OPINION — In the fall of 2021, an FBI informant received a chilling offer: $300,000 to assassinate former U.S. National Security Advisor John Bolton. The would-be hitman posed as a drug cartel enforcer. The client? Shahram Poursafi (a.k.a. Mehdi Rezayi) — a member of Iran’s Islamic Revolutionary Guard Corps (IRGC). Two years later, the U.S. Drug Enforcement Agency (DEA) uncovered an assassination plot targeting a U.S. citizen of Indian origin on U.S. soil. The plot was orchestrated by an Indian government employee who described himself as a “senior field officer” with responsibilities in “security management” and “intelligence,” and Nikhil Gupta, an international narcotics trafficker. These plots are not just far-fetched terror schemes, nor a mere aberration. They represent a glimpse into a darker playbook: sovereign states outsourcing political violence, intimidation, and destabilization to criminal intermediaries, cloaking their hands in the deniability of the black-market chaos.
The strategic use of criminals in geopolitics is neither novel nor exclusive to autocracies. From mafia boss Charles “Lucky” Luciano’s entanglements with U.S. Naval Intelligence in World War II to the CIA’s notorious dealings with gangsters in attempts to assassinate Fidel Castro, history is replete with pragmatic marriages of convenience of this nature. Yet, what distinguishes the current epoch is that these activities that were once peripheral, episodic, and transactional are increasingly becoming strategically normalized and globally diffused.
What we are witnessing is not a moral shift, but a strategic evolution – an expansion of that logic into a more deliberate practice of outsourcing intelligence and covert operations to non-state actors. In the gray zone — the murky space between peace and war — a growing number of states no longer merely tolerate criminal networks. Transnational criminal organizations (TCOs) have become covert instruments of statecraft that states are increasingly weaponizing to coerce, disrupt, and compete in the shadows. Far from incidental allies, TCOs now serve as force multipliers and structural scaffolding upon which these states build their gray zone campaigns, reshaping the global security environment. And their reach is expanding.
To be clear, not every act of violence, sabotage, or criminality is orchestrated by a state sponsor. TCOs often pursue their own agendas, operating autonomously, engaging in coercion, trafficking, and destabilization for profit or power. That is their nature. Relationships between states and such actors are neither transparent nor hierarchical, and the true extent of coordination, delegation, or intent is often difficult to trace. Nevertheless, the overarching trend is undeniable.
Associations between the state and TCOs reflect a more profound transformation in the architecture of power projection, namely the criminalization of statecraft. These alliances allow states to project power cheaply, deniably, and – at times – even effectively, while exploiting the legal and political blind spots of open societies. Operations that were once specifically the domain of state security and intelligence services are increasingly outsourced to cartels, traffickers, cybercriminals, transnational gangs, contract killers, and even unwitting useful idiots. Yet, the very deniability that makes these actors valuable also makes them dangerous. As states increasingly rely on TCOs for sensitive operations, they risk being dragged into confrontations they did not script – with actors they do not fully control.
Further muddying the waters is that states like Iran, Russia, and Venezuela are forming strategic alliances with terrorist organizations, such as the Houthis and Hezbollah. Each, like many other militant actors, engages in a spectrum of criminal activities to finance their operations, disrupt adversaries, and advance ideological or strategic goals.
The consequences of these affiliations are profound. The power, access, knowledge, and infrastructure that TCOs may acquire through these arrangements are not something they would willingly relinquish. Additionally, decades of overt and covert wars in theatres throughout Europe and the Middle East have given a host of violent non-state actors a wealth of lessons and insights into Western weapon systems, intelligence, combat capabilities, and operational vulnerabilities, as well as access to illicit underground infrastructure. Across Africa, Wagner-linked mercenaries provide regime protection and access to critical minerals, while Chinese companies secure infrastructure and market dominance. These lessons are likely to spread across shared networks, benefiting actors hostile to Western interests worldwide.
What emerges are the deepening relationships among authoritarian powers, TCOs, mercenaries, and terrorist organizations, exploiting weak governance, and eroding Western influence. While these may not be formal alliances, they represent a loose, resilient architecture of malign cooperation. The long-term corrosion of norms, institutions, and stability stemming from activities orchestrated by states through TCOs can have irreversible, lasting effects, particularly in instances where states have lost or lack control over actors they empower. In other words, once the genie is out of the bottle, putting it back may not be quite so easy. Therefore, understanding — and countering — the strategic use of criminal networks by states in international relations must become a central pillar of 21st-century Western security thinking.
Friends with Benefits and Their Tools
It would be an error to view the relationship between states and criminal networks solely as a byproduct of weakness, desperation, or decay. For some regimes, it is a deliberate feature of strategic design. The logic is indeed compelling. TCOs offer states global reach, operational flexibility, built-in revenue streams, and – most critically – an arm’s length deniability that insulates governments from direct blame. Whether the goal is to destabilize a rival, evade sanctions, project influence, or obscure state fingerprints from a brazen operation, these alliances provide scalable, adaptable tools of coercion.
