Expendable Assets: Russia's New Spy Networks Across Europe

In the spring of 2022, Russian embassies across Europe underwent a sudden and visible contraction. Parking lots in Prague, Warsaw, The Hague, and Berlin emptied. Communications equipment went quiet. Over the following months, more than 600 Russian diplomatic personnel were expelled from European and allied countries in a coordinated wave that dismantled the most extensive intelligence infrastructure Moscow had built since the end of the Cold War. Most of these diplomats were not diplomats at all. They were intelligence officers operating under cover of embassy postings, running agents, collecting information, and managing networks that had taken decades to construct. Their departure was supposed to blind Russian intelligence services across the continent. It did not.

By early 2026, European counterintelligence agencies had identified a structural transformation in Russian espionage operations. The embassy-based model was gone. In its place, a new architecture had emerged, built not on professional intelligence officers but on recruited civilians, third-country nationals, and people who had never set foot inside a Russian diplomatic compound. In March 2026, the German Federal Prosecutor arrested a Romanian woman in North Rhine-Westphalia and a Ukrainian man in Spain, both charged with conducting espionage for a foreign intelligence service. Their alleged target: a German entrepreneur who supplies drones and drone components to Ukraine. The case was not an anomaly. It was a data point in a continental pattern.

The Purge That Changed Nothing

The scale of the 2022-2023 diplomatic expulsions was without precedent in postwar Europe. Germany alone expelled 40 Russian diplomats in April 2022, the largest single action of its kind in the country's history. Poland, the Czech Republic, the Baltic states, France, and the Netherlands followed with their own rounds of expulsions. The coordinated campaign hit all three of Russia's intelligence services: the GRU, responsible for military intelligence; the SVR, which handles foreign political intelligence as successor to the KGB's First Chief Directorate; and the FSB, the domestic security service that also conducts extensive operations abroad, particularly in former Soviet states.

Each of these services had maintained substantial presences inside Russian embassies and consulates. Their officers recruited and handled agents, gathered technical intelligence, conducted influence operations, and in the case of the GRU, planned and executed covert actions. When European governments identified and expelled them, they removed not just individuals but institutional nodes: officers who understood local languages, maintained long-term relationships, and knew how to navigate the operational environment.

The expectation in many Western capitals was that this would cripple Russian intelligence for years. The reality proved different. By 2023, the BfV and its European partner agencies were detecting new recruitment patterns. Russia's intelligence services were rebuilding, but not by the old blueprint.

From Diplomats to Disposables

The new model relies on recruited civilians rather than trained intelligence professionals. The March 2026 arrests in Germany illustrate the pattern. Neither suspect was a Russian citizen. A Romanian and a Ukrainian, they fit the profile of what intelligence professionals term "agents" rather than "officers" - people recruited to perform specific tasks, lacking the training, institutional affiliation, and legal protections of career intelligence personnel.

This distinction matters more than it might appear. An intelligence officer posted to an embassy carries diplomatic immunity, answers to a chain of command, and operates within a professional structure that provides support, extraction plans, and career continuity. A recruited civilian has none of this. If caught, they face prosecution under local law. If compromised, their handler can simply disappear. If convicted, Moscow will not negotiate their return.

The same pattern has appeared across the continent. In the United Kingdom, authorities convicted six Bulgarian nationals in 2025 for operating a Russian spy ring that conducted surveillance on Kremlin opponents, journalists, and Ukrainian troops across Europe. In the Netherlands, the AIVD publicly warned about Russian attempts to recruit agents from diaspora communities. Poland has arrested dozens of individuals, predominantly foreign nationals, for passing information to Russian intelligence. Estonia convicted a university professor in 2024 who had been a GRU asset for decades. In each case, the agents were local nationals or third-country citizens, not Russians operating under diplomatic cover.

For Moscow, the logic is straightforward. Civilian recruits are cheaper to run than embassy-based officers. They attract less counterintelligence attention. They can be recruited in volume through financial incentives, ideological sympathy, or coercion. And when they are arrested, the diplomatic cost is zero. No ambassadors are summoned. No reciprocal expulsions follow. The Russian Foreign Ministry issues no statements. These agents are, in the strategic calculus of Russian intelligence, expendable.

