EaP Think Tank Network
Countering Hybrid Threats: Lessons from Eastern Europe

Russia’s ongoing interference in the EU’s Eastern Neighborhood threatens the stability of societies and institutions. It aims to prevent reform processes and hinder EU enlargement. States in this region were forced to adapt to constant pressure and have learned valuable lessons about resilience. As Russia expands its influence operations to the rest of Europe, the EU and its member states would benefit from integrating these learnings into a proactive approach against hybrid threats.

Please download the PDF version to access all Input Papers and citations. 

Societies across Europe have been experiencing foreign interference and increasingly aggressive hybrid warfare for several years now. Through hybrid threats, actors such as Russia aim to undermine and weaken democratic institutions. Especially in the EU’s Eastern Neighborhood, Russia has exploited the legacy of weak governance and low trust in elected officials for decades. It weaponizes infrastructure and energy dependencies. Yet, countries in this region are fighting hybrid threats and defending their institutions – by attributing and responding to them more quickly, raising the costs for Russia, and bringing civil society on board. Featuring examples from the region, this report helps ensure that their best practices can be transferred and EU countries can learn from their experiences.

Russia’s Hybrid Threats Toolkit

Russia’s war against Ukraine and the fundamental shift of US foreign policy under President Donald Trump have changed the security reality in the EU’s Eastern Neighborhood. While Russia has lost much of its direct political influence and hegemony in the region, it remains present by increasingly meddling in the domestic politics of Moldova, Armenia, and Georgia with hybrid instruments. In Ukraine, Russia asserts its presence through military and non-military tools that go hand in hand. For Russia, using a hybrid toolkit to achieve its goals is cheaper and easier to deny than military aggression. Hybrid measures take longer to attribute and keep targeted states under constant pressure, weakening their institutions.

Hybrid attacks are waged across different domains, taking the form of disinformation campaigns, cyberattacks, and acts of sabotage. All are intended to serve the same purpose: weakening governmental institutions in the countries they target and preventing reforms. To this end, Russia aims to keep countries in the EU’s Eastern Neighborhood in the so-called gray zone – a state of conflict or competition that exists between conventional peace and open war – with funding that is mostly channeled through illicit financial flows.

Learnings from Three Types of Hybrid Interference in Eastern Europe

There is constant innovation of hybrid tools. While EU member states are slow to adapt, countries in Eastern Europe – which have more experience dealing with Russia – are more agile. They are learning to be a step ahead in, for example, identifying loopholes against cyberattacks or how cryptocurrency is used to circumvent financial regulations and sanctions.

Below, we examine three types of hybrid interference used by Russia and the lessons we can learn from responses by Eastern European countries to them.

1. Exploiting Emotions and Insecurities to Stoke Fear and Nostalgia

Narratives spread by Russia-linked proxies cover a wide range of issues that are sensitive for societies in the EU’s Eastern Neighborhood. In particular, these narratives target vulnerable groups by appealing to their fears and insecurities. One of the most common of them focuses on perceived lack of sovereignty and overreliance on the EU. Others that resonate strongly include fears about the spread of war (in Moldova and Georgia), as well as general concerns about security and territorial integrity (in Armenia) and corruption and the untrustworthiness of government (in Ukraine and Moldova).

The increased use of social media as a news source allows such narratives to spread widely. The use of AI-generated messages and videos multiplies posts on social media exponentially, making content seem personalized and original.

The bot networks that operate to spread these messages are often the same for different countries in the region. The majority of Russian bot networks that operated in Moldova during its elections also operated in Russian and Ukrainian Telegram channels, including in occupied Ukrainian territories. While disinformation is easily amplified through social media, hybrid interference also relies on controlling traditional media and recruiting local or religious actors to act as proxies.

Armenia’s upcoming parliamentary elections – expected to be held in early June – are the next target for Russia to exploit Armenian grievances. Russian-launched narratives will portray the EU and the West as colonial powers with decaying values, especially targeting the country’s pro-EU prime minister, Nikol Pashinyan. Also, Russia often weaponizes the economy and energy. Because Armenia is economically dependent on Russia, it is particularly vulnerable to its influence there. Another Russian tool that could be used is investing in different political parties with different ideologies, swaying votes from the reform-oriented parties.

