EASTERN EUROPE GRAY-ZONE NETWORKS

Modern conflict does not always begin with a formal invasion, a declaration of war, or a clear military front. In many cases, conflict now operates in the space between peace and open war, where actors apply pressure without fully exposing themselves. This is the gray zone. It is not completely peaceful, but it is not always conventional war either. It is the space where states, intelligence-linked actors, criminal groups, private businesses, political intermediaries, proxies, hackers, smugglers, and media networks can all operate with some level of ambiguity. That ambiguity is the point. It allows power to move through systems that are difficult to attribute, difficult to punish, and difficult to explain to the public in a simple way. NATO describes hybrid threats as a mix of military and non-military, covert and overt methods, including disinformation, cyberattacks, economic pressure, irregular armed groups, and regular forces, all used to blur the line between war and peace and destabilize societies.

What stands out to me about the gray zone is that it forces us to rethink what conflict actually looks like. A shipment can look like normal commerce. A cyberattack can look like criminal activity. A propaganda campaign can look like ordinary political debate. A shell company can look like a legitimate business. A paramilitary group can present itself as a local security organization, a patriotic movement, or a political defender of some community. In reality, these pieces can be connected through a much larger operating system. This matters because the modern security environment is not only defined by tanks, missiles, or battlefield gains. It is increasingly defined by pressure systems that move through borders, markets, digital platforms, political institutions, and criminal infrastructure. In my view, that is what makes gray-zone networks so difficult to study but also so necessary to understand.

Eastern Europe is one of the most important regions for studying gray-zone activity because of its geography, history, and political position. It sits between Russia, the European Union, NATO, the Black Sea, the Balkans, Ukraine, the Caucasus, and major routes for energy, trade, migration, and military movement. That location gives the region strategic value, but it also creates constant vulnerability. Eastern Europe is not just a buffer zone in the old Cold War sense. It is a contested operating environment where state power, organized crime, corruption, border weakness, energy politics, migration pressure, and foreign influence all overlap. The Munich Security Conference has described Eastern Europe as a gray-zone region shaped heavily by Russia’s war against Ukraine and by the pressure placed on countries positioned between Russia on one side and the EU and NATO on the other. That being said, this project should not reduce Eastern Europe to Russia alone. Russia is central to many of the region’s gray-zone systems, but it is not the only actor and not the only explanation. The region is shaped by local political elites, criminal networks, weak enforcement points, unresolved historical grievances, energy dependency, borderland economies, and the practical limits of international institutions. Some actors are state-backed. Some are profit-driven. Some are ideological. Some are opportunistic and will work with almost anyone if the incentives are right. This is where the region becomes analytically interesting. Eastern Europe is not only a place where external powers compete. It is a place where local vulnerabilities can be turned into regional systems. A corrupt official, a port operator, a trucking company, an offshore account, a Telegram channel, or a political party with outside backing may seem small by itself. But in the gray zone, small access points can become part of a much larger network

Sanctions evasion is often discussed as a financial issue, but that view is too narrow. In practice, sanctions evasion is a logistical ecosystem. It involves shell companies, front businesses, intermediaries, false documentation, altered shipping routes, third-country transshipment, offshore finance, dual-use goods, and weak points in enforcement. The European Commission has continued to focus on Russia’s access to dual-use goods and advanced technologies because these goods can support military and industrial capacity even when they appear civilian on paper. This is one of the most important parts of the gray-zone problem. The issue is not always that goods are openly illegal from the start. The issue is that legal supply chains can be bent, redirected, disguised, or layered until the final destination becomes harder to identify. This is where enforcement becomes difficult. A sanctioned component may not travel directly from an EU company to Russia. It may move through a distributor, then a third country, then a small intermediary, then a company that was created only recently or has no real commercial history. On paper, every step may appear disconnected. In reality, the route can be coordinated. Europol has warned about sanctions-evasion activity involving vehicle exports to third countries for possible onward transfer to Russia and Belarus, with forged paperwork, complex diversion routes, and money-laundering indicators connected to organized commercial attempts to evade EU measures. That example matters because it shows that sanctions evasion is not just about banks or oligarch accounts. It is about routes, paperwork, logistics, customs gaps, and the ability to move goods through normal commerce. From my perspective, this is one of the core ideas behind the project. Sanctions evasion works because it hides inside the ordinary movement of the global economy. Ports are busy. Border crossings are crowded. Companies subcontract. Banks process enormous volumes of transactions. Customs officials cannot inspect everything. This creates space for actors who understand the system better than the institutions trying to police it. The Financial Action Task Force has also warned that sophisticated sanctions-evasion and proliferation-financing schemes often use front companies, procurement networks, and complex financial channels to access the global financial system and bypass export controls. So the real question is not only whether sanctions exist. The deeper question is whether states and institutions can trace the networks designed to get around them.

