Buenas noches.” Kremlin officials later confirmed that the children learned of their true nationality only during the flight from Ankara to Moscow. The Dultsev case exposed a serious vulnerability in European security architecture: the use of third-country nationals to bypass counter-intelligence monitoring focused on Russian diplomatic missions.

Sofia Sabotage: GRU Unit 29155 and Ammo Depot Blasts

The investigation into a decade-long campaign of sabotage on Bulgarian soil culminated in April 2021, when the Prosecutor General’s Office in Sofia formally linked six Russian nationals to a series of explosions at military ammunition depots. These incidents, previously categorized as industrial accidents, were reclassified as acts of state-sponsored terrorism orchestrated by GRU Unit 29155. The probe revealed a systematic effort by Russian military intelligence to sever logistical supply lines providing Soviet-standard munitions to Ukraine and Georgia. Between 2015 and 2020, Unit 29155 operatives executed four distinct attacks on facilities housing inventory owned by EMCO, the arms trading firm led by Emilian Gebrev.

Forensic analysis conducted in 2021 established that the blasts followed a specific signature: a precursor fire intended to force an evacuation, followed by a remote detonation of high-yield charges. The most significant of these attacks occurred in March and April 2015 at the VMZ Sopot state military plant in Iganovo. On March 21, 2015, over 2, 000 rockets and anti-tank grenades destined for the Ukrainian frontlines were destroyed. A second explosion struck the same facility on April 14, 2015, obliterating additional stockpiles. Prosecutors confirmed that the specific aim was to disrupt the flow of 120mm and 152mm artillery shells to Kyiv during the height of the Donbas conflict.

The sabotage campaign operated in tandem with lethal kinetic operations against key personnel. Emilian Gebrev, his son Hristo, and production director Valentin Tahchiev were targeted with a Novichok-class nerve agent in Sofia between April 28 and May 4, 2015. Toxicology reports verified the presence of organophosphates, linking the assassination attempt directly to the chemical weapon signature used in the 2018 Salisbury attack. Flight manifests and border control data placed GRU Major General Denis Sergeyev, operating under the alias “Sergei Fedotov,” in Bulgaria during both the Iganovo explosions and the poisoning of Gebrev. Sergeyev commanded the operation on the ground, coordinating with a rotating team of Unit 29155 specialists.

The diplomatic from these precipitated a collapse in Sofia-Moscow relations. Following the April 2021 announcement, the Bulgarian Ministry of Foreign Affairs declared a Russian diplomat persona non grata, citing incompatible activities. This initial ejection triggered a cascade of counter-intelligence actions. In March 2022, amid the broader European response to the invasion of Ukraine, Bulgaria expelled 10 Russian diplomats. The purge intensified in June 2022, when Prime Minister Kiril Petkov ordered the expulsion of 70 Russian diplomatic staff, the largest single ejection in the country’s history. The government identified these individuals as working under diplomatic cover to espionage and sabotage operations.

Investigations continued into 2023, uncovering further infiltration within non-state institutions. In September 2023, the State Agency for National Security (DANS) expelled Archimandrite Vassian (Nikolai Zmeev), the head of the Russian Orthodox Church in Sofia, along with two Belarusian clerics. DANS their participation in “hybrid warfare operations” and efforts to influence Bulgarian socio-political processes in favor of the Kremlin. This move signaled a widening of the counter-intelligence net, targeting the logistical and ideological support structures that had allowed Unit 29155 to operate with impunity for over a decade.

The 2020 explosion at the Arsenal plant in Maglizh remains a focal point of ongoing inquiries. Prosecutors established that specific detonators used in the blast matched the technical specifications of devices deployed by GRU teams in the 2014 Vrbětice explosions in the Czech Republic. This forensic link provided the concrete evidence of a synchronized, cross-border sabotage campaign orchestrated by General Andrey Averyanov, the commander of Unit 29155, designed to systematically disarm NATO’s eastern flank.

The April 2021

On April 17, 2021, the Czech government shattered decades of diplomatic inertia with a televised announcement that fundamentally altered the security architecture of Central Europe. Prime Minister Andrej Babiš and Interior Minister Jan Hamáček revealed “unequivocal evidence” linking Russian military intelligence (GRU) to the 2014 ammunition depot explosions in Vrbětice, which killed two Czech nationals. The immediate response was the expulsion of 18 Russian diplomats identified as undercover intelligence officers from the SVR and GRU. This move, while significant, was the opening salvo in a confrontation that would decimate Moscow’s intelligence capabilities in Prague.

The Vrbětice incident, initially treated as an industrial accident, was reclassified as an act of state terrorism following a forensic breakthrough by the Czech Security Information Service (BIS) and the National Centre for Combating Organised Crime (NCOZ). Investigators placed notorious GRU Unit 29155 operatives at the scene days before the blast. The triggered a diplomatic chain reaction: when Moscow retaliated by expelling 20 Czech diplomats, paralyzing the Czech embassy in Russia, Prague invoked Article 11 of the Vienna Convention. The Czech Foreign Ministry demanded “strict parity,” capping the Russian embassy’s workforce to match the size of the Czech mission in Moscow. This ultimatum forced the departure of an additional 63 Russian embassy employees by May 31, 2021, marking the largest single ejection of Russian personnel prior to the 2022 invasion of Ukraine.

Forensic Trail: Unit 29155

The evidence presented by Czech authorities provided a rare, granular view into the operational mechanics of GRU sabotage teams. The investigation confirmed that Anatoliy Chepiga and Alexander Mishkin, the same duo later charged with the 2018 Skripal poisoning in Salisbury, had entered the Czech Republic in October 2014 under the aliases “Ruslan Tabarov” and “Nikolay Popa.” Unlike their tourist cover in the UK, the operatives posed as arms inspectors representing the National Guard of Tajikistan.

Key documentary evidence included an email sent to the Imex Group, the operator of the Vrbětice depot, requesting entry permits for the two men. While the email appeared to originate from Tajikistan, digital forensics traced its metadata back to GRU infrastructure. also, travel logs placed the unit’s commander, General Andrey Averyanov, in Vienna and Ostrava during the serious window, suggesting high-level on-site supervision. The operation targeted munitions owned by Bulgarian arms dealer Emilian Gebrev, intended for transfer to Ukraine to support its defense against the initial Russian incursion in Donbas.

The Parity Precedent

The invocation of “strict parity” was a strategic innovation that stripped Russia of its numerical advantage in diplomatic staffing. Historically, the Russian embassy in Prague functioned as a regional hub for intelligence operations, hosting over 120 staff members compared to the Czech Republic’s modest presence in Moscow. By tethering the Russian cap to the Czech headcount, Prague forced a structural downsizing that mere persona non grata declarations could not achieve. This method dismantled the logistical support network for Russian espionage in Central Europe, removing the drivers, technicians, and administrative staff who facilitated covert operations.

The extended beyond bilateral relations. Slovakia, Estonia, Latvia, and Lithuania expelled Russian diplomats in solidarity, signaling a NATO response to kinetic sabotage on alliance territory. The Vrbětice case served as a serious stress test for Western counter-intelligence coordination, establishing the evidentiary standards and diplomatic playbooks that would be deployed following the full- invasion of Ukraine in 2022. The expulsion of over 80 Russian staff from Prague in 2021 blinded the GRU in a key operational theater just months before the Kremlin launched its war.

The Collapse of the SVR’s “Special Reserve”

The myth of Russia’s “illegals” (nelegaly), deep-cover intelligence officers operating without diplomatic immunity, shattered between 2022 and 2025. Historically revered by the SVR (Foreign Intelligence Service) as the “Special Reserve,” these operatives were designed to be undetectable, living for decades under elaborate non-Russian legends. yet, a cascade of arrests and exposures across Europe and the Americas revealed a widespread degradation in Russian tradecraft. Western counter-intelligence agencies, aided by digital forensics and biometric data sharing, dismantled networks that had taken Moscow decades and millions of dollars to construct. The expulsion of “legal” spies from embassies forced the SVR and GRU to activate these deep-cover assets, exposing them to heightened scrutiny they could not withstand.

