Strategic coherence is the most powerful tool we have for cyber proxy accountability


States are increasingly turning to cyber proxies – whether ideologically aligned hacktivists, commercial enablers, or cyber mercenaries – to advance geopolitical objectives. Their appeal is clear: they expand a state’s cyber reach and are difficult to attribute. But as proxy activity grows, tools for responding have lagged behind. 

Some efforts to disrupt cyber proxy activity have been successful, such as the 2025 international Operation Eastwood, which produced arrest warrants for seven suspected members of NoName057(16), the pro-Russian hacktivist group behind numerous DDoS attacks against NATO-aligned targets. There have also been successful efforts to disrupt the broader ecosystem: Operation Cronos, an international taskforce led by the UK’s National Crime Agency, dismantled LockBit – one of the largest ransomware-as-a-service groups – in 2024, seizing servers, freezing cryptocurrency accounts, and exposing its administrator.

The accountability gap

However, these tactical successes have not translated into long-term strategic impact. The enabling ecosystem – bulletproof hosting, cryptocurrency exchanges, and commercial offensive cyber tools – largely persists, and proxy groups still flourish. Sanctions can impose real costs and send a political signal that proxy activity has consequences, but most sanctioned individuals hold few assets in Western jurisdictions, and actors are adept at absorbing and adapting to pressure. 

Law enforcement, sanctions authorities, intelligence agencies, and diplomatic services do coordinate operations, but often in a somewhat fragmented way. Takedowns can happen without preserving evidence for prosecution. Sanctions are sometimes imposed without synchronised operational disruption. The result is that each instrument too often delivers its effect in isolation, and proxies exploit the gaps.

International law generally focuses on states rather than non-state actors, and has limited means of enforcement. Attribution thresholds under the Articles on State Responsibility are high; neither mere tolerance of proxy activity nor financial support is sufficient to hold a state legally responsible. The power of the five permanent members of the UN Security Council (including Russia) to veto substantive council decisions curtails its ability to act. As a result, proxy activity falls within a ‘normative safe zone’: not quite lawless, but sufficiently ambiguous to limit accountability. States sponsoring or turning a blind eye to malicious cyber activity have shown no inclination to abide by the due diligence principle, which holds that states should not knowingly allow their territory to be used for malicious cyber activity. The current framework does little to hold them to account.

Cyber proxies in practice

Russia’s war on Ukraine provides the most extensive display of proxy-enabled cyber conflict at scale. Since the full-scale invasion in 2022, the impact of Russian-linked proxies has been multipronged. At the tactical level, groups like Killnet and NoName057(16) launched sustained DDoS campaigns against Ukraine and its allies, often coinciding with sanctions announcements and military aid decisions. At the operational level, groups like From Russia With Love deployed ransomware against Ukrainian defence logistics and state agencies, primarily aimed at disruption. At the strategic level, the Doppelganger influence operation cloned major European news outlets to disseminate fabricated anti-Ukraine narratives to erode trust and amplify Russian messaging beyond the battlefield.

Cyber proxies are also a significant feature of the current US-Israel-Iran conflict. In June 2025, Israel-linked hacker group Predatory Sparrow targeted Iran’s banks in the aftermath of the US and Israel’s attacks on Iranian nuclear facilities. When US strikes on Iran began on 28 February 2026, American cyber forces disrupted Iran’s ability to ‘see, communicate and respond’. Iran hit back through state-linked operatives that had quietly positioned themselves inside US and Israeli networks and through louder hacktivist proxies targeting US critical infrastructure and companies (including the US medical technology firm Stryker, which on 11 March 2026 suffered a major wiper attack, for which the Iranian hacker group Handala has claimed responsibility).

Other states, such as China, have a more decentralised contractor model, with companies such as I-soon supporting state cyber operations, though the state-proxy link is arguably harder to trace.

The case for strategic coherence

How can this accountability gap be plugged? Our new research paper for Chatham House frames accountability as two mutually reinforcing instruments: disruption, which degrades proxy capabilities in real time, and cost imposition, which uses legal, financial, and reputational pressure to constrain future operations. Reinforcement is essential: when a takedown happens without sanctions, proxies reconstitute. When sanctions happen without operational disruption, actors adapt. The two must work in concert. But disruption and cost imposition only produce meaningful accountability – and, ultimately, deterrence – within a sustained, coordinated strategy that establishes predictable consequences and shapes adversaries’ long-term calculus.

In our report, we set out nine recommendations to systematically address the gap, from building the operational capacity to degrade proxies’ capabilities to approaches for multilateral governance. Three of those recommendations follow:

Recommendation one: establish a standing minilateral coordination cell 

Like-minded states – the US, UK, EU member states, Australia, Canada, Japan, and others – already coordinate through efforts such as joint attribution statements, the Counter Ransomware Initiative, and Five Eyes intelligence sharing. But these arrangements remain insufficiently integrated across legal, operational, and diplomatic domains. A standing mechanism is necessary to synchronise sanctions designations, criminal prosecutions, and disruption operations in real time. When a takedown happens, this mechanism should trigger the simultaneous preparation of sanctions, ensure the preservation of evidence for prosecution, and coordinate diplomatic messaging. Operation Cronos came closest to this model. It should become the rule rather than the exception. That requires institutional design, not just operational goodwill.

Recommendation two: move public-private cooperation from informal to formal

Close coordination between government agencies and private sector entities – particularly companies such as Microsoft, CrowdStrike, and Mandiant – is already fundamental to threat intelligence, attribution, and disruption operations. But these arrangements are largely voluntary and inconsistent. Clearer rights-respecting frameworks would set out expectations for companies, covering evidence sharing, takedown cooperation, and infrastructure obligations. The Cyber Intelligence Extension Programme between Europol and Microsoft points in the right direction. For companies that persistently refuse cooperation, states should be prepared to impose consequences: loss of government contracts, public disclosure of non-cooperation, or, in serious cases, sanctions designation.

Recommendation three: connect the cyber agendas of the UN’s First and Third Committees 

Cyber proxies fall between the cracks of the two UN processes most relevant to their activities. The First Committee addresses cybersecurity governance and state behaviour; the Third Committee addresses cybercrime activities. Proxies are too state-linked to be treated as pure crime, yet too criminal to be clearly attributable as state action – and the two committees rarely speak to each other. Adversaries exploit this structural accountability gap. Like-minded states should push for joint studies, for instance through UNIDIR, examining how obligations to prosecute cybercrime intersect with obligations to prevent territory from being used for malicious cyber operations. The UN’s First and Third Committees are the only spaces where allies and adversaries sit at the same table, which makes bridging them, however difficult, strategically indispensable.

The equation can change

Strategic coherence does not require new institutions, perfect international consensus, or waiting for better conditions. The evidence from successful efforts shows it is already achievable within existing frameworks, with existing partners.

What all three recommended strategies require is a deliberate shift from reactive, incident-driven responses to a sustained strategic objective pursued consistently across tools, sectors, and jurisdictions. Proxies have thrived in the gaps that fragmentation creates. Closing those gaps does not need a revolution in international cooperation. It requires political commitment to use what already exists – together, consistently, and before the next escalation makes the cost of inaction impossible to ignore.