Executive Summary 

We assess that the seeming increase in the past few years in exposure of intelligence services’ covert actions is driven, at least in part, by those agencies’ increased reliance on untrained proxies, as well as targeted nation states’ improved defensive exploitation of digital footprints. Though Russia, Israel, and the U.S. remain highly visible players in the covert action landscape, China and Ukraine are becoming increasingly active and recent operations by Iran, India, and the United Arab Emirates make for a crowded field. We do not see any indication that nation states’ reliance on the so-called “third option” will decline in the coming years, and we cannot rule out covert action becoming a more readily relied upon tool of statecraft in the next decade.

Key Judgements 

KJ-1. Continuing longstanding and robust covert action programs by established intelligence services in the U.S., Russia, and Israel are now joined by similar efforts by China and state players in South Asia and the Middle East, and we do not see any indications that this trend will reverse course.

1. Iran. On 13 November 2025, the Canadian Security Intelligence Service (CSIS) reportedly foiled lethal Iranian operations against individuals perceived as Tehran’s enemies in Canada. On 8 November 2024, the U.S. Department of Justice (DOJ) charged an Iranian Revolutionary Guard Corps (IRGC) asset with the attempted assassination of Donald Trump. In late 2024, Mexican security services disrupted an IRGC plan to assassinate Israel’s ambassador to Mexico. DOJ in 2022 charged two IRGC assets with plotting the assassination of an outspoken critic of Iran’s government in New York City and charged an IRGC member with plotting to assassinate former U.S. National Security Advisor John Bolton. [source, source, source, source, source]
2. India. In early November, international press reporting revealed that communications intercepted by British and Canadian intelligence implicate high level Indian government officials in the assassination of a Sikh leader in British Columbia in 2023; FBI foiled a similar plot against a Sikh activist in New York that same year. Since 2021, India’s Research and Analysis Wing (R&AW) has executed a program to take out India’s enemies in Pakistan. Since 2020, Disinfo Lab, founded by former R&AW officer, coordinated smear campaigns through disinformation, fake accounts on social media, and dossiers, to target U.S. voters and legislators of Indian origin, including domestic critics of Modi’s government. [source, source, source, source, source, source]
3. UAE. As of February 2025, according to an assessment by the Transnational Institute, the UAE served as a base for “financing, logistics, media, PR and political activities” for the paramilitary Rapid Support Forces (RSF) involved in the ongoing conflict in Sudan. An Al Jazeera investigation in 2020 claimed UAE involvement in Yemen, including “commercial aircraft for arms transfers and charities as a façade for military and intelligence operations.” [source, source]
4. China. NewsGuard in 2024 reported that pro-China social media and blog accounts spread propaganda that an experimental U.S. military weapon was at fault for the August 2023 Maui wildfires.The following month, 85 identical posts falsely stated that British Foreign Intelligence, MI6, had confirmed the story. [source]
5. Ukraine. Kyiv’s intelligence services’ covert actions deep inside Russia, including assassinations and the now famous Operation Spiderweb, are well documented in international press. Ukraine has also actively engaged in covert action against Russian interests in Africa, including in Sudan, Mali, and Libya, according to international press and an assessment by the Carnegie Endowment for International Peace. [source]
6. Israel. Mossad in September 2024 targeted Hezbollah operatives in Lebanon and Syria via thousands of exploding pagers and hundreds of exploding hand-held radios, which were compromised in a supply-chain operation. Mossad’s assassination of Iranian nuclear scientists, black-bag operations to steal Iranian nuclear documentation, and other covert activities to disrupt Tehran’s nuclear program are widely reported. [source, source]
7. Russia. On 18 November 2025, Polish Prime Minister Donald Tusk accused two Ukrainian citizens of blowing up a railway line in Poland on the behalf of Russian intelligence. Between January and April 2025, 122,607 flights in Swedish, Finnish, Polish and Baltic airspace were affected by GPS disturbance, later linked to devices in Kaliningrad, St. Petersburg, Smolenk and Rostov. On 4 September 2024, the U.S. justice department seized over 30 domains used in Russian disinformation campaign, Doppelganger, where Western media outlets were impersonated to spread narratives undermining Western support for Ukraine. [source, source, source]
8. The U.S. Reuters, citing two U.S. government sources, on 23 November reported that U.S. operations toward Venezuela were moving into a new phase and would likely involve covert operations; President Trump earlier publicly announced that he authorised CIA covert action inside the country. The Washington Post this month revealed that the CIA executed a decade-long covert action program to modify poppy seeds in Afghanistan in an attempt to weaken the potency of the country’s billion dollar opium crop. [source, source]

KJ-2. Some state-sponsored covert action operations are coming to light due to a reliance on untrained, amateur proxies. 