The most high-profile failure involved the SVR couple Artem Dultsev and Anna Dultseva, who operated in Ljubljana, Slovenia, under the aliases Ludwig Gisch and Maria Rosa Mayer Muños. Posing as Argentine expatriates, they ran an IT startup and an online art gallery respectively, using Slovenia’s Schengen access to travel freely across Europe. Their arrest in December 2022 and subsequent guilty pleas in 2024 exposed the SVR’s reliance on South American “legends” to bypass European visa restrictions. The couple’s children, who attended an international school in Ljubljana, remained unaware of their Russian heritage until the family was deported to Moscow during the August 2024 prisoner exchange. This case confirmed that the SVR continued to deploy “married couples” in the tradition of the Cold War, a tactic that proved fragile in the age of ubiquitous digital surveillance.

Simultaneously, the GRU (Main Directorate of the General Staff) suffered parallel catastrophes within its own illegals program, frequently due to sloppy administrative errors. The exposure of Sergey Vladimirovich Cherkasov, who spent a decade building the identity of Brazilian national “Victor Muller Ferreira,” highlighted the vulnerability of these legends. Cherkasov attempted to infiltrate the International Criminal Court (ICC) in The Hague as an intern in April 2022, precisely when the court began investigating Russian war crimes in Ukraine. Dutch intelligence (AIVD) intercepted him at the border, identifying him as a GRU officer. His cover crumbled not through human betrayal, through biometric analysis and the discovery of sequential passport numbers issued to GRU operatives, a bureaucratic oversight that compromised dozens of agents.

The of these networks extended to Scandinavia and the Mediterranean. In Norway, “José Assis Giammaria,” a researcher at the University of Tromsø focused on hybrid threats, was unmasked in October 2022 as Mikhail Mikushin, a GRU colonel. Like Cherkasov, he utilized a Brazilian cover identity. In Greece, the disappearance of “Maria Tsalla”, a knitting shop owner in Athens, and her husband “Gerhard Daniel Campos Wittich” in Rio de Janeiro, further exposed the depth of the infiltration. Identified as Irina Smireva and Artem Shmyrev, this couple fled in January 2023, abandoning their lives as their network began to unravel. These synchronized exposures suggest a coordinated Western counter-intelligence effort to purge the “illegals” infrastructure that Moscow had positioned as its strategic insurance policy.

Operational Failures and Exposed Agents (2022, 2025)

The strategic impact of these failures exceeds the loss of individual officers. The “illegals” program requires years of training and identity construction, making these assets irreplaceable in the short term. The exposure of the “South American route”, the systematic use of Brazilian, Argentine, and Peruvian birth certificates to create legends, forces Russian intelligence to abandon a primary infiltration vector. also, the public identification of these officers strips away the psychological mystique of the SVR’s reach. The August 2024 exchange, where President Putin personally greeted the Dultsevs at Vnukovo Airport, was a tacit admission of the program’s compromise. Moscow recovered its people, the network they inhabited is burned.

Unit 29155: Neutralizing the Assassination Squads

Within the broader expulsion of 750 intelligence officers, the of GRU Unit 29155 represented the most urgent tactical priority for Western counter-intelligence. Unlike the SVR’s political analysts or the GRU’s cyber operators in Unit 74455, Unit 29155 functioned as a dedicated kinetic warfare branch, tasked with assassinations, sabotage, and coup attempts on European soil. Intelligence assessments finalized in late 2024 confirm that at least 34 operatives directly attached to this unit were among those expelled under diplomatic cover between 2022 and 2025, severing the logistical arteries of Russia’s “wetwork” capabilities.

The unit, commanded by Major General Andrei Averyanov, operated for over a decade with relative impunity, utilizing diplomatic missions in Vienna, Geneva, and Prague as forward operating bases. The systematic neutralization of this cell began in earnest not in 2022, with the April 2021 expulsion of 18 Russian diplomats from the Czech Republic. This action followed the that Unit 29155 operatives Alexander Mishkin and Anatoly Chepiga, the same duo responsible for the 2018 Salisbury Novichok poisoning, orchestrated the 2014 ammunition depot explosions in Vrbětice, which killed two Czech nationals. The 2021 purge in Prague stripped the unit of its primary Central European logistics hub, forcing a relocation of operational planning to Switzerland and Austria.

By 2024, the scope of Unit 29155’s aggression became fully visible. A joint investigation by The Insider, Der Spiegel, and 60 Minutes provided the forensic evidence linking the unit to “anomalous health incidents,” commonly known as Havana Syndrome. Verified travel data placed Unit 29155 operatives, including Averyanov’s son, at the precise locations of acoustic energy attacks against U. S. diplomats in Frankfurt, Tbilisi, and Tashkent. These accelerated the targeted ejection of specific “attachés” in Germany and the Baltics who were identified as support officers for these directed energy operations.

The expulsion of these officers forced a tactical regression in Russian sabotage operations. Deprived of seasoned intelligence officers with diplomatic immunity to transport explosives or chemical agents, the GRU increasingly relied on “expendable” proxies. Throughout 2024 and 2025, security services in Poland, Germany, and the UK arrested dozens of low-level recruits, frequently recruited via Telegram for small sums, tasked with arson attacks on warehouses and commercial centers. These amateur saboteurs absence the tradecraft of the professional Unit 29155 officers they replaced, leading to high failure rates and rapid attribution.

The degradation of Unit 29155 also exposed its internal restructuring. Following the exposure of the Vrbětice attack and the Skripal poisoning, General Averyanov was reassigned to lead the “Service for Special Activities,” a new umbrella organization designed to integrate kinetic sabotage with cyber warfare. This shift was confirmed in September 2024, when the FBI and CISA Unit 29155 as the actor behind the “WhisperGate” malware, marking the time the assassination squad was formally attributed to destructive cyber operations. This hybridization of tactics reflects a desperate adaptation; with their physical presence in embassies decimated by mass expulsions, the unit was forced to strike from behind a keyboard in Moscow rather than from a hotel room in Salisbury.

even with these setbacks, the unit remains a lethal threat. The February 2024 assassination of Maxim Kuzminov, a Russian pilot who defected to Ukraine, in Spain demonstrated that Unit 29155 retains the capacity for targeted violence in non-hostile territories. yet, the operational tempo has slowed significantly compared to the 2014, 2018 peak. The loss of the “Geneva residency”, a serious safe haven where operatives like Denis Sergeev (alias Sergey Fedotov) coordinated attacks, has forced the GRU to route operations through third countries with laxer visa regimes, increasing the risk of detection.

“We have stripped them of their armor. In 2018, they could travel with diplomatic pouches and immunity. Today, they are forced to hire local criminals to burn down sheds, because their officers cannot cross the border without triggering a biometric alarm.”
, Senior Counter-Terrorism Official, German BfV (Briefing to Bundestag Control Committee, October 2025)

The cumulative effect of these expulsions is the functional neutralization of Unit 29155 as a strategic asset in Western Europe. While they continue to attempt sabotage, the era of elite officers traveling freely to conduct chemical weapons attacks or precision bombings has been curtailed by the coordinated removal of their diplomatic support network. The infrastructure that allowed Mishkin and Chepiga to survey the Salisbury cathedral spire has been dismantled, visa by visa, person by person.

Proxy Warfare: Hiring Criminals for Arson and Mayhem

With their diplomatic networks dismantled and 750 intelligence officers expelled, the GRU and FSB were forced to pivot their operational model in 2024. Unable to rely on protected embassy staff to plant explosives or conduct surveillance, Russian intelligence agencies turned to a “gig economy” of terror, recruiting disposable proxies through encrypted messaging apps like Telegram. This shift marked a dangerous devolution in statecraft, where professional spies were replaced by petty criminals, football hooligans, and desperate migrants hired for as little as €500 to conduct arson and sabotage across Europe.

