May 1, 2026

SHARE |

Europe’s Expanding Hybrid Threat: Taking a Page from the Proxy Playbook

AP Photo/Alastair Grant

On Wednesday, two Jewish men were stabbed in Golders Green, a Jewish area of north London, in an attack police declared a terrorist incident. Authorities are still investigating the motive, but the attack fit the broader pattern of recent antisemitic violence and low-level asymmetric activity that has followed the U.S.-Israeli-led war on Iran, and more broadly has followed an increase in antisemitism and Islamophobia across the West since the October 7, 2023, Hamas attacks. The Iran war, alongside weakening ties with the United States, has reshaped not only the UK’s security environment but also that of Western Europe. The conflict appears to have triggered a wave of Iran-linked hybrid activity across Europe, further complicating the already varied European threat landscape. In several cases, Jewish institutions in the UK, France, Belgium, Germany, the Netherlands, and Norway were targeted through low-cost, low-capability attacks allegedly carried out by minors or petty criminals, and presumably digitally recruited by Iranian intelligence services.

These incidents fit one of the most accessible forms of state-backed hybrid activity: outsourcing to expendable local actors, sometimes referred to as “disposable agents,” while preserving deniability linking the state directly to the attack. In October, Ken McCallum, director general of MI5, announced that the organization had tracked “more than 20 potentially lethal Iran-backed plots in the UK in 12 months,” according to the Guardian. Last Tuesday, British police arrested a group for an alleged plot to firebomb Jewish targets, with many security experts suspecting Iranian backing, although there is no direct proof. Following the Golders Green attack this week, Harakat Ashab al-Yamin al-Islamia (HAYI) — described by Shia militia expert Phillip Smyth as an “Iran-crafted front group” — claimed responsibility, though this has not been verified by UK authorities. The same group claimed responsibility for more than a dozen attacks since March, including an improvised explosive device (IED) attack in front of a synagogue in Liége, Belgium, as well as attacks on a synagogue and a Jewish school in the Netherlands. Even if HAYI’s claims are opportunistic, they reflect a broader effort by Iran-linked actors to amplify fear, sow confusion, and further exacerbate communal tensions across Europe.

As attacks on primarily Jewish soft targets continue across Europe, UK Prime Minister Keir Starmer has expressed concern over the proliferation of proxy attacks in Britain, which he said were supported by “a number of countries,” and the UK Home Office has raised its threat level to “severe” in response to the “rising Islamist and Extreme Right Wing terrorist threat.” While Iranian-backed proxy groups remain a serious concern for the West, their methods increasingly mirror a hybrid playbook long refined by Russia. That Russian threat, already pervasive across the continent, has only grown as U.S. President Donald Trump continues to undermine the U.S.-Europe strategic partnership and cast doubt on NATO’s reliability, most recently by railing against the alliance’s reluctance to support U.S. efforts to reopen and secure the Strait of Hormuz. Last week, Dutch intelligence service AIVD warned that the Netherlands was “facing the greatest threat to its national security since the end of World War Two, chiefly from Russia and China,” according to Reuters. UK Chief of the General Staff Gen. Sir Nicholas Carter has similarly identified Russia as “the biggest state-based threat to the UK since the Cold War,” according to The Guardian. Still, it took the UK longer than it should have to identify the Russian threat. Mobilizing to counter the Iranian threat needs to be swift and avoid cumbersome bureaucratic delays that often plague Western counterterrorism responses.

The low-cost proxy playbook now being adopted by Iran has been refined by Russia across a range of European contexts. Some of Iran’s recent tactics mirror those Russia has used extensively in France, where Moscow has sought to exploit existing tensions between national, ethnic, and religious communities. Research by The Soufan Center found that France has been one of the primary European targets of Russian information operations, including efforts to recruit individuals — often third-country nationals — to carry out acts of vandalism against religious sites, particularly Jewish and Muslim targets. More broadly, our research found that from 2023 to 2024, the share of recorded Russian-linked proxy incidents increased by 254 percent across France, Germany, the UK, Moldova, Georgia, and Estonia. More recently, Lithuanian authorities charged 13 people this month over attempted murders allegedly linked to Russia’s military intelligence service, GRU. In the UK, prosecutors argued in court this week that three Ukrainian nationals were offered payment by a Russian-speaking individual to commit arson attacks against houses and property linked to Keir Starmer. These incidents serve as a crucial pillar of Russian operations against the West: cheap, deniable, and scalable, while imposing asymmetrically higher costs on the targeted countries. The more bandwidth states need to dedicate to counter hybrid threats, the fewer resources and manpower are available to deal with conventional threats, as security forces are spread thin.

