How States Run Criminals Without Ever Touching Them. No contact. No instructions. No trace. Inside the invisible architecture of state-criminal coordination.
HUMINT-Behavior Analysis Series
Most people who end up serving a foreign state's interests didn't start for money. They started because someone made them feel like they belonged to something.
By the time the money becomes the reason you stay, the ideology has done its job.
In this Q&A, Adrian Alexandru Stinga unpacks the findings from one of the last reports, 067, from the Nexus Grey Series.
The best intelligence operations are the ones nobody knows happened. But what about the ones where even the people inside the operation don't know they're part of it?
Stinga has spent almost two decades monitoring dark web ecosystems, tracking threat actors across underground marketplaces, forums, and Telegram channels. His latest report, GN-067, The Handler's Handbook, documents something most CTI analysts never look for: the invisible layer where state interests quietly shape criminal behaviour without a single direct instruction ever being given.
Q: Your report opens with the line: "The best handler is the one whose asset does not know they have a handler." That sounds like it belongs in a spy novel. But you're saying this is something you actually observed?
It's not a literary statement. It's an operational description. What I documented across the monitoring period 2014 through 2026 is that the most effective state-criminal relationships are ones where the criminal actor genuinely believes everything they're doing is their own idea (at first). They're not lying when they say nobody told them what to do. Nobody did. The environment they operated in was engineered so that their rational self-interest produced exactly the outcomes a state actor wanted. That's not espionage fiction. That's tradecraft.
Q: Let's start with the basics. When we think of a "handler" running an "asset," most people picture secret meetings, coded messages, dead drops. You're describing something completely different.
Because the model most people have in their heads, the classic intelligence handler-source relationship, involves both parties knowing the relationship exists. Both sides accept the risk. Both understand the exchange. What I observed in the criminal underground is structurally different. The handler cannot afford for the asset to know they're being managed, because the entire point of using a criminal proxy is deniability. The moment the asset knows a state is involved, that deniability is gone. So the handler's craft becomes a negative discipline: not what to do, but what to avoid doing. No direct contact. No explicit instructions. No traceable payments. No persistent infrastructure. Everything that would make the relationship visible has to be eliminated.
Q: So how does the handler actually direct the asset if they can't communicate with them?
Three mechanisms, and they usually work together.
The first is the cutout: an intermediary who carries direction from the handler to the asset without knowing they're carrying it. The cutout is typically an established criminal actor with a pre-existing organic relationship with the target asset. The handler influences the cutout's environment (what opportunities they see, what information reaches them) and the cutout naturally passes that influence forward through normal criminal community interaction. The cutout believes they're pursuing their own business. The asset believes they're hearing from a trusted criminal contact. The handler is invisible to both.
Q: That's a hard claim. How do you know the cutout isn't just a regular criminal doing regular criminal things?
From any single transaction, you can't tell the difference. That's the point: the entire architecture is designed to be indistinguishable from normal activity at the transactional level. The signal emerges from longitudinal monitoring. When you track the same actors across years, you start seeing systematic patterns that don't fit pure criminal logic. Opportunities consistent with state objectives keep reaching specific actors. The flow of those opportunities has a directionality and consistency that coincidence doesn't produce. The cutout never wonders why profitable deals keep finding them. But when you map the pattern from the outside, the engineering is visible.
Q: You mentioned three mechanisms. The cutout is one. What's the second?
Incentive engineering. This is the most sophisticated piece, and it's the one that matters most for detection. The handler doesn't tell the asset what to do. The handler calibrates the asset's environment (what opportunities reach them, what information they receive, what threats they face, what rewards they get) so that the asset's own rational calculation produces the behaviour the handler wants. The asset experiences full agency. Every decision is genuinely theirs. Every success feels earned. What they can't see is that the environment in which they're making those decisions was designed by someone they've never met.
Q: Can you give a concrete example of what that looks like?
Take financial incentive. A transaction reaches the asset through a cutout at pricing that's unusually profitable but not implausibly so. The asset takes it because it's good business. They don't ask why the pricing is generous; criminals don't question profit, they capture it. The handler set the pricing to attract the asset's participation in a specific capability development. The asset thinks they found a good deal. The handler achieved a procurement objective.