The relationships between states and TCOs are neither hierarchical nor transparent. The mechanics vary widely, from deeply embedded alliances to tactical, one-off collaborations. Yet, across cases, the operational means appear to fall into three overlapping categories: logistical enablers, coercive subcontractors, and deniable disruptors. These roles are not static. They evolve in response to shifting geopolitical pressures and the relative strength or weakness of the state and the actor. Understanding these fluid dynamics is essential to grasping their long-term strategic consequence.
Logistical enablers provide the infrastructure for covert actions – they move cash, weapons, people, and information across borders and sanctioned regimes with speed and deniability and pad the black budget. North Korea, isolated by sanctions and global opprobrium, effectively bankrolls its regime through hacking, cyber heists, and smuggling — so much so that U.S. officials have described it as “a criminal syndicate with a flag.” In 2021, for example, the U.S. indicted three North Koreans affiliated with the military intelligence services, specifically the Reconnaissance General Bureau, in cyber-enabled heists on four continents, targeting over $1.2 billion. China-linked triads have been implicated in intimidating dissidents and journalists abroad while simultaneously laundering cartel proceeds through China.
Russian security services have long relied on mafia-linked facilitators to procure illicit goods, smuggle sanctioned materials, and manage dark-money flows through Europe’s financial hubs. In the UK, law enforcement recently disrupted a Russian TCO connecting Russian elites, crypto-rich cyber criminals, and UK drug gangs laundering money and reportedly channeling funds to Russian intelligence services. In Spain, law enforcement have documented how Russian mafia syndicates with ties to senior Kremlin figures were involved in arms deals, money laundering operations, and property purchases across Europe.
Coercive subcontractors carry out the dirty work and repression. These are not traditional intelligence agents developed and groomed for extended periods, but rather expendable enforcers with local knowledge or operational reach. Tehran has for decades been honing its coercive use of transnational criminals and terrorist actors to subvert, surveil, harass, abduct, and assassinate dissidents or defectors abroad. Its use of TCOs is more punitive – a blend of deterrence and revenge characterized by persistence and unpredictability. In 2021, U.S. authorities uncovered what they said was an IRGC-orchestrated plot to abduct a U.S.-based Iranian journalist, relying on members of an Eastern European crime syndicate with links to Iran. Tehran, according to the British Home Secretary, is “increasingly using proxies, violent thuggish proxies … very elusive, quite sophisticated, very brutal European-wide gangs who don’t obviously have a connection or a sympathy or a natural allegiance to the Iranian regime and those global criminal networks are conducting assassinations around Europe … .”
In 2016, the U.S. intelligence community assessed, with a high confidence level, that the Russian Government would continue to use intelligence services and “other loyal entities” to assassinate suspected terrorists and those deemed threats to the regime abroad. In 2019, for instance, German and U.S. intelligence agencies assessed that Zelimkhan Khangoshvili, a Georgian-Chechen exile, was assassinated in Berlin by Vadim Krasikov, a contract killer with ties to the Russian FSB. Maksim Kuzminov – a Russian pilot who, to Moscow’s chagrin, defected to Ukraine in 2023 – was assassinated in Spain in February 2024 by two killers the Spanish police believed were professional contractors, possibly organized crime. Kuzminov was shot six times and run over by a car, which was later found torched.
Even India has allegedly adopted the playbook, emulating these revisionist states’ tactics to target dissidents abroad.
Deniable disruptors specialize in chaos. They are agents of confusion, subversion, sabotage, and influence, blurring the line between criminal and intelligence activities and covert action. The Kremlin has been using mobsters, mercenaries, terrorists, and cybercriminals to destabilize governments, sow chaos, and wage war by proxy for decades. A high-profile trial in the UK revealed a web of private spies and an espionage supply chain run by Jan Marsalek, the fugitive former COO of Wirecard and a freelance broker for Russian intelligence services. They bugged vehicles, cloned IDs, surveilled NATO military installations in Germany, and targeted people for assassination.
In the Tri-Border Area of Paraguay, Brazil, and Argentina, Hezbollah, which serves both as a proxy and a service provider, has entrenched itself in lucrative narcotics and contraband markets, according to U.S. and regional authorities. Hezbollah’s presence in the Western hemisphere presents a persistent and underappreciated security risk to the United States and its regional interests.
The IRGC and Hezbollah are also accused of involvement in the production and distribution of narcotics, such as captagon, primarily trafficked across the Levant and into Gulf states. The flooding of the Saudi market with this narcotic serves not just as a lucrative revenue stream but also as a form of irregular pressure – a means to destabilize and weaken a rival through non-military means. History is replete with examples in which a state weaponized narcotics. While the new Syrian leadership may claim to have intensified efforts to stem the captagon production and smuggling, it would be naïve to assume that this estimated annual global trade worth $10 billion will simply perish.