Intelligence assessments from 2025 confirm that this outsourcing strategy was not a stopgap a calculated doctrine of “plausible deniability.” By hiring local amateurs, Moscow sought to distance itself from the physical acts of destruction while maintaining the strategic aim of destabilizing Western logistics. The recruits, frequently unaware of their true paymasters, were paid in cryptocurrency to burn warehouses, vandalize government property, and attack serious infrastructure.

The London Starlink Plot

The most high-profile failure of this new model occurred in East London. In March 2024, a group of British men recruited by the Wagner Group set fire to a warehouse in Leyton containing Starlink satellite equipment destined for the Ukrainian frontline. The operation, orchestrated by 20-year-old Dylan Earl, caused approximately £1 million in damages failed to destroy the bulk of the tactical gear. Earl and his accomplices, including Jake Reeves, were convicted in July 2025 under the National Security Act. Prosecutors revealed that the cell had been recruited via Telegram and paid to target entities supporting Ukraine’s defense.

The Warsaw Shopping Center Inferno

A more destructive success for this proxy network occurred in Poland. On May 12, 2024, the Marywilska 44 shopping center in Warsaw was destroyed by a massive fire. Polish Prime Minister Donald Tusk later confirmed that the arson was ordered by Russian intelligence services. Investigations revealed that the perpetrators were recruited from organized crime circles within the Belarusian and Ukrainian diaspora. In October 2025, a Polish court sentenced three Ukrainian nationals for their roles in the attack, which was part of a broader campaign to sabotage logistics hubs in Central Europe.

The “Mayhem” Doctrine

The operational tempo of these attacks forced Western security services to problem clear public warnings. In October 2024, MI5 Director General Ken McCallum stated that the GRU was on a “sustained mission to generate mayhem on British and European streets.” This assessment was corroborated by the discovery of incendiary devices in DHL logistics hubs in the UK and Germany in July 2024. These devices, disguised as consumer electronics, were timed to ignite mid-flight, posing a catastrophic risk to civilian cargo aircraft.

“We face state-backed sabotage and assassination plots against the backdrop of a major European land war. The Russian intelligence services have gone a bit feral… they are using proxies, including organized criminal networks, to do their dirty work.”
, Ken McCallum, Director General of MI5, October 8, 2024

The use of “expendable” agents also extended to symbolic violence. In Estonia, Russian operatives paid local criminals to smash the car windows of Interior Minister Lauri Läänemets in early 2024. In Latvia, a man recruited from prison via Telegram threw a Molotov cocktail into the Museum of the Occupation in Riga. These incidents, while tactically minor, served a strategic purpose: to exhaust Western counter-terrorism resources by flooding the zone with low-level, high-frequency threats.

Maritime Threat: The Ghost Fleet Mapping Nordic Cables

The systematic expulsion of 750 Russian intelligence officers from European capitals forced the Kremlin to shift its reconnaissance infrastructure from diplomatic compounds to the open sea. By early 2026, intelligence assessments from Nordic agencies confirmed that the Main Directorate of Deep-Sea Research (GUGI) had assumed primary responsibility for mapping serious energy and data infrastructure in the North and Baltic Seas. This strategic pivot relies on a “Ghost Fleet” of ostensibly civilian vessels, fishing trawlers, research ships, and shadow tankers, equipped with military-grade surveillance technology.

A joint investigation released in April 2023 by public broadcasters DR (Denmark), NRK (Norway), SVT (Sweden), and Yle (Finland) exposed the of this operation. The investigation, titled The Shadow War, analyzed maritime traffic data from 2013 to 2023 and identified 50 Russian vessels operating with suspicious sailing patterns. These ships frequently disabled their Automatic Identification System (AIS) transponders to from civilian tracking while loitering near offshore wind farms, gas pipelines, and fiber-optic cables. Intelligence officials in Copenhagen and Oslo state that the primary objective is not espionage the preparation of target packages for sabotage in the event of a kinetic conflict with NATO.

The operational methodology was vividly illustrated by the activities of the Admiral Vladimirsky. Officially as an oceanographic research vessel, the ship conducted a month-long voyage through the Baltic and North Seas in late 2022. During this mission, it systematically mapped current and future offshore wind farm sites off the coasts of Scotland and Denmark. When a team of journalists from DR method the vessel in a rigid-hulled inflatable boat near the Kattegat strait, they were not met by scientists. Instead, a masked individual clad in military tactical gear appeared on the deck and aimed an assault rifle at the reporting team. The Admiral Vladimirsky had operated with its AIS transmitter disabled for weeks prior to this encounter.

The threat escalated significantly between 2024 and 2025 as the “Shadow Fleet” of uninsured oil tankers began to play a dual role in sanctions evasion and hybrid warfare. In December 2024, the Cook Islands-flagged tanker Eagle S dragged its anchor for 100 miles across the Gulf of Finland seabed. This action severed the Balticconnector gas pipeline and multiple data cables connecting Estonia and Finland. Finnish investigators later determined the anchor drag was intentional. By August 2025, Finnish prosecutors formally charged the vessel’s captain and officer with endangering maritime traffic and damaging serious infrastructure. The Eagle S incident marked a tactical evolution where commercial vessels are used as kinetic weapons against subsea assets.

The coordination of these assets links directly back to the intelligence vacuum created by the embassy expulsions. With fewer GRU and SVR officers on the ground to verify physically, Moscow relies on electronic and hydroacoustic data gathered by these vessels. The British Royal Navy and Norwegian Coast Guard have responded by increasing patrols around key energy installations. In September 2025, the UK Ministry of Defence reported tracking the Yantar as it shadowed strategic communication cables off the coast of Ireland. The vessel is known to carry manned and unmanned submersibles capable of cutting or tapping underwater lines.

Norwegian intelligence services warned in their 2026 annual assessment that the distinction between civilian and military maritime activity has dissolved. Russian intelligence agencies operatives within the crews of fishing trawlers docked in Kirkenes and Tromsø. These vessels possess the legal right to enter ports that military ships cannot access. Once docked, they serve as platforms for signals intelligence (SIGINT) collection against local NATO naval movements. The expulsion of diplomats removed the spies from the embassies, the network has reorganized on the water, where the legal frameworks for counter-intelligence are far more complex to enforce.

Cyber Pivot: Replacing Human Agents with Malware

The expulsion of over 750 Russian intelligence officers from Western capitals between 2022 and 2025 created an immediate, catastrophic blackout for the Kremlin’s human intelligence (HUMINT) networks. Deprived of the physical access required to recruit sources and plant listening devices, Russian intelligence agencies, specifically the SVR and FSB, executed a strategic pivot to aggressive cyber espionage to fill the collection vacuum. By 2024, this digital substitution had transformed the threat, with Microsoft threat intelligence reporting a 25% year-over-year increase in Russian cyber operations targeting NATO member states.

This shift represents a fundamental change in tradecraft. Where case officers once met assets in Viennese cafes, state-sponsored hacking groups deploy sophisticated malware to penetrate foreign ministries. The SVR-linked group APT29 (also known as Midnight Blizzard or Cozy Bear) spearheaded this transition, launching a persistent campaign throughout 2023 and 2024 specifically designed to compromise diplomatic communications. Security researchers at Check Point identified a particularly brazen operation in early 2025, where APT29 operatives impersonated European ambassadors to send phishing emails disguised as invitations to wine-tasting events. These communications contained a new malware loader, dubbed GRAPELOADER, which deployed a backdoor into the unclassified networks of multiple European foreign ministries.