1. Europol’s European Union – Serious and Organised Crime Threat Assessment (EU-SOCTA) 2025 reports that criminal networks are, for financial gain, increasingly directly and indirectly connected to external hybrid threats from state actors. [source]
2. The Center for European Policy Analysis (CEPA) in October 2025 reported that Russian children have been increasingly linked to attempted acts of sabotage since 2022. Minors in Russia are routinely recruited for sabotage operations, namely, arson, setting fire to railway equipment, and explosions on military bases. [source]
3. The Irregular Warfare Center (IWC) warned in December 2024 that state continued involvement with non-state actors often backfires as the criminal, untrained nature of these networks opens the floor to investigations, interdiction, and, in extreme cases, betrayal. [source]
4. Iran reportedly used Swedish gangs as criminal proxies to carry out violent attacks against other European countries, groups or individuals, as of December 2024. [source]
5. MI5 Director General Ken McCallum in October 2024 stated that 20 Iranian backed plots against the UK involved IRGC’s and Iranian Ministry of Intelligence and Security (MOIS)’s use of “criminals as proxies.” [source, source]
6. In September 2024, Russia’s Federal Security Services (FSB) arrested a pair of sixteen year olds who admittedly accepted $20,000 from an unknown man on Telegram to carry out an arson attack on a helicopter at a military airbase in Omsk, Western Siberia. [source]

KJ-3. Digital footprints increasingly offer insight into covert actions, likely exposing these operations more frequently than in the past. 

1. Former United States Assistant Secretary of Defence for Special Operations and Low Intensity Conflict explained during the 2025 event hosted by the Center for Strategic and International Studies (CSIS) that some of the US’s “less sophisticated” adversaries have a social media presence, a digital presence that can be tracked and analysed. [source]
2. Google Threat Intelligence Group Chief Analyst John Hultquist in 2023 told MIT Technology Review Magazine that a Chinese false flag operation in which a cyberattack was made to look like it was coming from Iranian actors was uncovered using online patterns from other internet espionage investigations. [source, source]
3. Hultquist also stated that the analysis of recurring covert action incidents will identify “pieces that will distinguish the operator or their sponsor”; once these pieces are connected to other operations, deception loses effectiveness over time. [source]
4. A joint investigation in 2019 by Bellingcat, German newspaper Der Spiegel, and The Insider Russia exposed a Russian assassination operation by tapping into ubiquitous technical surveillance (UTS) data, accessing passport databases and visa records. The killer used a non-biometric Russian passport in the name of Vadim Andreevich Sokolov, provided by the Russian state to kill Zelimkhan Khangoshvili, a Georgian citizen living in Germany, one of Russia’s enemies. Bellingcat also used publicly accessible digital data to expose Russian intelligence assassins involved in the plot against Sergei Skripol in the U.K. in 2018. [source, source]

Statement on Analysis 

We have high confidence in our assessment as the information used was collected from threat intelligence experts, Europol, and declassified intelligence reports. The strengths of this report lie within the use of first-hand information from actors in the field, as well as the primary examples of (failed or uncovered) covert operations that have found their way to the public knowledge domain. 

We acknowledge that the secretive nature of covert actions, and efforts to investigate such, preclude public access to some information, which could leave gaps in our understanding of the full situation. We cannot rule out the possibility that the recent exposure of some covert action was due to poorly executed operations, beyond choosing untrained proxies. Likewise, we cannot rule out the possibility that increased exposure of covert actions reflects an increase in the actual number of such operations worldwide (a lack of reliable baseline data precludes a sound assessment on this front).

Intelligence Cut-off Date: 23 November 2025