Smuggling and illicit logistics are another major part of Eastern Europe’s gray-zone environment. These networks can involve weapons, fuel, electronics, counterfeit goods, people, cash, drugs, stolen goods, and sanctioned components. The exact commodity can change, but the underlying mechanism is often similar: actors exploit routes, weak enforcement, corruption, and jurisdictional gaps. The OECD defines illicit trade as illegal production, movement, and sale of goods and services that can exploit global supply chains and trade infrastructure while weakening public safety, institutions, the rule of law, and tax systems. This is why smuggling should not be seen only as a criminal justice problem. In a gray-zone environment, illicit logistics can become a security problem. Eastern Europe matters here because it connects multiple trafficking and transit corridors. The Balkans, for example, remain a major route into Europe. UNODC has described the Balkan route as a continuing pathway for drug trafficking, stretching from Afghanistan through Iran and Türkiye and splitting into several branches that lead into Europe. Europol has also reported migrant-smuggling activity through Bosnia and Herzegovina, Croatia, and Slovenia, including criminal networks using dangerous transportation methods and adapting to enforcement pressure. These examples are not the same as sanctions evasion, but they show the broader point. Once a route exists, and once corrupt relationships or logistical methods are developed, the route can be repurposed. A network that moves migrants today may help move forged documents tomorrow. A route that carries narcotics may later support weapons, cash, or restricted components. The commodity changes. The infrastructure remains. This matters because gray-zone systems are adaptive. They do not always need a single command structure. They need access, protection, trust, and profit. Criminal groups already know how to move goods quietly. State-linked actors may need exactly that capability. At the same time, criminal actors may benefit from political protection, intelligence relationships, or tolerated space to operate. That creates a dangerous overlap. It does not mean every criminal group is a proxy, and it does not mean every smuggling route is controlled by a government. That would be too simplistic. But it does mean that organized crime can become useful to state interests when the goal is deniability, disruption, or covert logistics. Europol’s 2025 serious and organized crime assessment identifies organized crime as a major threat to Europe and focuses on the dynamics of criminal networks and emerging trends that shape law enforcement priorities.

Financial laundering sits underneath much of this activity. It is the connective tissue that allows illicit profits, sanctioned wealth, criminal payments, and covert financing to move through the system. In many ways, money laundering is what turns illegal activity into usable power. A smuggling network can make money, but that money must still be cleaned, stored, transferred, invested, or used to buy influence. This can happen through real estate, shell companies, trade-based laundering, cryptocurrency, offshore jurisdictions, false invoicing, consulting arrangements, or layers of accounts designed to make the origin of funds harder to trace. The gray-zone element comes from the way financial systems can support both criminal and political objectives at the same time. A laundering network may serve drug traffickers, corrupt officials, sanctioned elites, hackers, or intelligence-linked actors. That does not mean all clients share the same goals. They may not. But they can still use the same financial infrastructure. This is where enforcement becomes difficult because the network is not always ideological. It is service-based. It moves value for whoever can pay or provide protection. Recent reporting on Russian-linked laundering networks has described systems that allegedly supported organized crime groups, cybercriminals, sanctioned elites, and espionage-related activity, showing how financial channels can connect profit-driven and political activity in the same hidden system. In my view, this is one of the most important parts of understanding gray-zone power. Money is not just a resource. It is movement. It allows actors to rent infrastructure, buy silence, fund political media, support friendly parties, pay intermediaries, hire hackers, move goods, and reward officials. When money is hidden well enough, responsibility becomes harder to prove. That is the strategic value. It is not just about getting rich. It is about making power harder to trace.