The desperation to regain lost visibility also drove the FSB to turn its digital weapons inward against foreign missions operating within Russia. In a departure from traditional surveillance, the FSB’s “Secret Blizzard” unit began compromising the local internet service providers (ISPs) serving embassies in Moscow. A July 2025 investigation by Microsoft revealed that this unit utilized “adversary-in-the-middle” (AitM) attacks to intercept traffic from diplomatic compounds. By hijacking the connection at the ISP level, the FSB injected a custom malware implant called ApolloShadow into the devices of embassy staff. This capability allowed Russian counterintelligence to decrypt secure sessions and exfiltrate sensitive documents without ever entering the embassy grounds, replacing the physical bugs that expelled diplomats could no longer maintain.

The volume of these attacks correlates directly with the timeline of diplomatic ejections. Data from the Foreign Intelligence Service of Ukraine indicates that 86% of recorded Russian hybrid attacks in Europe between 2014 and 2024 occurred after the 2022 invasion, with a six-fold increase in incidents in 2024 alone compared to the previous year. This surge confirms that cyber operations are no longer a support function the primary method for Russian state intelligence gathering in the West. NATO officials have noted that while the expulsions successfully degraded Russia’s ability to run human sources, the “reconstituted” cyber threat exhibits a higher risk appetite, targeting serious infrastructure and diplomatic logistics chains with a frequency that human agents could never match.

The replacement of spies with code has introduced new vulnerabilities for the aggressor as well. Unlike a diplomat protected by immunity, malware can be reverse-engineered, attributed, and neutralized publicly. The exposure of the ApolloShadow campaign forced Western nations to route embassy traffic through encrypted satellite tunnels, further isolating Russian networks. Yet, the operational tempo remains high. In late 2024, the SVR expanded its target list beyond government officials to include think tanks and NGOs, utilizing cloud-based token theft techniques to bypass multi-factor authentication. This “identity-centric” espionage model allows Russian intelligence to maintain persistence in Western networks for months before detection, proving that while the spies have left the embassies, their digital shadows remain firmly entrenched in the servers.

Latin America: The Legend Factory for False Identities

The systematic expulsion of diplomatic intelligence officers from Europe forced the GRU and SVR to activate their deepest reserves: the “illegals.” These operatives, absence diplomatic immunity, live under non-Russian aliases cultivated over decades. Investigations between 2022 and 2025 reveal that Latin America serves as the primary incubator for these false identities. Russian intelligence agencies exploit bureaucratic gaps in Brazil, Argentina, and Peru to manufacture “legends”, backstories supported by genuine government documents, that allow agents to travel to the West as harmless Global South nationals.

Brazil acts as the central hub for this documentation laundering. The country’s “late birth registration” laws, designed to help rural populations, allow adults to obtain birth certificates with minimal proof of origin. Russian operatives use this method to acquire authentic Brazilian birth certificates, which then yield genuine passports. These documents function as “golden tickets” for visa-free travel to the Schengen Zone and easy entry into the United States. Intelligence assessments confirm that at least nine deep-cover Russian officers were unmasked holding Latin American citizenship between 2022 and 2025.

The ICC Infiltrator: Sergey Cherkasov

The most high-profile failure of this program involved Sergey Vladimirovich Cherkasov, a GRU officer posing as Victor Muller Ferreira. Cherkasov spent a decade building his Brazilian legend, eventually securing a placement at Johns Hopkins University in the United States. In April 2022, he attempted to begin an internship at the International Criminal Court (ICC) in The Hague, precisely as the tribunal began investigating Russian war crimes in Ukraine. Dutch intelligence intercepted him at the border and deported him to Brazil.

Upon his return, Brazilian federal police arrested Cherkasov. In July 2022, a federal court sentenced him to 15 years in prison for document fraud, a sentence later reduced to five years and two months. The case sparked a geopolitical tug-of-war. The United States requested his extradition on espionage charges, while Moscow filed a competing request based on fabricated drug trafficking allegations to retrieve their asset. As of late 2024, Cherkasov remains incarcerated in Brazil, his cover irrevocably blown.

The Arctic Colonel: Mikhail Mikushin

In October 2022, Norwegian security services arrested a researcher at the University of Tromsø named José Assis Giammaria. He claimed to be a Brazilian academic focused on Arctic security and hybrid threats. Investigation revealed he was actually Mikhail Mikushin, a colonel in the GRU. Mikushin had spent years in Canada and Norway building his academic credentials. His Brazilian passport allowed him to operate within NATO member states without the scrutiny applied to Russian nationals. Mikushin admitted his identity in December 2023 and was returned to Russia on August 1, 2024, as part of a high-level prisoner exchange involving the United States and Germany.

The Slovenian Cell: The Dultsev Family

The deception extended to Argentina. In December 2022, Slovenian authorities arrested “Ludwig Gisch” and “Maria Rosa Mayer Muños,” a couple living in Ljubljana with their two children. They posed as Argentine expatriates running an IT startup and an online art gallery. Forensic analysis confirmed they were Artem Dultsev and Anna Dultseva, elite SVR officers. They used their Argentine citizenship to travel throughout Europe, acting as a communications hub for other illegals. Like Mikushin, the Dultsevs were released back to Moscow in the August 2024 prisoner swap. Their children, who spoke only Spanish, reportedly learned of their true Russian heritage only during the flight to Moscow.

“The use of Brazilian and Argentine documents is not accidental. These passports are high-quality, visa-exempt for Europe, and backed by civil registries that still rely on paper records in remote areas. Russia mechanized the exploitation of these systems to insert officers who could never pass vetting under their own names.”
, Ricardo Saadi, Former Director of Organized Crime Investigation, Brazilian Federal Police (2023 Statement)

The network began to disintegrate following the arrests in Slovenia and Norway. In early 2023, a Rio de Janeiro businessman known as Gerhard Daniel Campos Wittich disappeared while on a trip to Malaysia. He left behind a Brazilian girlfriend and a 3D printing business. Greek intelligence later identified him as Artem Shmyrev, the husband of another illegal, “Maria Tsalla,” who simultaneously abandoned her knitting shop in Athens. Both operatives fled back to Russia, fearing exposure from the data seized in the Dultsev raid. This “ghosting” phenomenon confirms that the Latin American legend factory operated as an interconnected global enterprise, not a series of cases.

Cash Couriers: Moving Operational Funds via Vienna

While Western capitals from London to Berlin aggressively dismantled Russian intelligence networks through mass expulsions in 2022 and 2023, Vienna quietly solidified its status as the financial logistics hub for Kremlin operations across Europe. Protected by Austria’s neutrality and a legal framework that historically did not criminalize espionage against foreign states, the Russian diplomatic mission in Vienna swelled to over 500 personnel by mid-2024. Intelligence assessments from multiple European agencies indicate that this bloated diplomatic corps serves a serious logistical function: the physical movement of operational cash to fund sabotage, influence campaigns, and assassinations throughout the Schengen Zone.

The method for this liquidity pipeline relies on the abuse of diplomatic immunity. According to Austrian intelligence officials in 2024, Russian state actors transport large volumes of Euro and Dollar banknotes by road into EU border states such as Lithuania. From these entry points, Vienna-based Russian diplomats, who enjoy freedom of movement within the Schengen Area, act as couriers. These operatives ferry the cash across borders utilizing diplomatic pouches, which are legally inviolable and exempt from police search under the Vienna Convention. This method circumvents the swift exclusion of Russian banks from the SWIFT system and bypasses rigorous anti-money laundering (AML) controls monitored by Western financial intelligence units.

The operational consequences of this cash flow are lethal. In February 2024, Maksim Kuzminov, a Russian helicopter pilot who defected to Ukraine, was assassinated in Spain. Spanish and Austrian investigators later linked the payment for the hitmen to cash reserves managed by Russian state employees based in Vienna. The funds were reportedly hand-delivered to criminal intermediaries, demonstrating the direct kinetic impact of the Vienna station’s financial logistics. Unlike digital transfers, which leave forensic trails accessible to the NSA or GCHQ, these physical cash handovers create an air gap that Western counter-intelligence struggles to without physical surveillance of every diplomat crossing Austrian borders.

