top of page

Intel Report: Russian armed personnel in European waters

  • gregorio46
  • 10 minutes ago
  • 9 min read

Date: 05/12/2025



ree


Executive Summary

During 2025, reports have been made indicating the presence of uniformed, armed personnel (likely Russian-associated) aboard civilian vessels thought to be part of the vast Russian ‘shadow fleet’ comprising ageing, uninsured oil tankers and cargo vessels registered under flags of convenience and with deliberately confusing ownership structures. These uniformed personnel serve intelligence, surveillance, and command-and-control functions aboard vessels operating in the North Sea, Baltic Sea, and in proximity to critical energy and telecommunications infrastructure. 


This development represents an escalation in Russia's hybrid warfare operations, transforming the shadow fleet from a sanctions-evasion mechanism into an active military intelligence platform with direct implications for North Sea-dependent economies. For North Sea littoral states, this poses an immediate and evolving threat to critical undersea cable infrastructure, offshore energy operations, port security, and maritime commerce. The presence of armed military personnel aboard civilian vessels in European waters, combined with documented drone operations taking place throughout European territory and the use of shadow fleet vessels to damage undersea cables, indicates Russia is preparing for potentially coordinated hybrid attacks on critical European infrastructure.



Details

Who

Highly likely Russian military personnel (reportedly identified as wearing Russian Navy camouflage uniforms); embedded on civilian shadow fleet oil tankers registered under flags of convenience (Panama, Gabon, Comoros, Liberia, etc.); protected by Russian military air assets.

What

Armed personnel installed aboard civilian merchant vessels; observed photographing bridge passages and critical infrastructure during transits; exercising authority over international crews; intimidating maritime pilots and foreign crew members; gathering intelligence on European maritime infrastructure and critical facilities.

Where

  • Baltic Sea (primary focus).

  • North Sea, especially critical infrastructure choke/crossing points. 

  • Danish waters (routes transiting through Øresund Strait and Great Belt).

  • Approaches to German, Polish, Lithuanian, Latvian, and Estonian ports.

  • European Exclusive Economic Zones (EEZs).

  • Approaches to critical oil transfer facilities, LNG terminals, undersea cable landing stations, and port infrastructure.

When

  • July 2025 – DanPilot reports uniformed personnel observations.

  • August 2025 – Swedish Herald reports of spying on Danish critical infrastructure by shadow fleet personnel.

  • September–November 2025 – Further Danwatch investigations.

  • November 2025 – DanPilot confirms pattern of uniformed personnel sightings; ongoing through December 2025.

Why

Intelligence gathering: Russia deploying military observers to map port infrastructure, piloting procedures, security gaps, critical facility locations, NATO military response Tactics Techniques Procedures (TTPs).

Crew control: Maintaining operational security and preventing crew defections or reporting of irregular activities.

Intimidation: Demonstrating Russian state control and deterring pilot cooperation with European authorities.

Diversifying of recent hybrid warfare: Extending Russia's intelligence collection and sabotage preparation into European waters.

Political messaging: Signalling Russian willingness to violate international maritime law with near-total impunity.

How

  • Insertion of Russian military/state security personnel on board civilian ships as ‘ship's officers’ (particularly ‘second mate’ positions with de facto command authority, mirroring Soviet-era political commissar roles).

  • Use of false credentials and opaque crew manifests.

  • Operation under flag-of-convenience vessels with minimal transparency.

  • Coordination with Russian naval and air assets providing protective cover.

  • Exploitation of international crew diversity to conceal Russian personnel among mixed-nationality crews.



What happened?

  • Throughout 2025, several reports have documented an escalating pattern of almost certain Russian military personnel aboard Russian ‘shadow fleet’ vessels transiting European waters. Beginning in mid-2025 and intensifying through November, Danish investigative outlet Danwatch, in coordination with internal reports from DanPilot (Danish state pilotage service), identified seemingly uniformed Russian military or state security personnel embedded aboard civilian oil tankers operating under flags of convenience.

  • These uniformed personnel have been observed conducting apparent surveillance activities, namely photographing bridge passages and critical infrastructure during transits, and exercising command authority over international crews. Pilot reports and internal maritime authority communications indicated that this practice has become increasingly common, with multiple shadow fleet vessels now following similar patterns of embedding uniformed Russian personnel, particularly in senior crew positions such as "second mate" with actual command-level authority over the vessel and crew. These personnel conduct reconnaissance by taking photographs of areas of interest and are likely also able to conduct aerial reconnaissance through the deployment of small drones for surveillance. These tactics, refined during the war in Ukraine, are now being deployed throughout Europe to undermine European societal resilience against potential attacks on infrastructure.


 

Analysis: Why does this matter for government and businesses?