The Cold War Playbook, Updated

The use of agents without official cover is not a Russian invention of the post-2022 era. The Soviet Union operated extensive networks of so-called "illegals" throughout the Cold War, agents who lived under false identities in Western countries without any connection to Soviet diplomatic facilities. The KGB's First Chief Directorate maintained an entire division, Directorate S, devoted to training and managing these networks. Rudolf Abel, arrested by the FBI in New York in 1957, became the archetype. The "Illegals Program" broken by American counterintelligence in 2010, which led to the arrest of ten SVR agents including Anna Chapman, demonstrated that Russia maintained the capability well into the twenty-first century.

But the post-2022 recruitment differs from these precedents in critical ways. Cold War illegals were career intelligence officers who spent years building cover legends, learning languages, and integrating into target societies. They were strategic assets, expensive to produce and carefully protected. The new generation of recruited agents are civilians with minimal intelligence training, often tasked with specific, limited assignments: surveillance of a particular individual, photography of a facility, collection of publicly available but operationally relevant information.

The quality has declined, but the volume has increased. Where the KGB might spend a decade preparing a single illegal for deep-cover placement, today's GRU or SVR handler can recruit multiple agents in a matter of weeks through encrypted messaging platforms. This digital dimension creates new capabilities and new vulnerabilities simultaneously. Encrypted apps allow rapid, remote tasking without physical meetings. They also generate metadata, connection patterns, and digital traces that Cold War dead drops never did.

The Three Services and Their European Territories

Understanding which of Russia's intelligence services likely operated the German network matters for assessing the broader threat. The three agencies maintain overlapping but distinct mandates in Europe, and their post-2022 adaptation has followed different trajectories.

The GRU, as military intelligence, focuses on defense technology, military logistics, and weapons supply chains. Its operational culture is more aggressive and risk-tolerant than the SVR's, a pattern documented across multiple European operations. GRU Unit 29155 has been linked to the attempted assassination of Sergei and Yulia Skripal in Salisbury in 2018, the explosion at an ammunition depot in Vrbětice, Czech Republic, in 2014 (publicly attributed only in 2021), and a series of destabilization operations across the continent. GRU Unit 74455, known as Sandworm, has conducted cyberattacks against Ukrainian and European infrastructure. The targeting of a German drone supply chain entrepreneur fits the GRU's military-technical mandate more naturally than the SVR's political intelligence focus or the FSB's diaspora-oriented operations.

The SVR operates more cautiously, preferring long-term penetration of political institutions and foreign policy establishments. Its post-2022 challenge has been acute: the SVR relied most heavily on diplomatic cover, and the expulsions hit its officer corps disproportionately. The FSB, whose foreign operations concentrate on former Soviet states and Russian-speaking communities, has adapted by intensifying recruitment within diaspora networks, a method that requires less institutional infrastructure than embassy-based operations.

A Continent of Arrests

The German case joins a growing catalog. Across Europe, espionage arrests involving Russian intelligence have surged since 2022, creating a picture that individual national headlines rarely convey.

The Czech Republic's Security Information Service, the BIS, has been among Europe's most assertive agencies in documenting the Russian intelligence threat, driven in part by the revelation that the 2014 Vrbětice ammunition depot explosion was a GRU operation that killed two Czech citizens. Since then, Prague has maintained a posture of active counterintelligence and public attribution that few European governments have matched.

Austria, whose traditional neutrality made it a Cold War intelligence hub, continues to feature prominently in Russian operations. The country's domestic intelligence agency, the BVT, has investigated multiple cases of Russian intelligence activity, though Austria's political establishment has been slower to act than its Central European neighbors.

France's DGSI has documented a persistent Russian intelligence presence despite the diplomatic expulsions, confirming what counterintelligence professionals had warned: removing known officers does not remove the operational imperative. Russia still needs intelligence on European defense commitments, arms transfers to Ukraine, and political decision-making. The demand drives the supply, regardless of the institutional form it takes.