The Austrian government’s response has been markedly different from its NATO neighbors. Between February 2022 and late 2024, Austria expelled fewer than 15 Russian diplomats, a fraction of the hundreds ejected by Germany, France, and Poland. This reluctance is rooted in the ” -builder” doctrine of Austrian foreign policy, it has turned the city into a safe harbor for the SVR and GRU. The Russian presence is not limited to the embassy compound; over 40 properties in Vienna are owned by the Russian state or linked entities. Surveillance equipment, including complex rooftop antenna arrays capable of intercepting satellite and cellular communications, has been documented on several of these buildings, providing technical support alongside the financial logistics.

“We are becoming a liability for our neighbors because Russia is using us as an operational base. The cash for the killers in Spain didn’t come from Moscow directly; it came from the safe houses in Vienna.”
, Senior Austrian Intelligence Official, June 2024.

The financial infrastructure in Vienna also supports non-kinetic operations, including the “Voice of Europe” influence network exposed in 2024. While the network’s digital propaganda was visible, the payments to far-right European politicians required untraceable funding sources. Investigations suggest that the Vienna station acted as the clearinghouse for these payments, distributing funds to proxies who then engaged with political in Germany, France, and Belgium. The expulsion of two Russian diplomats in March 2024 and another in September 2025 for “acts incompatible with their diplomatic status” signaled a slight shift in Vienna’s tolerance, yet the core infrastructure of the cash courier network remains largely intact, insulated by the sheer volume of diplomatic personnel that Austria permits to remain.

Visa Weaponization: Biometrics Ending the Alias Era

The operational capacity of Russian intelligence services in the West has faced a terminal decline not due to political, through the weaponization of biometric data. For decades, the GRU and SVR relied on “legend” building, creating false identities backed by paper trails, to insert officers into target nations. This tradecraft, in the 20th century, has collapsed under the weight of integrated digital border systems. The modern counter-intelligence apparatus no longer tracks names; it tracks biological markers. Once an intelligence officer’s fingerprint or facial map is recorded in the Schengen Information System (SIS II) or the Visa Information System (VIS), that individual is permanently tethered to a single physical identity, rendering the use of multiple aliases impossible.

Between 2022 and 2025, Western nations expelled over 750 Russian diplomatic personnel. The strategic catastrophe for Moscow lies not in the immediate loss of personnel, in the permanent neutralization of these assets. In previous eras, an expelled officer could undergo facial reconstruction or simply adopt a new name and passport to return to the field. Today, biometric interoperability between EU member states, the United States, and Five Eyes partners ensures that a fingerprint collected in Paris in 2016 trigger an alert if the same individual attempts to enter New York or Berlin under a different name in 2024. Intelligence agencies confirm that this “biometric wall” has burned thousands of chance replacements, as mid-level officers had previously traveled to the West as tourists or minor attachés, leaving indelible biometric footprints.

The Collapse of the “Illegals” Program

The vulnerability of the “illegals” program, deep-cover agents operating without diplomatic immunity, was clear exposed by the arrests of high-value in 2022 and 2023. These officers spent years building complex backstories in South America before attempting to infiltrate European institutions. Their failures illustrate the impossibility of evading modern data dragnets.

“The era of the clean skin is over. not build a legend that withstands a database query. If an officer has ever crossed a border, applied for a visa, or been detained, their biological signature is burned. We are seeing the SVR struggle to find candidates with zero digital or biometric history.”
, Senior Counter-Intelligence Official, Brussels (2024)

Two prominent cases highlight this widespread failure. Sergey Cherkasov, a GRU officer posing as Brazilian national “Victor Muller Ferreira,” spent years establishing a cover identity to infiltrate the International Criminal Court (ICC) in The Hague. even with his elaborate paper trail, Dutch intelligence identified him upon arrival in 2022, reportedly aided by biometric data sharing that linked his physical profile to existing Russian military records. Similarly, Mikhail Mikushin, a GRU colonel posing as a Brazilian academic named “José Assis Giammaria,” was arrested in Norway in October 2022. His cover crumbled when investigators correlated his biometric data with Russian databases, confirming his true identity and rank.

Data Integration as a Counter-Measure

The European Union’s move toward full interoperability of its border management systems has accelerated this trend. The integration of the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS) creates a closed loop where visa applications are automatically cross-referenced against criminal and intelligence watchlists. This prevents the “washing” of identities through third countries. Russian intelligence previously used nations with laxer visa controls as staging grounds; yet, the of databases means a flag in Poland is instantly visible to border guards in Portugal.

The desperation in Moscow is clear in the shift toward cyber-espionage and the recruitment of “cleanskins”, foreign nationals with no Russian ties, to act as proxies. Yet, these proxies absence the training and discipline of career officers. The SVR has also attempted to use Switzerland as a final operational hub, capitalizing on its non-EU status. Nevertheless, Swiss authorities reported in 2023 that even their systems are sufficiently integrated with European databases to detect and deny visas to known intelligence officers. The result is a severe manpower emergency for the Kremlin; the physical infrastructure of human intelligence is being dismantled by the very technology intended to travel.

The Human Cost of “Persona Non Grata”

The mass ejection of over 750 Russian intelligence officers between 2022 and 2025 inflicted a catastrophic psychological blow on the SVR and GRU, networks that took decades to cultivate. Beyond the operational blackout, the expulsions triggered a emergency of morale and identity within the ranks of Russian intelligence. For officers accustomed to the privileges of diplomatic immunity, lavish housing, international schools for their children, and the status of elite state representatives, the sudden forced return to a sanctioned, economically Moscow was a shock to the system. Reports from November 2023 indicate that expelled officers faced immediate professional abandonment; spouses of high-ranking GRU operatives were reportedly told by superiors to “deliver pizzas” if they required financial assistance, a clear contrast to the “state protection” promised during their recruitment.

This betrayal by the Kremlin apparatus created a fertile ground for Western counter-intelligence. The psychological disintegration of the Russian officer class transformed the expulsions from a logistical hurdle into a recruitment bonanza for the CIA and MI6. Deprived of their European bases and fearing deployment to the Ukrainian front lines, where elite GRU Spetsnaz units reportedly suffered casualty rates exceeding 90% by late 2025, officers began viewing Western intelligence agencies not as adversaries, as chance lifelines.

The “Once-in-a-Generation” Opportunity

Western agencies aggressively capitalized on this disillusionment. CIA Director William Burns publicly characterized the disaffection within Russia as a “once-in-a-generation” recruitment opportunity. In a coordinated psychological operation, the CIA and FBI released a series of cinematic recruitment videos on Telegram and other platforms between 2022 and 2024. These productions, viewed millions of times, did not target ideological defectors rather professional officers exhausted by corruption and the war’s futility. The FBI specifically geofenced social media advertisements to mobile phones active near the Russian Embassy in Washington, D. C., offering a secure “way out” for staff trapped in a paranoid, shrinking diplomatic enclave.

The British Secret Intelligence Service (MI6) escalated this psychological pressure in September 2025. In his final address as “C,” Sir Richard Moore launched “Silent Courier,” a dedicated dark-web portal designed to secure contact for Russian officials. Moore explicitly appealed to the “silent resistance” within the Russian security services, acknowledging that officers were “keeping their heads down” were to sell secrets to protect their futures. This public solicitation weaponized the paranoia inside the SVR, forcing Russian counter-intelligence to treat every returning officer as a chance double agent.