For North Sea Littoral State Governments


  1. Direct Escalation of Russian Hybrid Warfare in Sovereign and EEZ Waters


The placement of armed Russian military personnel aboard civilian vessels operating in North Sea waters represents an escalation beyond Russia's previous hybrid warfare tactics. This is no longer simple sanctions evasion or passive intelligence collection; it is an active Russian military presence conducting surveillance, infrastructure reconnaissance, and sabotage preparation in European waters, frequently within nations' Exclusive Economic Zones where legal ambiguity complicates response.


The concurrent deployment of Russian military aircraft to protect shadow fleet operations and systematic drone reconnaissance across German, Norwegian, Belgian, and Dutch territory indicates Russia has integrated the shadow fleet into a comprehensive European-wide hybrid warfare campaign combining maritime, aerial, and land-based intelligence collection and potential sabotage platforms.


  1. Challenge to Maritime Sovereignty and Legal Framework


Russia has demonstrated it can:

  • Insert armed military personnel aboard vessels in European waters with near-total impunity.

  • Conduct surveillance and intelligence gathering on European critical infrastructure.

  • Intimidate European maritime officials (pilots) without facing enforcement consequences.

  • Maintain operational security despite NATO monitoring.

  • Operate under flag-of-convenience vessels that complicate jurisdictional response.

  • Coordinate with Russian military assets (aircraft, naval vessels) providing direct protective cover.


This signals that North Sea littoral states lack coherent legal, operational, and political mechanisms to enforce maritime sovereignty against Russian hybrid operations.


  1. Convergence of Multiple Threat Vectors


The shadow fleet armed personnel operations are not isolated, rather, they operate in coordination with:

  • Systematic drone reconnaissance of military installations and critical infrastructure across European territory.

  • increasingly using proxy actors and online recruitment of third-country nationals to carry out sabotage and intelligence gathering in European nations.

  • Several cases of fibre optic cable sabotage throughout Europe since 2022.

  • Russian fighter jet operations in European airspace (Su-35 fly-pasts of Estonian naval vessels attempting to interdict the vessel, JAGUAR, Lithuanian airspace violation October 2025, several Russian drone incursions in Romanian and Polish airspace since 2022).

  • Several incidents since February 2022 are believed to have involved Russian shadow fleet vessels, or those of Russia’s allies, in undersea cable sabotage operations, with such activity necessitating the launch of NATO mission, OPERATION BALTIC SENTRY.

  • The YANTAR (IMO: 7524419) laser-dazzling incident targeting Royal Air Force (RAF, UK) aircraft over critical North Sea cable infrastructure in November 2025. 


This convergence suggests Russia is preparing for coordinated hybrid attacks combining maritime, aerial, cyber, and undersea elements to disrupt European critical infrastructure simultaneously.


  1. Threat to Critical North Sea Infrastructure Interdependencies


The North Sea contains:

  • Approximately 20+ critical undersea fibre optic cables carrying ~90% of North Sea region communications and transatlantic traffic.

  • Multiple energy interconnections and power transmission cables.

  • LNG terminal approaches and offshore oil/gas platforms.

  • Port facilities housing energy transfer terminals.

  • Maritime chokepoints (Øresund Strait, Great Belt) where all Baltic maritime traffic must transit.


These infrastructure systems are critically interdependent: disruption to one cascades across multiple sectors. A coordinated attack on cable landing stations in the Netherlands, Belgium, and UK combined with drone strikes on power distribution and port facilities could simultaneously disrupt communications, energy supply, and maritime commerce across the entire North Sea region and UK-Europe trade.


  1. Financing Russia's War and Intelligence Operations


The shadow fleet finances Russia's war effort to a significant degree. Russian military personnel embedded aboard shadow fleet vessels serve to:


  • Ensure operational security and optimize sanctions evasion efficiency.

  • Gather intelligence on European enforcement capabilities.

  • Pre-position personnel for future sabotage or attack operations.

  • Coordinate with other Russian intelligence and military assets.


This means allowing shadow fleet operations with impunity directly finances Russia's continued military operations in Ukraine and preparations for potential NATO conflicts.



For Critical Energy and Telecommunications Infrastructure Operators


  1. Intelligence Collection Targeting Facilities


Russian military personnel aboard shadow fleet vessels have been systematically photographing:


  • Port infrastructure and facility layouts at critical energy terminals.

  • Pilot procedures and maritime traffic management systems.

  • Security protocols and vulnerability gaps.

  • Undersea cable landing station approaches and infrastructure.


This intelligence will directly inform Russia's sabotage and target development planning. Given Russia's demonstrated interest in undersea cable targeting (YANTAR operations, GUGI capabilities, Baltic Sea cable incidents, etc.), the collection of North Sea port and cable facility intelligence suggests preparation for future attacks.


  1. Operational Vulnerability from Drone and Maritime Coordination


The documented pattern of:


  • Armed personnel aboard vessels gathering infrastructure intelligence.

  • Concurrent drone sightings near military and critical facilities across European territory.

  • Demonstrated Russian capability to launch drone operations from European-based recruits (via Telegram) or maritime platforms.

  • Russian military protection of shadow fleet vessels via fighter jets and naval assets.