The conviction rate for espionage in European courts remains low. Intelligence agencies resist exposing sources and methods in open judicial proceedings. Evidence gathered through signals intelligence or human penetration of foreign services is difficult to present without compromising ongoing operations. The result is a gap between detection and prosecution that favors the attacker. Many identified agents are quietly expelled or allowed to leave rather than prosecuted.

Hybrid Warfare by Accumulation

Espionage arrests are one visible element of a broader Russian hybrid campaign against Europe that has intensified since the full-scale invasion of Ukraine. The spy networks do not operate in isolation. They function alongside sabotage operations, cyberattacks, disinformation campaigns, and interference with critical infrastructure.

Suspected Russian-linked arson attacks have targeted defense-related warehouses and logistics facilities in Germany, Poland, and the United Kingdom, with investigations ongoing in several cases. GPS jamming and spoofing incidents in the Baltic region, attributed to Russian military electronic warfare systems, have disrupted commercial aviation and maritime navigation. Cyberattacks by Russian state-sponsored groups, notably APT28 (Fancy Bear) and Sandworm, have targeted European government systems and critical infrastructure. Disinformation campaigns aimed at eroding public support for Ukraine have been documented by the EU East StratCom Task Force across multiple member states.

NATO's Strategic Communications Centre of Excellence has classified these activities not as isolated incidents but as elements of a coherent hybrid strategy. The strategic logic connecting them is consistent: degrade Europe's capacity and political will to sustain support for Ukraine. Espionage gathers the intelligence needed to target supply chains and identify vulnerabilities. Sabotage exploits those vulnerabilities. Cyber operations disrupt coordination. Disinformation erodes the political consensus that enables the entire effort. Each tool serves a distinct tactical function within a unified strategic framework.

The Escalation Calculus

Hybrid warfare operates below the threshold of armed conflict, but the threshold is not a fixed line. It is a zone that shifts with perception and response. Each Russian operation that goes unanswered tests where that zone ends and what, if anything, lies beyond it.

No European country has invoked NATO's Article 5 mutual defense clause in response to hybrid attacks, though Baltic states have raised the possibility in alliance consultations. The EU's hybrid threat instruments, including the Hybrid Toolbox established in 2022 and the Hybrid Rapid Response Teams framework approved in 2024, provide coordination mechanisms between member states but lack the enforcement capacity to impose meaningful consequences. Several European countries have tightened their espionage legislation in response to the threat. Germany increased penalties for intelligence agent activity under Section 99 of its criminal code. Poland moved to strengthen penalties for intelligence-related offenses, proposing sentences of up to 30 years for the most serious cases. But legislative reform without institutional capacity to enforce it remains largely symbolic.

The pattern suggests that Russia is calibrating its operations based on observed European responses. Where consequences are swift and concrete, operations shift to softer targets or different methods. Where responses are fragmented, slow, or purely declaratory, operations continue or intensify. This is not speculation. It is the observable behavior of a state actor engaged in systematic adversarial testing of an opponent's tolerance threshold.

The Logic of Expendability

The Romanian and the Ukrainian arrested in Germany will face prosecution, likely conviction, and prison sentences. Moscow will not acknowledge them. There will be no diplomatic incident, no spy swap, no state media coverage of their plight. This silence is not accidental neglect. It is the system working as designed.

When Russia negotiated vigorously for the return of the ten SVR agents arrested in the United States in 2010, it did so because those were trained assets representing years of institutional investment. The new generation of recruited agents does not warrant that investment. They are recruited through financial incentives that range from modest payments to tens of thousands of euros, tasked through encrypted channels, and discarded when compromised.

This disposability carries a strategic message that extends beyond the individual cases. Russia has accepted that a certain percentage of its operations will be detected and disrupted. It has built this attrition into the model. The question is not whether European counterintelligence can catch individual agents. It can, and it does. The question is whether it can catch them at a rate that exceeds Russia's capacity to recruit replacements. So far, the evidence suggests it cannot. Every arrest announced by a European prosecutor's office is a confirmed detection. But the agents who never appear in press releases, who complete their assignments and return to ordinary life, who deliver their reporting through channels that counterintelligence has not yet identified - those are the ones that define the actual balance of this intelligence contest. The arrests are the visible failures of a system that measures success by what remains unseen.