Russian operations in Europe extend beyond scalable proxy activity. Moscow is also known to conduct surveillance, espionage, and sabotage inside target countries. One key domain is cyberspace, where Russia, alongside Iran and China, can generate disruption, confusion, and insecurity among its adversaries. Richard Horne, head of the UK’s National Cyber Security Centre (NSCC) warned that the UK faces its largest cyber risk from these three countries, warning that Britain is living through “the most seismic geopolitical shift in modern history.” Russian hackers have targeted critical infrastructure across Europe, including in Sweden, Poland, Denmark and Norway. Last week, Swedish authorities announced that they had been the target of a Russian-linked cyber-attack on a heating plant last year. Heat and power plants were also the subject of cyber-attacks in Poland, Denmark and Norway. At the same time, the European Union imposed sanctions against Chinese and Iranian companies in March for reported cyber-attacks against EU member states.

Russia also often probes military and defense spaces, seeing how far it can push boundaries without retaliation, while also gathering important reconnaissance. According to The Soufan Center’s research, Russia does this most frequently in powerful NATO states such as Germany and the UK. Our research found that territorial water violations and naval incidents make up the lion’s share of publicly reported Russian incidents against the UK. To combat this threat, Keir Starmer warned, in March, that the UK military would board any ship that was suspected to be a part of Russia’s shadow fleet, its network of aging, obscurely owned tankers used to evade Western sanctions on Russian oil exports. Nearly a month after the announcement, British media reported that at least 98 Russian vessels had transited British waters, and that despite Starmer’s warnings, the UK military had not announced any boardings or ship detentions during that period.

Nevertheless, the UK’s Royal Navy has developed various programs, in collaboration with other countries in the North Atlantic, to combat Russian activity in territorial waters. In 2025, the UK and Norway signed a defense pact to operate a combined fleet that is dedicated to hunting Russian submarines in their seas. Most recently, the UK announced a new partnership of “northern navies” to combat Russian activity. This multinational partnership “would have the ability to substitute, swap or mix equipment, parts, ammunition and personnel” in its operations against Russia, according to The Times. These policies and responses, however, also provide Iran with a live case study in how Western states manage grey zone maritime pressure. Tehran has its own experience with shadow shipping, sanctions evasion, and maritime coercion, even giving the Russians tips in the early days of the Ukraine war. Russia’s activity around NATO waters shows how a hostile state can use persistent naval probing to test legal thresholds.

Additionally, European states, already struggling to combat Russia’s hybrid threat, must now face a growing and more visible Iranian hybrid threat as Tehran scales its activity across the continent. Europe is facing overlapping pressure from two states that rely on many of the same low-cost tools: proxy actors, criminal networks, cyber operations, and the exploitation of social cohesion. Iran has an adequate and growing cyber capability and could seek to increase its operations in this domain going forward. There is growing concern among security experts that Iran is using Europe’s already strained security environment to expand the reach of its hybrid campaigns to its own advantage. Historically, many European states have been slow to adapt to the Russian threat and to recognize the need for rapid response and public transparency. As the threat from Iran grows, it is vital that Europe avoid repeating those same mistakes. European nations must therefore move quickly to apply the lessons learned from Russian hybrid operations to their response to Iran, particularly as the two playbooks increasingly mirror one another. The Soufan Center’s research has found that building resilience through transparent attribution, when possible, and inoculating populations against the most common methods used to target them are among the most effective ways to combat hybrid threats.