In Georgia, the Georgian Dream (GD) party has relied on a campaign that sows fear of war among the population. It has erected billboards portraying bombed Mariupol that imply the same could happen in Georgia if another government is elected. As the Georgian campaign is similar to one used in Russia, it shows how authoritarian actors learn from each other. Georgian Dream also relies on social media. Bots operating on Telegram and Vkontakte, the largest social media network in Russia and several other countries in the region, were especially active in the run-up to Georgia’s parliamentary elections in October 2024. At that time, 70 percent of bot comments referred to the Russian war in Ukraine as a warning; they also highlighted the risks of the West meddling in Georgian politics. Narrative-wise, the opposition failed to address the population’s war fears. Their campaigns did not resonate with the whole of society.

Lessons to Learn from Moldova

Measures taken in Moldova around the parliamentary elections in September 2025 prove that such negative narratives can be countered successfully. The Moldovan government and civil society shifted toward spreading positive narratives, communicating what the country stands for and not only what it rejects. They also shifted their focus to pre-bunking, which has proven to be more effective than pure debunking. Building a positive narrative and focusing on the achievements of Moldova-EU relations helped to build hope. EU support emphasized that Moldova will not be left alone.

Moldova’s strength has been its ability to involve society in the process of countering electoral interference. Moldova addressed Russian interference in multiple sectors through cooperation among different actors, including law enforcement, the justice system, civil society, and independent media. Investigative journalists infiltrated the networks financed by the sanctioned Moldovan oligarch Ilan Shor, who resides in Russia, and publicly disclosed the schemes.

One message that the Moldovan authorities communicated consistently centered around the concept of a militant democracy, which is defined by “the use of legal restrictions on political expression and participation to curb extremist actors in democratic regimes.” While there is debate about how democratic this concept truly is, it – coupled with the fear of Kremlin interference – was a strong mobilizing factor for the September 2025 elections. It led to a strong victory of the governing party, PAS, despite the resources invested by Russia.

2. Exploiting Loopholes for Illicit Financial Flows

Russian hybrid operations are mostly funded through illicit money. In Moldova, significant funding was channeled through the sanctioned Moldovan oligarch Ilan Shor. In 2024, Moldovan authorities seized the equivalent of $1 million in cash – approximately €843,000 – from individuals returning from meetings with Shor in Moscow. Overall, it is estimated that Russia invested €200 million to influence the 2024 elections. For the 2025 parliamentary elections, Russia invested approximately €350 million, around 2 percent of Moldova’s GDP. This increase highlights the rising costs for Russia to exert its influence. As Russia’s messaging resonates less with the Moldovan population and the costs of interference increase, it must invest more to participate in electoral corruption.

During the 2025 parliamentary elections, illicit money transfers were mainly done using cryptocurrency. However, the digital footprints left by cryptocurrency helped trained investigators to trace and unravel criminal networks – one confiscated wallet alone contained more than €1 million. After the elections, Moldova’s Security and Intelligence Service (SIS) recommended introducing additional legal regulations around cryptocurrencies, which are currently being drafted and discussed in parliament. Recently, it was revealed that Shor’s cryptocurrency company is associated with a business in Budapest, highlighting potential implications for Hungarian elections.

The breakaway region of Transnistria remains a major blind spot for Moldovan authorities. Banks operating there are tied to Russia and non-sanctioned. The territory and its electricity supply are used for crypto mining centers, resulting in complete opacity of the financial flows inside that region.

In terms of the use of illicit funds to pay for acts of sabotage, it should be noted that there is a trend away from using trained Russian operatives for such activities to a “gig-economy” sabotage model. This is especially true in EU member states. Ordinary citizens, often Ukrainian or Belarusian nationals, are recruited through online job platforms to serve Russian security interests and undermine support for Ukraine. Sometimes, even those carrying out larger acts of sabotage are not aware of who they work for. Other times, targeted people are tasked with smaller assignments such as photographing critical infrastructure or monitoring security. They are mostly driven by personal economic need rather than ideological ambition.

Lessons to Learn, Especially from Moldova and Ukraine

Across the EU’s Eastern Neighborhood, but particularly in Moldova and Ukraine, law enforcement, investigative journalists, and international partners have adopted the “follow the money” principle, which helps attribute hybrid activities to Russia.