Cyber operations add another major layer to Eastern Europe’s gray-zone networks. Cyber activity can involve espionage, ransomware, distributed denial-of-service attacks, data theft, sabotage, election targeting, and attacks against critical infrastructure. The EU cybersecurity agency ENISA reported analyzing 4,875 cybersecurity incidents from July 2024 through June 2025, showing how large and active the cyber threat environment has become for Europe. Microsoft’s 2025 Digital Defense Report also states that nation-state actors have evolved their cyber and influence operations with more advanced, targeted, and scalable tactics, including the use of AI to support large-scale influence campaigns. What makes cyber activity especially useful in the gray zone is that it creates pressure without always requiring visible force. A cyberattack can disrupt a government service, leak sensitive data, damage public trust, or create confusion before an election. At the same time, attribution can be slow and politically contested. Even when experts have strong evidence, public response is still difficult because cyber operations often sit below the threshold of war. That gives attackers room to test limits. They can probe systems, steal information, harass institutions, or amplify political division without triggering the same response that a conventional military strike might cause. This is why cyber activity should not be separated from the rest of the project. It is not just a technical subject. It connects to logistics, sanctions, propaganda, and organized crime. Hackers may steal data that later becomes part of an influence campaign. Cybercriminal groups may overlap with state interests. Ransomware payments may move through laundering networks. Disruption against energy, transport, banking, or government systems may create political pressure at exactly the moment when a state is already dealing with border incidents, protests, or disinformation. In the gray zone, cyber operations are not always about destroying systems outright. Often, they are about weakening confidence, slowing decision-making, and making institutions look incapable.

The influence dimension may be the hardest part to measure, but it is one of the most important. Disinformation, propaganda laundering, hacked materials, political pressure, fake media ecosystems, manipulated narratives, election interference, and Telegram networks all operate by targeting trust. The European External Action Service describes foreign information manipulation and interference, including disinformation, as a growing security and foreign policy threat to the European Union, and it has built up capabilities since 2015 in response to Russian disinformation campaigns connected to aggression against Ukraine. EUvsDisinfo, the EEAS East StratCom Task Force project, was also created in 2015 to forecast, address, and respond to ongoing Russian disinformation campaigns affecting the EU, its member states, and neighboring countries. What stands out to me is that influence operations are not always designed to make people believe one clear lie. Sometimes the goal is more subtle than that. The goal is to exhaust the public. Make citizens doubt every institution. Make every election look rigged. Make every court ruling look political. Make every news story feel like propaganda. Make every government response seem either too weak or too aggressive. That kind of pressure does not need to win a debate in the normal sense. It just needs to make democratic societies slower, angrier, more divided, and less confident in their own systems. Telegram is especially important in this area because of its role in the Russia-Ukraine war and broader Eastern European information space. Research from the Atlantic Council has described Telegram as a major platform in Eastern Europe and a central space for Russian efforts to influence perceptions in occupied Ukrainian territories. This matters because Telegram does not function like a traditional newspaper or broadcast outlet. It is fast, fragmented, anonymous, and difficult to fully monitor. Narratives can move through channels, reposts, screenshots, and influencer-style accounts before governments or journalists can respond. This creates an advantage for actors who want confusion more than credibility. In my view, that is one of the defining features of the modern gray zone. Speed often beats accuracy, and uncertainty becomes a weapon.

