Adrian Alexandru Stinga

By the Time You See the Attack, You're Already Late

This article is part of Europe Through 2028, Part Two

Europe’s eastern frontier isn’t facing a wave of infrastructure attacks. It’s facing something harder to see and harder to stop: access being built and held in reserve, ahead of 2028.

There’s a particular kind of threat that doesn’t show up in incident reports, because nothing has happened yet. No outage. No ransom note. No breach disclosure. Just a foothold: quiet, persistent, established inside a system that matters, sitting there, doing nothing, waiting.

That waiting is the point. And right now, across Europe’s eastern frontier, it’s the trend worth watching.

In an earlier assessment, I described what I called the build: influence infrastructure being assembled well ahead of Europe’s 2028 election supercycle. Aged accounts. Cultivated operators. The slow, patient construction of a perception-shaping capability that wouldn’t be switched on until the moment it mattered. The unsettling part wasn’t any single piece of content. It was the timing: someone was getting ready.

This is the second half of that story. And the build has grown a harder edge.

From narratives to the systems underneath
Over recent months, the same ecosystems I’d been watching curate accounts and recruit operators started orienting toward something else entirely. Not narratives. Systems: the physical and digital infrastructure a state depends on to function.

The shift is one of emphasis, not a clean break. The actors are the same. The forums are the same. But the conversation has moved from what people believe to what keeps the lights on. Among groups whose behaviour and targeting line up consistently with a single state’s strategic interests, there’s been a sustained rise in stated intent and observable interest against national-security-relevant infrastructure.

Here’s the logic shift that matters. Influence operations shape perception. Infrastructure targeting shapes leverage: the ability to threaten, disrupt, or signal at a moment of your own choosing. Pursued together, they’re not two separate campaigns. They’re two halves of one pressure capability, aimed at the same horizon.

And critically: what’s rising is posture, not yet impact. The interest is up. The recruitment is up. The orientation is up. A wave of destructive events is not. That distinction is the whole game, because it means defenders still hold the initiative, for now.

Access is the asset, not the action
This is the idea I most want to land, because it reframes how you should read everything else.

Access to a critical system (quietly established, never used) is not a failed attack. It’s a capability. It’s a loaded option held in reserve, and it carries strategic weight whether or not anyone ever pulls the trigger. The infrastructure analogue of the aged social media account: valuable precisely because it’s patient.

That changes the defensive question. You stop asking “has anything been disrupted?” and start asking “is anyone already inside, just waiting?” The decisive activity isn’t the disruption. It’s the establishment of access during the quiet build phase, which is exactly the window where you can still deny it.

Two targets keep surfacing: sovereign AI and power
When you watch this kind of discourse long enough, you stop chasing individual mentions and start noticing gravity: the targets the conversation keeps bending toward. Two keep recurring.

Sovereign AI (national and regional efforts to build independent AI capability) is attractive precisely because it’s strategic and new. It concentrates sensitive data, computational dependency, and national prestige into systems that are being stood up fast and haven’t yet earned decades of operational scar tissue. They’re emergent, which means they’re soft. For an adversary, interest in a state’s sovereign AI is interest in that state’s future autonomy. Compromise it early, and you constrain a rival’s independence before it’s fully built: a long-horizon move that fits a 2028 mindset exactly.

Power systems are the older, more familiar prize. Their appeal is the cascade. Electricity sits upstream of nearly everything: communications, water, finance, healthcare, the state’s own ability to respond to a crisis. You don’t need to cause an outage to extract value. The credible ability to hold power infrastructure at risk is, by itself, a standing instrument of pressure.

Neither is chosen for being easy. Both are chosen for leverage, for what their disruption would signal and cascade. That’s the tell that this is coercion logic, not profit logic.

One sponsor, many deniable hands
The groups driving this are best understood as aligned with a single state sponsor, not as its employees.

The relationship is rarely a chain of command. It’s closer to alignment and tolerance: nominally criminal crews whose targeting happens, again and again, to serve a state’s strategic interests, operating in an environment where that activity is permitted, encouraged, or quietly nudged, while any formal connection stays deliberately blurry.

That blur is a feature, not a bug. Route strategic targeting through ostensibly independent criminals and the sponsor buys plausible deniability, while defenders inherit an attribution problem. An intrusion that looks financially motivated may be strategically directed. Crime, in other words, can be statecraft wearing a criminal coat.

The practical takeaway for defenders is uncomfortable but clarifying: treat alignment as a working hypothesis, not a settled fact. Assume some share of what presents as opportunistic crime is strategically oriented, and prioritize the targets a state would value over the ones a purely financial actor would pick.

