Warsaw’s top security official alleges Moscow used digital tokens to fund hybrid attacks across Europe as investigators race to follow the money

Poland’s national security chief has accused Russia of paying proxy operatives in cryptocurrency to carry out a wave of hybrid attacks across the European Union, a financing method he says is designed to stay a step ahead of Western intelligence services. The allegation, made by Sławomir Cenckiewicz in comments reported on Monday, adds a volatile financial dimension to what European officials describe as a sprawling campaign of sabotage, arson and cyberattacks stretching from the Baltics to the North Sea.

Cenckiewicz, who heads Warsaw’s National Security Bureau, did not publish forensic details of the transfers. But he said the pattern emerging from Polish investigations—and from information shared with partners—suggests Russia’s military intelligence agency, the GRU, has turned to digital assets to move small payments to deniable cut‑outs. The aim, he argued, is two‑fold: to evade conventional banking controls and to exploit the speed and borderlessness of crypto rails, where funds can be split, hopped across chains, and cashed out through lightly regulated venues.

The claim arrives amid a documented uptick in so‑called hybrid activity: drones straying into NATO airspace, GPS jamming, attempted arson at logistics hubs, disruptive hacks on hospitals and water systems, and plots involving disguised explosives shipped through parcel networks. Over the summer, Polish prosecutors charged several suspects with sabotage on behalf of foreign intelligence services, while allied governments from Germany to the UK announced arrests and prosecutions tied to alleged Kremlin‑linked operations.

European security services have long warned that Moscow’s wartime tradecraft leans heavily on plausibly deniable proxies—cheap, disposable recruits found on encrypted channels, paid small amounts to start fires, scout rail lines, or place dummy devices that sow fear disproportionate to the damage. Those realities make forensic attribution difficult. Payments are typically modest—hundreds or low thousands of euros—precisely the range where consumer exchanges, peer‑to‑peer markets and prepaid cards intersect. Crypto, investigators say, is now part of that toolkit.

Analysts note that the allegation does not prove the specific use of any single token. But it lands in a market where one instrument dominates illicit flows: Tether’s USDt, a dollar‑pegged “stablecoin” that has become the de facto cash of the cryptosphere from Buenos Aires street exchanges to East Asian gray markets. Law‑enforcement bodies and independent researchers have repeatedly flagged the token’s role in scams, money laundering and sanctions evasion. For Russian actors seeking fast, cross‑border payments that feel like dollars but settle like crypto, USDt offers both ubiquity and instant finality.

Poland’s charge also dovetails with a broader European debate about how to harden critical infrastructure and financial choke points ahead of winter. Energy officials worry that even limited sabotage—say, an undersea cable incident or a drone‑related shutdown near a refinery—could ripple through supply chains and spike prices. NATO commanders, meanwhile, have been weighing more assertive rules of engagement to deter incursions without stumbling into a direct confrontation with a nuclear power.

Moscow denies orchestrating a sabotage campaign. But recent intelligence briefings shared by European and Ukrainian officials have highlighted what they call a “shadow fleet”—aging oil tankers and auxiliary vessels, often operating with obscure ownership and insurance, that skirt sanctions and may double as reconnaissance or launch platforms for drones. The maritime dimension adds another layer of complexity to attribution and response, including legal questions about interdicting suspect vessels in international waters.

If crypto is, as Cenckiewicz alleges, a financial lubricant of this hybrid ecosystem, the operational playbook is familiar. Investigators describe handlers who assemble one‑off teams via Telegram or dark‑web forums, provide GPS pins and shopping lists, and settle up with transfers that route through offshore exchanges or over‑the‑counter brokers. From there, money can be cashed out at a kiosk, moved into a prepaid card, or atomized across wallets in minutes. The same rails can also be used to purchase drones, SIM cards and anonymizing services.

The prospect of crypto‑funded sabotage puts fresh pressure on regulators. The EU has already moved to tighten its anti‑money‑laundering regime for crypto‑asset service providers and to enforce “travel rule” data sharing on transfers. Poland, for its part, has signaled additional measures to raise compliance standards and penalize non‑cooperative platforms. But experts caution that enforcement capacity—not just legal frameworks—will determine whether these rules bite. The hardest problems sit where legitimate liquidity meets gray markets: peer‑to‑peer swaps, small OTC desks, and payment gateways that blur the line between fiat and tokens.

Tether, the company behind USDt, frequently counters that it cooperates with law enforcement and can freeze funds linked to illicit activity. In March, following EU sanctions actions, the company blocked wallets associated with a sanctioned Russian exchange, leading that venue to suspend services. Those takedowns underscore both the visibility of the largest stablecoin and the paradox at the heart of the debate: USDt is simultaneously traceable enough for targeted freezes and pervasive enough to be a first‑choice instrument for bad actors until they are caught.