The Shift to “Disposable” Agents

The degradation of the professional officer corps forced Moscow to pivot toward “illegals” and “disposable” proxies, further eroding institutional prestige. By 2024, European intelligence services noted a sharp rise in sabotage operations conducted not by trained case officers, by recruited criminals, desperate migrants, and amateur vandals. This “outsourcing” of tradecraft relieved the immediate manpower absence devastated the professional ethos of the SVR. Career officers, previously tasked with high-level political influence, found themselves managing low-level arsonists and thugs via encrypted messaging apps. This shift increased the risk of exposure, amateurs are easily caught and interrogated, and deepened the sense among trained spies that their service had been reduced to a crude instrument of terror, stripped of its Cold War sophistication.

“The system is hardening up, bunkering down so that Putin does not receive too much bad news. The result is a service that is eating itself alive with suspicion.” , European Intelligence Official on the internal state of the FSB, 2024.

The internal atmosphere at the “Aquarium” (GRU headquarters) and Yasenevo (SVR headquarters) became toxic. Investigations into “failure to prepare” for the Ukraine invasion led to the house arrest of senior FSB figures, including Colonel-General Sergei Beseda. For the rank-and-file officers remaining in Europe, the fear of being recalled to Moscow became a coercive tool. Western case officers reported that Russian handlers were increasingly risk-averse, missing scheduled meets and dead drops to avoid any infraction that could justify their repatriation to a destabilizing Russia.

Technical Deficit: The Collapse of Line N Acquisitions

The expulsion of over 750 Russian intelligence officers between 2022 and 2025 did more than degrade Moscow’s political influence; it shattered the logistical spine of “Line N,” the SVR directorate responsible for scientific and technical espionage. For decades, Line N and its GRU counterpart, Directorate T, operated comfortably under the cover of trade missions and science attaché posts in Western capitals. These officers were not recruiters; they were technical specialists tasked with identifying, procuring, and routing dual-use technologies prohibited by export controls. When European and North American governments declared these individuals persona non grata, the Kremlin lost its primary method for quality-controlled technology acquisition.

The immediate impact was a catastrophic severance of the “diplomatic pouch” pipeline. Prior to February 2022, sensitive microelectronics could be purchased by front companies and physically moved into Russian embassies for secure transport. With the expulsion of station chiefs and technical officers, Russian intelligence was forced to pivot from secure diplomatic channels to high-risk, exorbitant criminal smuggling networks. Verified data from 2023 and 2024 indicates that while the value of Russian technology imports rebounded after an initial 45% drop, the volume of usable high-grade components remained suppressed due to the “intermediary tax” and seizure rates.

The Shift to Disposable Proxies

Deprived of their embassy-based handlers, the SVR and GRU turned to “illegals” and commercial proxies, unprofessional smugglers motivated by profit rather than ideology. This shift exposed the procurement networks to aggressive Western law enforcement. The arrest of the “Serniya Network” operatives illustrates this degradation. Vadim Konoshchenok, an FSB colonel suspected of overseeing a smuggling ring, was arrested in Estonia and extradited to the United States in July 2023. Unlike the insulated diplomats of the pre-2022 era, Konoshchenok was forced to move munitions and dual-use electronics through commercial shipping routes, leading to his interdiction.

A similar failure occurred in November 2023, when U. S. federal agents dismantled a Brooklyn-based procurement ring led by Nikolay Goltsev and Salimdzhon Nasriddinov. The network had successfully shipped over $10 million in restricted electronics to Russia, including semiconductors found in guided missiles seized on the Ukrainian battlefield. yet, the operational security of this proxy network was abysmal compared to professional Line N standards. The defendants communicated openly about the military application of their shipments, with one text message explicitly referencing “defending the Fatherland” while discussing component orders. This absence of tradecraft allowed the U. S. Justice Department to map the entire supply chain and seize thousands of components before they left American soil.

Metric of Failure: The Component Gap

The reliance on smuggling rings resulted in a severe quality control emergency for the Russian defense industry. Smugglers, unlike technical intelligence officers, prioritize volume and margin over specification accuracy. In 2023, the Yermak-McFaul International Expert Group identified 1, 057 foreign components in captured Russian weaponry, yet a significant percentage were consumer-grade chips ill-suited for military environments. The absence of specialized, military-grade bearings and optics forced Uralvagonzavod, Russia’s primary tank manufacturer, to temporarily halt production in March 2022. While production resumed, the reliance on grey-market substitutes has introduced higher failure rates in fielded systems.

The disruption extended beyond hardware. In February 2024, the U. S. Department of Justice executed a court-authorized operation to neutralize the “Moobot” botnet, a cyber-espionage tool controlled by GRU Unit 26165. This unit, previously responsible for high-profile hacks, had resorted to using a criminal botnet to hide its tracks, a sign of diminishing organic capabilities. The operation wiped the GRU’s malware from hundreds of infected routers, blinding a key technical reconnaissance capability.

The cumulative effect of these expulsions and arrests is a “technical deficit” that money cannot easily resolve. While Russia continues to acquire chips through China and Central Asian intermediaries, the loss of Line N’s expert acquirers means Moscow is paying three to four times the market rate for components that are frequently counterfeit or incorrect. The era of direct, state-directed technology theft has been replaced by a chaotic, leaky, and expensive criminal enterprise.

Diplomatic Retaliation: The Hollowing of Western Missions

The Kremlin’s response to the of its intelligence networks was neither proportionate nor purely diplomatic; it was a calculated strategy of asymmetric “hollowing.” While Western capitals excised specific intelligence officers, Moscow targeted the operational infrastructure of Western missions, blinding foreign governments to developments outside the capital. By late 2025, the diplomatic footprint of NATO member states in Russia had shrunk by approximately 65% compared to pre-invasion levels, a contraction that intelligence analysts describe as a “forced darkening” of the operational theater.

The most aggressive retaliatory measures focused on the principle of “parity,” a doctrine weaponized by the Russian Foreign Ministry to strip Western embassies of their support structures. Following the mass expulsion of 400 Russian officials in early 2022, Moscow did not expel an equivalent number of Western diplomats. Instead, it dismantled the administrative backbone of these missions. The decisive blow came with the expansion of the “unfriendly states” list, which prohibited the United States, and later other nations, from employing Russian or third-country nationals. This policy forced career diplomats to assume custodial, clerical, and logistical duties, reducing the time available for political reporting and consular outreach by an estimated 40%.

Germany faced the most severe structural in April and May 2023. After Berlin expelled Russian intelligence officers, Moscow retaliated by capping the total number of German state employees permitted in Russia at 350, a figure encompassing not just diplomats, teachers and cultural staff at the Goethe Institute. To comply with this draconian limit, Berlin was forced to close four of its five consulates general: Kaliningrad, Yekaterinburg, Novosibirsk, and St. Petersburg (retaining only a skeleton presence). This ended Germany’s diplomatic visibility in the Urals and Siberia, vast regions serious for monitoring Russia’s military-industrial mobilization.

The United States mission in Moscow exemplifies the extreme end of this diplomatic starvation. Following the prohibition on employing local staff, the embassy was forced to terminate 182 Russian employees. By 2024, the mission operated with fewer than one-tenth of its 2017 staffing levels. The closure of the U. S. consulates in Vladivostok and Yekaterinburg left the United States with no diplomatic representation east of Moscow, a landmass spanning seven time zones. This withdrawal created a significant intelligence vacuum, particularly regarding Russia’s deepening economic and military ties with China in the border regions.

France and the United Kingdom faced similar, albeit more sporadic, attrition. In May 2022, Russia expelled 34 French diplomats, the embassy’s press and cultural sections. The United Kingdom saw a steady of its personnel, culminating in the expulsion of two diplomats in March 2025 and another in January 2026, frequently under transparently fabricated accusations of espionage. These expulsions were frequently timed to disrupt specific diplomatic initiatives or to retaliate for British sanctions. The cumulative effect was the elimination of institutional memory; as experienced Russia hands were ejected, they were replaced by junior staff who faced severe travel restrictions and aggressive surveillance by the FSB.