(A note I keep on every assessment of this kind: “state-aligned” is an analytic read on behaviour and targeting, not a legal attribution. I name no state here, and that discipline matters more than ever when the whole adversary model depends on ambiguity.)

The recruitment surge is the tell
Ambition needs operators. And the clearest signal that the infrastructure orientation is meant to last, not flare up once and fade, is who’s hiring.

Across Telegram and dark web forums, nearly all the ransomware-as-a-service operations in the aligned cluster are visibly scaling their recruitment. Where the influence layer ran on selective, reputation-based recruiting, the infrastructure layer looks broader and more urgent. The pattern reads like staffing for volume and continuity: building bench depth for sustained operations against hard targets, not hand-picking a couple of trusted hands for a one-off.

And here’s what makes it intelligence rather than noise: the rise is cluster-wide. Individual crews expand and contract constantly; that’s normal underground churn. But an entire aligned ecosystem increasing its intake in the same window, oriented at the same target categories, points to a shared driver behind all of them. That simultaneity is the signature of directed pre-positioning.

The honest caveat: most of this is inferred from surface activity. The real tempo is almost certainly higher than what shows openly. Recruitment that runs through private, trust-mediated channels stays, by design, below the line.

Why this is a sovereignty problem, not just a security one
The reason this deserves attention isn’t the prospect of one dramatic, made-for-headlines event. It’s the compounding effect of access being quietly established across exactly the systems a state can’t afford to lose control of.

Cascade. Power sits upstream of everything. Access converts a narrow technical foothold into broad societal leverage.
Signal. Even held in reserve, demonstrated capability against strategic systems is a message. It shapes the calculations of decision-makers under pressure — coercion that works without ever being used.
Sovereignty. Shaping or compromising emergent national capability, sovereign AI above all, is a way to constrain a rival’s future autonomy before it’s fully established.

Together, those move the infrastructure front out of the security bucket and into the strategic one. This is leverage over how a society functions and what it can become, which is why the response has to be owned at the level of national resilience, not left to individual operators to figure out alone.

Two fronts, one horizon
Read the narrative build and the infrastructure build together and you get the real picture: a combined coercion capability maturing toward the same fixed date.

Perception-shaping makes a population more susceptible at the precise moment infrastructure pressure is applied. Infrastructure pressure lends weight to narratives that would otherwise be dismissed. A campaign that can do both at once, at a chosen moment, is worth more than the sum of its parts, and the build phase is the only phase where it stays stoppable.

What an accelerating front looks like
No single indicator proves anything. Their value is cumulative: convergence across several, over time, is what separates directed pre-positioning from ordinary underground activity. The things I’m watching for, in combination:

A simultaneous, cluster-wide rise in recruitment across aligned groups.
Target-category drift in discourse: sovereign AI, power, and grid displacing purely financial chatter.
An access-not-action posture: footholds established and held rather than immediately cashed out.
Proxy proliferation: new “criminal” groups whose targeting keeps lining up with one state’s interests.
Cross-border simultaneity: comparable infrastructure targeted across several frontline states at once.
Front convergence: the same ecosystems active across both the narrative and infrastructure layers.

The window is the build
If there’s one thing to take from all of this, it’s that the decisive activity is the establishment of access, not its use. Which means the highest-leverage defensive moves are anticipatory:

Hunt for quiet, persistent footholds on the assumption that someone is already establishing and holding them. Apply national-resilience-grade protection to sovereign AI and power as the strategic assets they are. Defend against the state-relevant hypothesis where “criminal” targeting aligns with a state’s interests. Track recruitment as a leading indicator. Coordinate across borders now, while there’s still time to make detection mature. And analyse the two fronts together, because separately neither one tells you the truth.

Quiet, persistent access to a strategic system is not a failed attack. It’s a capability waiting for the moment it’s needed, and it’s being built now, in the one phase where it can still be denied.

The defender’s advantage hasn’t changed since Part One. It’s time, spent now, on denying access before it becomes leverage.

This is a strategic forecast describing patterns, intent, and trajectories observed across monitored dark web and Telegram ecosystems, interpreted through more than a decade of HUMINT and open-source experience in Eastern European, Russian-language, and hybrid-warfare environments. It names no state, actor, group, infrastructure, or jurisdiction, and contains no operational or technical detail. “State-aligned” reflects an analytic assessment of behavioural and targeting alignment, not legal attribution. Published TLP:CLEAR for the broadest defensive benefit.

Almost all the ops start recruiting from underground/dark web/Telegram