These identified indicators can act as advanced warnings for several stakeholders. This activity suggests Russia is preparing for coordinated attacks combining maritime-based sabotage with drone strikes on land-based infrastructure. For North Sea operators, this means a single infrastructure disruption event could be accompanied by drone attacks on backup systems, power distribution, or personnel.


  1. Threat from Amphibious Drone Operations Originating from Shadow Fleet Vessels


The legal ambiguity surrounding vessels' freedom of navigation in EEZs creates an operational vulnerability: shadow fleet vessels can position themselves near critical infrastructure, disable AIS beacons, and launch drone operations into European territory with minimal risk of immediate interception. Key factors enabling this threat:


Drone range: Commercial and military-grade drones have varying ranges, with many being able to fly over 12Nm (22km), allowing launch from offshore vessels to target facilities kilometres inland.

  • Unverified cargo: Many ships' cargoes are not checked when transiting from Russian ports through European waters, meaning vessels could carry drone systems, explosives, other materiel without detection.

  • Vessel ID/ownership opacity: Opaque ownership and management structures make assignment of responsibility extremely difficult.

  • AIS spoofing/shutdown: Shadow fleet vessels often disable tracking systems (AIS; Automatic Identification System) and operate more covertly while positioning for operations. The vessel can also have its position artificially altered, showing it in a location where it currently is not.

  • Legal ambiguity: Foreign vessels enjoy freedom of navigation in EEZs, making it difficult to legally challenge their presence even when armed personnel are visible.


  1. Coordination with Land-Based Russian Recruitment Networks


Russia maintains networks across European territory of individuals motivated by financial needs ("useful idiots") recruited via social media and messaging platforms (Telegram) to conduct drone reconnaissance of sensitive sites. The October 2025 timing, when Putin laughingly stated he would not send drones into Europe, immediately followed by drone sightings over German military installations, suggests deliberate coordination between:


  • Maritime-based personnel and platforms (shadow fleet vessels).

  • Land-based reconnaissance networks (recruited European operatives).

  • Russian intelligence services coordinating operations.


This means attacks on North Sea critical infrastructure could be preceded by drone reconnaissance conducted by European-based operatives, with targeting data shared with Russian military and maritime assets, enabling coordinated strike planning.


  1. Cascading Failure Risk in North Sea Region


The interdependence of North Sea critical infrastructure means:


  • Disruption to undersea cables affects communications, energy control systems, and financial networks simultaneously.

  • Power system disruption affects port operations, LNG terminals, and offshore platform operations.

  • Port disruption affects energy exports, maritime commerce, and supply chains.

  • Coordinated disruption combining maritime sabotage with drone strikes could cascade across multiple interdependent systems.


A single well-planned, coordinated attack could simultaneously disrupt energy supply, communications, maritime commerce, and financial systems across the entire North Sea region. Moreover, if these events happened on the borders of littoral nations’ EEZs, significant delay could be seen whilst nations identify who is responsible for reacting to the incident and repairing damaged assets.




Conclusion

Incidents taking place throughout Europe such as arson, sabotage, and cyberattacks will almost certainly continue albeit at a slower pace given that European intelligence and security agencies are becoming more aware of these tactics. However, more attention is highly likely to be placed on exploiting the power the Russian state has over a vast and murky maritime fleet that allows it to navigate and evade the rigidity and slow bureaucratic nature of Western authorities’ responses.


The documented presence of armed Russian military personnel aboard shadow fleet vessels transiting North Sea waters represents an immediate and evolving threat to the security, sovereignty, and critical infrastructure of North Sea littoral states. This threat operates in coordination with drone reconnaissance operations across European territory, Russian military escort of shadow fleet vessels, and preparation for potential coordinated hybrid attacks on critical energy and telecommunications infrastructure.


The North Sea region is uniquely vulnerable due to:


  • Concentration of critical undersea cables and energy infrastructure.

  • Geographic interdependence creates cascading failure risks.

  • Legal ambiguity surrounding military activity in EEZs.

  • Fragmented European response mechanisms.

  • Russia's demonstrated operational skill and willingness to escalate.


However, North Sea littoral states possess legal, operational, and strategic tools to respond decisively if political will exists. UNCLOS (United Nations Convention on the Law of the Sea), MARPOL (The International Convention for the Prevention of Pollution from Ships), SOLAS (The International Convention for the Safety of Life at Sea), and national maritime laws provide authority to board, inspect, detain, and exclude shadow fleet vessels. NATO coordination enables unified threat response. Critical infrastructure operator participation enables security hardening and redundancy.


The narrow window of opportunity to establish effective enforcement and deterrence will close if Russia successfully integrates the shadow fleet as a routine presence in European waters. Acting decisively now is essential to defend North Sea sovereignty and critical infrastructure. Failure to act decisively can signal to Russia that shadow fleet armed personnel operations can continue with impunity, likely encouraging further escalation and increasing the risk of major incidents affecting European energy security, communications infrastructure, and maritime commerce.




bottom of page