Paramilitary and proxy networks need to be handled carefully. They should not be glorified. They are not romantic resistance actors just because they use flags, slogans, or ideological language. In gray-zone systems, these groups can function as tools of coercion, intimidation, recruitment, territorial influence, and deniability. They can pressure communities, protect illicit routes, threaten political opponents, recruit fighters, and create local facts on the ground without always exposing the state or political sponsor behind them. NATO includes the deployment of irregular armed groups within the broader set of hybrid methods used to blur the line between war and peace. The strategic value of these groups comes from separation. A state or political actor can benefit from their actions while claiming limited control over them. That separation does not have to be perfect. Everyone may suspect who is backing whom. But suspicion is not always enough for legal or military response. That is the logic of deniability. It raises the cost of response for the target while lowering the immediate cost for the sponsor. At the same time, paramilitary and proxy networks can create long-term instability because they do not always remain obedient. Armed groups develop their own leaders, funding sources, grievances, and survival interests. Once they become embedded in local politics or criminal economies, they can become harder to control than the sponsor originally expected. This is where hybrid warfare theory becomes useful, but only if we keep it grounded. The point is not to make the concept sound more complicated than it is. The basic pattern is direct enough: actors use unofficial or semi-official tools to gain leverage while avoiding direct responsibility. That can mean armed networks, cyber proxies, criminal logistics, disinformation outlets, or political intermediaries. In Eastern Europe, these tools matter because the region contains contested borders, post-Soviet political legacies, unresolved territorial disputes, and deep competition over alignment with Russia, NATO, and the EU. In that environment, proxy networks do not need to win open battles to matter. They only need to intimidate, destabilize, recruit, or create uncertainty.

Gray-zone conflict is not always about immediate control. Often, it is about institutional exhaustion. That means making governments spend time, money, credibility, and political energy responding to constant pressure. A cyberattack here. A corruption scandal there. A border provocation. A suspicious shipment. A disinformation spike. A migrant-smuggling incident. A leaked document. A protest amplified online. Each event may appear separate, but together they can drain institutional focus. This is why gray-zone activity is so difficult for democracies to respond to. Democratic governments are built around law, procedure, transparency, and public justification. Gray-zone actors exploit those same requirements by moving faster than institutions can explain what is happening. This does not mean democracies should abandon accountability or rule of law. That would only help the actors trying to weaken them. But it does mean that institutions need to understand patterns faster. They need to treat suspicious events not only as isolated cases but as possible parts of a broader system. The EU has created sanctions frameworks targeting destabilizing Russian activities, including actions that undermine security, stability, independence, and integrity of the EU, its member states, partners, third countries, and international organizations. That kind of response matters because gray-zone threats are not only military. They are political, financial, informational, and social. In my view, the most dangerous part of gray-zone activity is that it attacks the trust required for institutions to function. A country does not collapse only because an enemy defeats its army. It can also weaken when citizens no longer believe courts are fair, elections are real, borders are controlled, media is reliable, or leaders are capable. That is the deeper objective behind many pressure campaigns. The goal is not always conquest. Sometimes the goal is paralysis.

The purpose of “Eastern Europe Gray-Zone Networks” is to map patterns, identify mechanisms, connect local events to regional systems, and understand how conflict functions when it is spread across borders, markets, digital platforms, and political institutions. This project is not just about collecting examples. It is about asking how those examples connect. A sanctions loophole may connect to a shipping route. A shipping route may connect to a shell company. A shell company may connect to a political donor, a corrupt official, or a procurement network. A cyberattack may connect to a disinformation campaign. A disinformation campaign may connect to an election, a protest, or an effort to weaken support for Ukraine. The goal is to see the structure beneath the event. This project should also avoid a narrow one-actor explanation. Russia is a major factor, especially because of its war against Ukraine, its pressure against NATO’s eastern flank, and its long history of influence operations. NATO has stated that Russia remains the most significant and direct threat to Allied security and has strengthened its eastern flank as a response to Russia’s pattern of aggressive behavior. But Eastern Europe’s gray-zone systems are also shaped by organized crime, local corruption, border vulnerabilities, energy dependency, economic pressure, and actors who may not care about ideology at all. Some networks exist because they are profitable. Some exist because the state is weak. Some exist because foreign powers find them useful. Usually, the reality is some mixture of all three. In practice, this means the project should study mechanisms more than slogans. Who moves goods? Who controls routes? Who benefits from weak enforcement? How do financial flows move? Which platforms spread narratives? Which actors gain from public distrust? Where do criminal and political interests overlap? What institutions are being tested? These are the kinds of questions that make the project more than a general regional security overview. They turn it into actual analysis.