Russia’s Proxy Cyber War: How youths and foreign nationals are being recruited for espionage

In its latest assessments, the Metropolitan Police has flagged an alarming trend: Russia and other hostile states are attempting to recruit children and adolescents in the UK to perform espionage, sabotage, and reconnaissance tasks.

This effort forms part of a broader strategy in which Moscow leverages social media and manipulation to enlist youth or foreign nationals as assets.

The Met’s warning is stark. In statements cited by media, Commander Dominic Murphy, head of the Met’s counterterrorism unit, said that schoolchildren - some as young as 13 - are being approached online by Russia, Iran and China and offered money or other incentives to carry out clandestine tasks.

The Met emphasises that efforts to recruit minors in the UK reflect a shift in tradecraft: adversarial intelligence services no longer need to rely solely on hardened agents when they can exploit youth with digital skills, minimal oversight, and a craving for quick gain or recognition.

This pattern resonates with the recent arrests of two 17-year-old Dutch teenagers suspected of gathering wireless scanning data near Europol and Eurojust. Dutch authorities believe these youths were directed via encrypted messaging to perform reconnaissance for Russian hacker groups. In effect, the same playbook of recruit remotely, give limited tasks, and maintain plausible deniability is being deployed across borders.

A potential enabler of this strategy is the proliferation of affordable, potent hacking and wireless tools. Devices such as the Flipper Zero are publicly sold on global platforms and marketed for hobbyist use, but carry capabilities sufficient for reconnaissance, wireless scanning, and spoofing of RFID/NFC systems. Their ubiquity, coupled with ready access to tutorials and hacking communities, lowers the barrier for youths to become operational proxies.

The tactic is not purely digital. In the UK, prosecutors recently secured convictions in an arson attack against a warehouse storing aid for Ukraine. Investigators linked the operation to Russia’s Wagner group, carried out through intermediaries recruited specifically to do the damaging work in a deniable fashion.

Similar arrests across Europe of foreign nationals accused of spying for the Kremlin indicate a concerted campaign to flood the operational space with proxies who leave little trace back to Russia.

At the same time, the Kremlin currently benefits from an overlapping cyber-crime ecosystem, where Russian criminal groups and Russian state actors increasingly converge a trend that poses profound risks for European security.

Europe has already seen the encroachment of Russian-linked cyber-crime groups, with young collectives such as Scattered Spider and Lapsus$ Hunter maintaining ties to major Russian ransomware operations like Qilin, AlphV, and RansomHub.

The overlap is not hypothetical: the Conti leaks revealed significant crossover between a leading ransomware syndicate and the Russian state. With More western cybercrime groups forming partnerships or adopting Russian Ransomware-as-a-Service (RaaS) for their attacks it’s a realistic possibility that the Russian state could get its tendrils into these English-speaking cybercrime communities and manipulate them to do its bidding.

Taken in sum, the Met’s warning is not isolated but part of a converging pattern: intelligence actors increasingly exploiting youth and foreign nationals, empowered by consumer hacking devices and remote recruitment, to conduct espionage, sabotage, and reconnaissance with minimal exposure.

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).