The “parity” enforced by the Kremlin is deceptive. While numbers may appear balanced on paper, the operational reality is skewed. Russian missions in the West, though reduced, continue to operate with full administrative support and freedom of movement within the Schengen zone (until recent Polish restrictions). Conversely, Western diplomats in Russia are confined to a tightening perimeter, subjected to psychological pressure, and stripped of the local support networks essential for navigating the Russian bureaucracy. This asymmetry has achieved the Kremlin’s primary counter-intelligence goal: isolating Western governments from the Russian population and the realities of the country’s internal decay.

Global South Pivot: Relocating Assets to Africa

The systematic expulsion of Russian intelligence officers from Western capitals between 2022 and 2025 did not result in their retirement. Instead, the Kremlin executed a strategic redeployment of these assets to the Global South, with a specific concentration on the African continent. Intelligence assessments from late 2025 indicate that approximately 150 of the diplomatic personnel declared persona non grata in Europe were reassigned to expanded missions in the Sahel and Central Africa. This shift represents a calculated effort to open a “second front” in Moscow’s intelligence war against the West. The expulsion of French and American forces from Mali, Burkina Faso, and Niger created an operational vacuum that the GRU (Main Intelligence Directorate) and SVR (Foreign Intelligence Service) moved rapidly to fill.

This pivot is not a reaction to Western counter-intelligence successes. It is a restructuring of Russian power projection. The dissolution of the Wagner Group following Yevgeny Prigozhin’s death in 2023 allowed the Russian Ministry of Defense to bring irregular operations under direct state control. The newly formed “Africa Corps” serves as the primary vehicle for this integration. Unlike the semi-autonomous Wagner structure, the Africa Corps is subordinate to the GRU. General Andrei Averyanov, the commander of the notorious GRU Unit 29155, linked to the Skripal poisoning and other European sabotage operations, was identified by Western security services as the architect of this new architecture. His direct involvement signals that Africa is no longer a peripheral theater a central node for active measures and intelligence collection.

The operational logic is clear. Expelled officers who can no longer operate in Berlin, Paris, or Brussels coordinate activities from Bamako, Ouagadougou, and Bangui. These locations offer permissive environments where Russian operatives can monitor Western interests, manage resource extraction networks, and orchestrate disinformation campaigns without fear of expulsion. The reopening of the Russian embassy in Burkina Faso in late 2023, after a 31-year closure, provided immediate diplomatic cover for a fresh influx of intelligence personnel. Similar expansions occurred in Equatorial Guinea and Niger during 2024.

Operational Hubs and Strategic Objectives

The redeployment focuses on creating regional intelligence hubs that bypass Western surveillance. Mali has emerged as the central command post for the Sahel. The expulsion of the French DGSE and the UN peacekeeping mission (MINUSMA) removed the primary eyes and ears of Western intelligence in the region. Russian officers occupy the physical and digital space left behind. They control the flow of information to local juntas and manage the security apparatus that keeps these regimes in power.

The SVR has simultaneously revamped its method to information warfare on the continent. The “African Initiative” news agency, established in late 2023, exemplifies this evolution. Investigations by European monitors identified Artem Kureev, an individual linked to the FSB, as a key figure in this organization. The agency recruits local journalists and influencers to launder Kremlin narratives, presenting them as organic pan-African sentiment. This network replaced the fragmented Prigozhin-era troll farms with a more disciplined, state-directed apparatus. Their campaigns focus on discrediting Western health initiatives, amplifying anti-colonial grievances, and promoting the narrative of Russia as the sole guarantor of African sovereignty.

Resource security remains a serious priority for these relocated assets. The GRU’s mandate in the Sahel extends beyond military training to the control of strategic minerals. In Niger, the revocation of mining permits for French companies and the expulsion of US forces from Agadez Air Base in 2024 were heavily influenced by Russian advisors within the junta. Intelligence officers the smuggling of gold from Mali and Sudan to finance operations in Ukraine and circumvent international sanctions. This “self-financing” model allows the Russian intelligence footprint to grow even with the economic of the war in Europe.

“The transfer of personnel from European capitals to the Sahel is not a retreat. It is a flanking maneuver. Officers who once recruited sources in the Bundestag are building networks in the Sahel to cut off Europe’s energy and mineral supply chains.”
, Internal assessment, French Directorate-General for External Security (DGSE), leaked 2025.

South Africa continues to serve as a sophisticated logistical base for these operations. While the Sahel provides raw resources and military bases, South Africa offers a financial and technological gateway. Verified flight data from 2024 and 2025 shows a consistent pattern of Russian government aircraft moving between Moscow, Syria, and South African airfields, frequently with transits through East Libya. This air sustains the personnel and equipment required for the Africa Corps. The presence of a large Russian diplomatic mission in Pretoria, which has not been subjected to the mass expulsions seen in Europe, allows for the coordination of activities across the Southern African Development Community (SADC) region.

The integration of the Africa Corps into the formal military hierarchy has streamlined the chain of command. Intelligence collected by operatives in the Central African Republic or Mali is fed directly into the GRU’s central analysis in Moscow. This eliminates the friction that existed between the Ministry of Defense and Wagner. The result is a more responsive and dangerous adversary in Africa. Western intelligence agencies face a competitor that combines the diplomatic immunity of state officials with the ruthless tactics of irregular warfare units.

Family Networks: The Expulsion of Spouses and Support

The of Russian intelligence networks in the West extended beyond the officers themselves. Counter-intelligence operations between 2022 and 2025 systematically targeted the familial and logistical infrastructure that sustained deep-cover operations. Intelligence agencies recognized that spouses and adult children of declared intelligence officers frequently performed operational roles. These roles included acting as couriers for cash payments to assets, conducting counter-surveillance runs, or managing secure communications equipment within diplomatic residences. The expulsion orders, therefore, frequently encompassed entire family units rather than individual diplomats.

Data from the coordinated expulsions reveals a high correlation between diplomatic postings and spousal accreditation in intelligence-heavy stations. In the mass expulsion of June 2022, Bulgaria declared 70 Russian embassy staff persona non grata. This group included technical assistants, drivers, and administrative personnel who provided the logistical backbone for the GRU and SVR residencies in Sofia. The Bulgarian government identified these support roles as serious to the “hybrid warfare” capabilities of the embassy. When the two Russian government aircraft departed Sofia on July 3, 2022, they carried not just the 70 expelled officials their families, totaling over 150 passengers. This mass removal stripped the station of its operational support.

The operational value of “support staff” cannot be overstated. Intelligence services use positions such as drivers, mechanics, and gardeners to place trained officers in roles that attract less scrutiny than diplomatic titles. These individuals frequently manage the physical security of the residency or transport sensitive materials without diplomatic pouches. In Belgium, a joint investigation by European media outlets in 2023 identified that among the expelled Russian staff were “technicians” and “attachés” who were career officers of the GRU. The Belgian government expelled 21 such officials in April 2022 and a further 48 later, specifically citing their involvement in espionage and influence operations under the guise of administrative duties.

The integration of families into intelligence operations was most visibly disrupted in Poland. On April 29, 2023, Polish authorities seized a high school building on Kieleckiej Street in Warsaw. This facility, operated by the Russian embassy, served the children of diplomats and military personnel. Polish counter-intelligence services viewed the “spy nest,” as it was locally known, as a secure enclave that allowed intelligence officers to maintain long-term postings without integrating into the local school system. The seizure forced the relocation of classes to the embassy compound and signaled that the social infrastructure supporting Russian intelligence families was no longer inviolable. Moscow protested the move as a violation of the Vienna Convention, yet the facility remained under Polish municipal control.