A key lever for success lies in taking concrete steps to stop the money flows that enable malign actors to pose threats against public institutions and civil liberties. This entails investing in up-to-date monitoring and investigative capabilities, as well as the political commitment to continuously update legal frameworks at the national and international level that allow law enforcement bodies to operate as fast and as stringently as necessary. Understanding the use of cryptocurrency and cooperating with private actors in this field can also be beneficial. Proactive legal action and assertive attribution would help countries across Europe to not be trapped in the ambiguous gray zone that characterizes hybrid warfare. In the run-up to elections, when foreign interference can be expected, coordination and engagement with social media and blockchain companies is key.

While it is impossible to stop all illicit financial flows, raising the costs and risks of interference can significantly hamper an adversary’s success rate. Crucially, any legal and institutional loopholes that malign actors continue to exploit should be closed. Available tools include fines for passive corruption and stricter laws related to campaign funding, as well as exposing and investigating those involved in electoral corruption. Curtailing illicit financial flows is a powerful way for governments to demonstrate that the rule of law is functioning.

3. Targeting Cyber and Infrastructure Domains

Cyberattacks often precede or accompany other hybrid attacks to exploit known and unknown vulnerabilities. In the cyber field, Ukraine is at the forefront of Russian attacks – in 2025, 25 percent of Russia’s cyber operations targeted the country. However, despite the increased number of attacks, the number of critical incidents has decreased. Ukraine has significantly improved its defense capabilities, including through the IT Army of Ukraine and public-private partnerships. Ukraine’s bill to create a dedicated military cyber branch further emphasizes the importance of tackling ongoing cyber threats.

In Moldova, cyberattacks have become a major challenge since 2022, particularly around elections. The number of cyber incidents rose from 173 in 2018 to more than 1,340 in 2024. On the day of parliamentary elections in 2024 alone, the Moldovan Central Election Commission (CEC) experienced a series of concentrated, high-volume distributed denial-of-service (DDoS) attacks, with more than 898 million malicious requests directed at the CEC. Yet the CEC website was able to withstand the attacks thanks to earlier risk assessments and swift reactions.

Lessons to Learn from Moldova

Resilient digital infrastructure and sufficient resources for cybersecurity are important, but the “human factor” is similarly, if not more, relevant. Best practice standards need to be understood and implemented by state employees at all levels; therefore, they require well-designed training. The demand for training provided by international partners should be beneficiary-driven and address long-term structural questions. It must offer sustainable opportunities to improve the resilience of institutions instead of providing easily implementable and measurable exercises from the perspective of donor organizations – as was previously too often the case in Moldova.

Another crucial factor is ensuring cooperation among different actors, including state-run and private companies, with support from the international community and cyber experts. Moldova’s response increasingly relies on a multisectoral model: legislative measures, education, technical capacity, staff retention, and coordination with local authorities.

Conclusions and Recommendations

At a time when Europe finds itself threatened by increasing hybrid warfare, the development of both expertise and capabilities to defend its democracies is lagging. Countries like Ukraine and Moldova, which have long experience dealing with Russian tools and adapting to them, can provide lessons on how to identify and respond to Russian interference. The aim should not be to replicate the same responses, but rather to work together to recognize vulnerabilities that can be exploited and close existing loopholes.

An initiative like the European Democracy Shield is useful. Yet, it needs to better integrate lessons learned from Eastern Europe and provide a more robust enforcement mechanism to avoid becoming a merely consultative body. Moreover, the EU must deliver on its enlargement promise to remain a credible actor in its Eastern Neighborhood.

In particular, national governments have the opportunity to push for joint European initiatives to improve and harmonize regulations about foreign interference while they simultaneously coordinate (and finance) subnational and private actors to focus on the practical elements of resilience, e.g., infrastructure protection or support for disenfranchised groups of the population. A strong EU framework – as well as further development of central coordinating hubs such as the European Centre for Democratic Resilience – will be key to countering transnational networks responsible for foreign interference.

Moving forward, it will be crucial to overcome feelings of helplessness and instead mobilize decision-makers for the joint effort of preserving liberal democracy. The success of democratic, pro-European forces in the two recent Moldovan elections should serve as positive examples of what is possible when the relevant international and local actors come together with a common goal and clear political priorities. Improving resilience against hybrid threats is achievable if the effort is supported by sufficient resources and sustained attention.

Anastasia Pociumban, Ricarda Nierhaus