For intelligence services, the alleged crypto pivot is a mixed bag. On the one hand, blockchain ledgers create permanent records that can be mined, correlated with messaging data, and enriched with exchange subpoenas. On the other, the sheer volume of on‑chain activity, the proliferation of cross‑chain bridges and mixers, and the rise of privacy tools complicate rapid interdiction. Agencies can follow the money—but often too late to stop an arson attempt or a drone flight. “Crypto is not untraceable; it’s just fast,” one European investigator said recently. “In this threat model, speed is the point.”

Legal scholars point out that even if crypto is used, the locus of control often lies off‑chain: Know‑Your‑Customer files, IP logs, device fingerprints and travel data. That has led governments to intensify cooperation with compliant exchanges and to push non‑compliant ones out of the European market. It has also revived interest in “secondary sanctions” and joint task forces that combine financial‑intelligence units, cyber commands and police. The model echoes the playbook used against ransomware gangs, with more overt geopolitical stakes.

The societal impact is harder to measure but no less consequential. Hybrid operations aim to erode trust—between governments and citizens, within alliances, and in the everyday assumption that public spaces are safe. Even failed plots can achieve that effect. In countries that have absorbed large numbers of Ukrainian refugees, Russian tradecraft that recruits vulnerable migrants to carry out low‑skill tasks risks inflaming social tensions and fueling disinformation campaigns that portray allies as chaotic or incompetent.

None of this makes crypto the cause of the problem. Digital cash is a tool, and most of its global use is lawful or mundane. Still, as the European winter approaches and the security services warn of elevated risk, the financial plumbing of sabotage will attract sharper scrutiny—especially if more cases reach court with on‑chain evidence attached. For now, Cenckiewicz’s charge is a warning shot, not a verdict. It highlights an uncomfortable reality for policy makers: the EU’s defenses against hybrid threats will be only as strong as its ability to police the gray zones where statecraft, crime and code meet.

What comes next? Expect Brussels to push member states to fully implement new anti‑money‑laundering standards, to expand information‑sharing through Europol and the European External Action Service, and to increase funding for specialized blockchain analytics within national police. NATO allies are likely to deepen maritime and air surveillance around critical nodes, while courts in several countries move forward with sabotage cases that may, for the first time, surface detailed financial forensics. Those cases—rather than press statements—will be where the question of which tokens, which wallets and which intermediaries were used is settled.

Context: What is Tether and why does it matter?

Tether’s USDt is a “stablecoin” designed to track the US dollar. Its scale and liquidity make it a default instrument for many lawful traders—and, according to multiple law‑enforcement assessments, for some illicit actors who prefer a dollar‑like token that settles instantly across borders. Unlike privacy coins, USDt circulates on public blockchains and the issuer can freeze addresses, which has aided investigations. But its ubiquity on lightly regulated exchanges and peer‑to‑peer markets also makes it attractive for quick payouts to disposable proxies. Poland’s allegation does not name a specific token. However, investigators across Europe say stablecoins feature prominently when covert operators need fast, small‑value transfers with global reach.

Sources and further reading

• Financial Times — “Russia pays Europe’s saboteurs in crypto, says Polish official,” Oct. 13, 2025. https://www.ft.com/content/21579555-bf32-4b22-930d-79387bfe8817

• Reuters — “Russian hybrid warfare could leave Europe’s energy consumers in the cold,” Oct. 13, 2025. https://www.reuters.com/business/energy/russian-hybrid-warfare-could-leave-europes-energy-consumers-cold-2025-10-13/

• Reuters — “Sanctioned Russian crypto exchange suspends services as Tether blocks wallets,” Mar. 6, 2025. https://www.reuters.com/technology/sanctioned-russian-crypto-exchange-suspends-services-tether-blocks-wallets-2025-03-06/

• The Guardian — “These people are disposable: how Russia is using online recruits for a campaign of sabotage in Europe,” May 4, 2025. https://www.theguardian.com/world/ng-interactive/2025/may/04/these-people-are-disposable-how-russia-is-using-online-recruits-for-a-campaign-of-sabotage-in-europe

• Economist 1843 — “How Tether became money‑launderers’ dream currency,” Jul. 4, 2025. https://www.economist.com/1843/2025/07/04/how-tether-became-money-launderers-dream-currency

• RFE/RL — “Report: Russian Sabotage Operations In Europe Have Quadrupled Since 2023,” Aug. 20, 2025. https://www.rferl.org/a/russia-sabotage-europe-hybrid-attacks/33508179.html