Or take protection signalling. Competitors who become problems for the asset start encountering difficulties: law enforcement attention, infrastructure takedowns, community reputation damage. The asset notices they seem to have better luck than their competitors. They attribute it to skill or connections. They don't consider that someone is clearing the path ahead of them.
Q: That sounds almost impossible to detect.
It's the hardest form to detect because the visible behaviour of the asset is genuinely their own. You're not looking for deception. You're looking for an environment that produces predictable behaviour in a self-interested actor. The detection methodology has to focus on what I call behavioural inconsistency: the systematic divergence between what the actor does and what their visible interests alone would predict.
Q: What does that look like in practice?
Four layers. First, self-interest divergence: does the actor consistently behave in ways that don't serve their visible financial or operational interests? Second, opportunity pattern analysis: does the actor's opportunity flow show systematic bias toward outcomes aligned with state objectives? Third, protection signal analysis: does the actor enjoy risk reduction that has no visible source? And fourth, network composition: do the actor's contacts include clusters of other actors who display similar inconsistency signals?
Any single inconsistency could be coincidence. Multi-layer inconsistency across sustained observation is a different signal entirely.
Q: You mentioned a third mechanism: criminal mimicry.
When the handler absolutely must communicate something that can't be engineered through incentives alone, the communication is structured to be indistinguishable from ordinary criminal-to-criminal interaction. The handler operates through a persona that presents as a criminal actor with compatible business interests. The communication discusses business in criminal community terms. On the surface, it looks like two criminals doing a deal.
Q: How do you spot the fake?
The persona leaks. Not immediately; these are well-constructed identities. But over time, longitudinal monitoring reveals patterns that don't fit. Selective transaction interest: the persona engages with state-aligned opportunities but ignores equally profitable criminal ones that have no intelligence value. Information sharing asymmetry: the persona gives more than it takes, which violates criminal community reciprocity norms. Discourse register anomalies: occasional slips into formal or analytical language, especially on the topics that matter most to the handler. And operational continuity gaps: disappearances that don't match criminal community patterns, followed by seamless returns. Real criminals don't go silent for three months and come back as if nothing happened without someone in the community noticing.
Q: This all comes from direct observation? You were watching these patterns form in real time?
Over years. Not weeks, not months. The patterns I'm describing are only visible from sustained longitudinal monitoring of the same actors, the same communities, the same infrastructure. That's what my work at Aether Intel has been for over a decade: tracking approximately 50 actors continuously through manual collection, without commercial tooling, watching their behaviour evolve across pseudonym changes, platform migrations, and jurisdictional shifts. The handler's fingerprint is in the shape of the activity over time. You can't see it from a snapshot.
Q: What's the counterintelligence takeaway?
That the most dangerous state-criminal coordination doesn't look like state-criminal coordination. It looks like a successful criminal having a good run. The detection challenge isn't technical; it's analytical. You need analysts who can hold a longitudinal behavioural baseline in their head and notice when reality diverges from what pure criminal logic would predict. That's not something an automated platform does well. It requires the kind of pattern recognition that comes from years of watching the same ecosystem evolve.
Q: Final question. The report's conclusion says the best handlers you observed were the ones you couldn't actually observe at all. If they're invisible, how do you know they exist?
Because I could see everything around them. I could see the assets they managed. I could see the cutouts they used. I could see the opportunity flows, the incentive patterns, the protection signals. I could see the systematic shape of activity that doesn't have a pure criminal explanation. The handler is the absence that explains the pattern. Detecting that absence, seeing what isn't there where it should be, is what counterintelligence analysis actually is. It's solvable. It's not easy.
Adrian Alexandru Stinga is the founder and Lead Analyst of Aether Intel, an independent Cyber Threat Intelligence practice based in Romania. GN-067 "The Handler's Handbook" is part of the GREY NEXUS deep dive intelligence series (GN-061 through GN-070), available at aether-intel.com.
The full report includes MITRE ATT&CK technique mapping, a composite operational illustration, and a four-layer detection framework for handler presence identification.
If you've observed cutout patterns in monitored criminal communities — actors whose behaviour deviates systematically from their apparent self-interest — these are high-value counterintelligence signals. Report to your national counterintelligence service.
🔗 Full report 067 and catalogue: [aether-intel.com]