Insider Risk Watch #1: A Russian Agent In A Haystack
Two years after the death of Alexei Navalny, five European countries – France, Germany, The Netherlands, Sweden, and the UK – have released a joint statement concluding that he was killed by the Russian government. According to the statement, only Russia had “the combined means, motive, and disregard for international law” to carry out the act.
Russia initially declared that Navalny had died of natural causes while serving a 19-year sentence in a penal colony in the Arctic. However, samples retrieved from his body were subjected to laboratory testing that revealed Navalny had been poisoned with epibatidine, a toxin secreted by the skin of poison dart frogs, native to northern South America. As using a toxin of this nature constitutes a violation of the Chemical Weapons Convention, the signatories of the statement will be referring this case to the Organisation for the Prohibition of Chemical Weapons (OPCW) in The Hague, The Netherlands.
This is not the first time in recent years that a case of this type has been reported to the OPCW. On March 4th, 2018 in Salisbury, UK, GRU agents poisoned Sergei Skripal, a former Russian intelligence officer who had been recruited by MI6 in the 1990s and subsequently brought to the UK in a prisoner swap.
NATO collectively declared Russian involvement, and with the aid of the OPCW it was possible to determine that the poison used was Novichok, a Russian-developed military-grade nerve agent.
Russia denied involvement in the attempt throughout. However, shortly after, on April 18th, 2018, the Dutch Military Intelligence and Security Service (MIVD) thwarted a Russian operation in The Hague, as four GRU officers were attempting to hack into the OPCW network system, possibly to tamper with the integrity of the OPCW’s work. Once the officers were apprehended, Dutch authorities declared them personae non gratae and expelled all of them to Russia.
The Salisbury attempt set off a chain reaction, prompting the United States, Canada and another 18 European countries to expel over 100 Russian diplomats in response, and NATO to cut its mission by a third. Statistics show an increasing trend all over Europe and the US of expelling Russian diplomats over claims of connections to Russian intelligence services, especially since the 2022 invasion of Ukraine. For example, in 2024 the UK expelled a Russian defence attaché who was an undercover military intelligence officer. In 2025, Moldova expelled three Russian diplomats working at the embassy over allegations of aiding a pro-Kremlin lawmaker to escape imprisonment following charges of illegal political funding. Earlier this month, Polish authorities arrested a man who had worked for the defence ministry for over 30 years on accusations of spying for foreign intelligence services.
As these expulsions disrupt Russia’s traditional operating model, which relied heavily on diplomatic cover and state-directed operatives, Russian intelligence appears to have adapted its approach. Rather than deploying Russian nationals who risk identification and expulsion, Russian intelligence services have increasingly sought to recruit local actors.
Russian Intelligence Shifts to Recruiting Local Operatives
As a result, a different pattern has emerged in recent years. Two years ago, in Bayreuth, German authorities arrested two German nationals who had been preparing a sabotage operation with someone linked to Russian intelligence to target military and industrial infrastructure necessary for providing support to Ukraine. Around the same time, a British man recruited by the Wagner Group was convicted for participating in the arson of a Ukrainian business in London. More recently, an investigation has been opened in the Netherlands into two Dutch teenagers who were arrested for allegedly walking around the offices of Europol, Eurojust, and the Canadian embassy in The Hague with a Wi-Fi sniffer, a tool that identifies Wi-Fi networks and intercepts their traffic. Dutch media reported they were approached via Telegram by hackers linked to Russia. Given these circumstances, the testing to be imminently carried out by the OPCW in connection with the Navalny case raises a fundamental question: if state-linked operations increasingly rely on locally recruited individuals rather than officially deployed officers, how might that affect the way such incidents are detected, attributed, and managed within European jurisdictions?
European Insider Risk & Security Strategy
In light of this, how should European organisations reassess their security posture? From an insider risk perspective, this shift is significant. Traditional counter-intelligence models are built around identifying foreign operatives operating under diplomatic or official cover. The recruitment of local citizens – whether motivated by ideology, financial incentives, coercion, opportunism, or geopolitical stressors such as the invasion of Ukraine – transforms the threat landscape, as malicious actors can already be within a country's borders and, at times, may well be in critical positions to cause harm. Lately, Russian services have been recruiting insiders as low-level agents through the promise of quick financial gain rather than strong ideological commitment. In some cases, the individuals recruited are minors, and often unaware that they are working for the Russian government.
This evolution increases systemic vulnerability across critical infrastructure, defence supply chains, research institutions, and politically sensitive industries. By blurring the line between state action and criminal activity, it complicates detection and attribution processes, delays response, and widens the surface to be defended. While locally recruited actors may lack the tradecraft of trained intelligence officers, potentially making certain activities easier to detect, their very profile creates different challenges.
As the threat perimeter broadens significantly, so does the scope of the protection necessary for critical infrastructure and operations, as threats could come from anywhere at any time. While it may once have been efficient to monitor embassy employees, attention now has to be paid even to, for example, staff working in strategic or politically sensitive premises. In addition, the lack of training of low-level agents – sometimes described as “useful idiots” – increases the risk of collateral damage, as inexperienced operatives may act unpredictably, misjudge escalation thresholds, or resort to excessive or reckless methods in pursuit of relatively limited objectives, thereby heightening the likelihood of unintended harm to people, assets, and surrounding infrastructure.
The recent sabotage activities across Europe should therefore not be viewed as isolated incidents, but as components of a broader strategic recalibration by Russian intelligence services. As expulsions constrain traditional intelligence operations, insider recruitment has become a force multiplier and a growing security challenge for European states.
So what can organisations seeking to improve their security posture do against this backdrop?
- Integrate geopolitical risk intelligence into insider risk assessments, moving beyond the view of insider risk as HR misconduct
- Expand their definition of insiders, clearly mapping access and proximity to assets
- Focus on behavioural detection, as low-level actors may engage in acts that do not set off any digital alarms (e.g. physical reconnaissance)
- Define thresholds for ambiguity, and set up a system to react when they are crossed