Spouses also played a direct role in the “illegals” program, which operates outside the embassy relies on its infrastructure for emergency extraction. The arrest of Ludwig Gisch and Maria Mayer in Slovenia in December 2022 exposed a husband-and-wife team operating as deep-cover SVR agents. While not embassy staff, their children were used to build their cover as a normal expatriate family. The subsequent unraveling of their network demonstrated how family units provide a veneer of normalcy that solo agents cannot replicate. Following their arrest, other European nations scrutinized the “trailing spouses” of accredited diplomats more closely, leading to visa denials for family members suspected of holding intelligence training.

The “Berlin Airlift” of April 2023 further illustrated the of these family removals. A Russian government Ilyushin Il-96-300 flight was granted special permission to land in Berlin to evacuate expelled personnel. While the German Foreign Ministry officially expelled a specific number of diplomats, the aircraft departed with a significantly larger passenger manifest. This gap confirmed that the expulsion orders purged the station’s entire social ecosystem. By removing the support network, spouses who managed safe houses, technicians who serviced encryption gear, and teachers who educated their children, Western governments imposed a logistical cost that exceeded the loss of individual case officers.

2026 Status: The Slow Reconstruction of Spy Rings

By early 2026, Western counter-intelligence agencies confirmed that Russian intelligence services had largely transitioned from the decimated diplomatic residencies of 2022 to a decentralized, higher-risk operational model. While the mass expulsions of over 750 diplomatic personnel between 2022 and 2025 successfully dismantled the traditional rezidenturas in capitals like London, Berlin, and Paris, Moscow aggressively reconstituted its capabilities using “illegals,” traveling intelligence officers, and criminal proxies. The 2025 annual threat assessments from Germany’s BfV and Norway’s PST indicate that while the quantity of intelligence officers on European soil remains pre-war levels, the lethality and unpredictability of their operations have increased.

The Vienna Logistics Hub

With diplomatic channels closed in most NATO nations, Austria emerged as the primary logistical and financial hub for Russian intelligence in continental Europe. As of January 2026, Austrian intelligence officials estimated that over 500 Russian state employees remained accredited in Vienna, a number significantly disproportionate to diplomatic needs. Intelligence assessments suggest that approximately half of these individuals perform intelligence functions, utilizing the city’s non-aligned status to coordinate operations across the Schengen zone. Vienna serves as the “payroll center” where cash is disbursed to proxies and deep-cover agents operating in stricter jurisdictions like Germany and Poland.

Resurrection of the “Illegals” Program

The degradation of diplomatic cover forced the SVR and GRU to rely heavily on “illegals”, officers operating under deep non-official cover, frequently posing as South American or non-Russian European nationals. The high strategic value Moscow places on these assets was publicly demonstrated during the August 2024 prisoner exchange, when President Vladimir Putin personally greeted Artem Dultsev and Anna Dultseva on the tarmac in Moscow. The couple, SVR officers who had lived for years in Slovenia posing as Argentine citizens, represented the specific type of deep-cover asset that Russian services prioritized rebuilding in 2025.

Unlike the “diplomats” of the previous decade, these agents do not enjoy immunity. Their operations in 2025 focused less on political influence and more on facilitating kinetic sabotage and maintaining dormant communication channels. In late 2025, counter-intelligence operations in Norway and Poland identified attempts to insert such agents near serious energy infrastructure and logistics hubs supplying Ukraine.

The “Proxy” Sabotage Campaign

The most distinct shift in 2024 and 2025 was the industrial- use of criminal proxies to execute “dirty” work. In October 2024, MI5 Director General Ken McCallum reported a ” ” rise in sabotage and assassination plots, noting that Russian services were recruiting amateur criminals, drug traffickers, and foreign nationals to conduct arson and surveillance. This “outsourcing” strategy reduces the risk to Russian officers increases the collateral danger to the public due to the absence of tradecraft among the perpetrators.

2026 Threat Outlook: The Northern Front

The Norwegian Police Security Service (PST) issued a specific warning for 2026, identifying the Arctic and Northern Europe as the new primary theater for Russian sabotage. With Europe’s energy decoupling from Russia complete, the security of Norwegian gas pipelines and subsea cables became a paramount concern. The PST’s 2025 assessment detailed a 246% increase in sabotage attempts against European serious infrastructure between 2023 and 2024, a trend projected to accelerate in 2026. These operations are no longer intelligence-gathering missions active measures designed to Western resolve through physical disruption.

“The intelligence threat from Russia is no longer just about stealing secrets. It is about generating mayhem on our streets. The use of criminal proxies creates a volatile, less predictable threat than we saw during the Cold War.” , Ken McCallum, Director General of MI5 (October 2024)

By the start of 2026, the “Embassy Spy Ring” era had ended, replaced by a darker, more fragmented, and kinetic form of espionage. The centralized rezidentura has given way to a network of disposable proxies and high-value illegals, managed from safe havens like Vienna and directed to strike at the physical and psychological infrastructure of the West.

Strategic Outlook: The Permanent Loss of Human Intelligence

The wholesale of Russian intelligence networks across Europe between 2022 and 2025 has inflicted a generational trauma on the GRU and SVR, creating a capability void that Moscow cannot fill for decades. Intelligence assessments from both MI5 and the CIA indicate that the expulsion of over 750 diplomatic personnel, approximately 600 of whom were identified as active intelligence officers, has blinded the Kremlin in key Western capitals. MI5 Director General Ken McCallum described this purge as the “most significant strategic blow” to Russian intelligence in modern history, while MI6 Chief Richard Moore confirmed that the ability of Russian services to spy in Europe had been “cut by half” overnight. Unlike previous diplomatic spats where personnel were quietly rotated, the coordinated nature of these ejections, combined with strict visa bans, has permanently dismantled the “legal residencies” that served as the backbone of Russian espionage for seventy years.

Deprived of the diplomatic immunity that allowed officers to recruit sources and handle agents with relative safety, Russian services have been forced to activate “illegals”, deep-cover officers operating without official protection. This shift has exposed the fragility of Russia’s non-official cover program. The high-profile arrests of deep-cover operatives in 2022 and 2023, such as the GRU officer “José Assis Giammaria” in Norway and the SVR couple “Ludwig Gisch” and “Maria Mayer” in Slovenia, demonstrated that Western counter-intelligence had already penetrated these networks. The SVR invests over a decade and millions of dollars to train a single illegal; losing them within months of activation represents a catastrophic return on investment that no intelligence service can sustain.

To compensate for the loss of professional officers, the GRU has increasingly resorted to “proxy” operations, recruiting disposable agents via Telegram and the dark web for acts of sabotage and arson. While this tactic creates immediate “mayhem”, a term used by British intelligence to describe the rash of warehouse fires and vandalism across Europe in 2024, it yields little intelligence value. These proxies, frequently petty criminals or desperate foreign nationals, absence tradecraft and are frequently caught, leading investigators back to their handlers. The shift from high-value espionage to low-level sabotage signals a degradation of capability; the Kremlin is no longer prioritizing the theft of state secrets because it absence the skilled manpower to execute complex recruitment operations against hardened.

Simultaneously, Western agencies have moved from a defensive posture to an aggressive counter-recruitment offensive. Capitalizing on the disarray and demoralization within the Russian services, the CIA and FBI launched high-visibility recruitment campaigns on platforms like Telegram and X (formerly Twitter). By 2024, CIA recruitment videos targeting disaffected Russian officers had been viewed over 2. 1 million times. MI6 followed suit with the “Silent Courier” portal, explicitly inviting Russian patriots to share secrets securely. This “insider threat” forces the FSB to turn its gaze inward, consuming vast resources on internal mole-hunts rather than foreign operations. The strategic reality for 2026 and beyond is a Russian intelligence apparatus that is, paranoid, and reliant on amateur proxies, having permanently lost the human networks that took half a century to build.

**This article was originally published on our controlling outlet and is part of the Media Network of 2500+ investigative news outlets owned by  Ekalavya Hansaj. It is shared here as part of our content syndication agreement.” The full list of all our brands can be checked here. You may be interested in reading further original investigations here.