Beijing’s approach is multitiered. Its opaque partnership with triads and money launderers enables economic and social coercion, diaspora surveillance, and synthetic drugs production on a global scale. Speaking about the triad’s role in Hong Kong in the 1990s, a Chinese official explained that Chinese “security organs” had “broad links and ties with different strata in society, including such groups.” In one U.S. Treasury investigation, the notorious 14K triad – whose former leader in Macao, Wan Kuok Koi is affiliated with the Chinese Communist Party – was implicated in cartel money laundering and billion-dollar so-called “pig butchering” scams — sophisticated crypto investment frauds. In the Mekong River region, Chinese criminal groups controlling drug trafficking routes have been associated with political influence efforts that align with Beijing’s growing regional ambitions.
Meanwhile, some states focus their efforts more regionally. Serbia, Venezuela, and Turkey, for example, are all accused of relying on criminal organizations to project power, intimidate and attack regime critics, preserve regime control, and undermine rivals. Yet, even regionally confined activities can easily metastasize into broader strategic patterns, with global consequences.
What emerges is not just an opportunistic alignment but a pattern of calculated, strategic synergies. In what might be called a form of strategic parasitism — borrowing from Robert Cox’s notion of “parasitic symbiosis” to describe exploitative relationships between state power structures and illicit actors — states increasingly exploit criminal networks not necessarily through command-and-control, but through informal, deniable, and mutually opportunistic relationships.
Countering Criminalized Statecraft
The West's inability to confront the criminalization of statecraft stems not merely from a lack of resources or legal limitations but from conceptual ones. Western governments are equipped to fight conventional wars, prosecute criminals, and sanction rogue states and individuals – but not all at once or in unison. Today’s adversaries exploit this rigidity. The U.S. intelligence community’s declassified 2025 Annual Threat Assessment makes no mention of the synergies between major adversaries – Russia, China, Iran, or North Korea – and transnational criminal networks in international relations, although all are referenced separately. The British Government inquiry into state threats also noted that it was not clear whether the Government’s strategies were aligned or who was responsible for addressing these threats, and that the government was over-complicating its structures and strategies.
TCOs are not simply criminal enterprises. When backed or tolerated by hostile regimes, they become covert instruments of state power – force multipliers that move money, arms, people, and data across borders with deniability, capable of manipulation, subversion, and systematic destabilization. They are harder to detect than proxies and harder to deter than state actors. TCOs are also more volatile. Their motivations – profit, reputation, survival, power – do not always align with those of their sponsors.
Countering this kind of threat requires a new strategic logic. That means rethinking national security architecture, expanding the scope of deterrence, and targeting entire ecosystems rather than just specific criminal actors to blunt the impact of criminalized statecraft.
1. Rethink National Security Architecture
Intelligence, law enforcement, financial regulators, and diplomats must treat TCOs not merely as security nuisances but as vectors of geopolitical competition and foreign influence in the gray zone. This calls for specialized interagency task forces. Post-9/11 counterterrorism fusion centers offer a useful model: real-time intelligence sharing, multi-domain targeting, and a unified strategic mission.
2. Strengthen Attribution and Exposure
Governments should consider lowering the attribution threshold for hybrid attacks involving criminal actors. While courtroom-level evidence remains ideal, waiting for a “smoking gun” in the gray zone is strategically self-defeating. Intelligence-based attribution — acknowledging publicly when criminal operations serve state interests, even absent smoking-gun evidence — should become a norm. Naming, shaming, and strategic leaks can impose reputational costs, disrupt ongoing operations, and shape public awareness. Exposure itself is a deterrent.
3. Disrupt the Enablers
Target state-criminal alliances as continuing criminal enterprises — even when cloaked in diplomatic immunity or sovereign cover — and the financial and logistical infrastructure that sustains the collaboration. Go after arms brokers, crypto facilitators, money launderers, and logistics nodes – accountants, lawyers, real estate facilitators, and shell firm registrars that provide infrastructure – rather than just the gangsters caught red-handed. “Sanctions 2.0” should hit entire ecosystems, making it more disruptive and harder to evade.
4. Develop a Counter-Gray Zone Strategy for Criminalized Statecraft
The fusion of state and criminal power demands a coherent doctrine for gray zone competition — one that addresses the strategic logic behind criminalized statecraft. Such a strategy should include: i) preemptive disruption through offensive cyberspace and counterintelligence operations to infiltrate and degrade the networks that states use to mobilize criminal actors; ii) cognitive deterrence that signals that the use of criminal proxies will trigger asymmetric responses — including economic retaliation, digital sabotage, and exposure campaigns; iii) doctrinal codification that formally acknowledges and outlines how democracies will interpret and respond to covert criminalized aggression.
5. Shift the Strategic Narrative
Autocracies weaponize ambiguity. Democracies must weaponize exposure. Reframing criminal actors as pawns of authoritarian strategy, not isolated actors, delegitimizes them in both political and criminal ecosystems. The narrative shift transforms them from feared villains to manipulated patsies, disrupting networks and diminishing their influence. Elevating this issue at the G7, United Nations, NATO, and other global forums — and building norms around the non-weaponization of crime — can help efforts to stigmatize and delegitimize the practice.
The bottom line is that countering criminalized statecraft is not merely a matter of policing crime or naming villains. It requires a strategic overhaul of how the West conceives of foreign intelligence activities, power projection, and geopolitical rivalry. In this new kind of geopolitical game, crime-as-statecraft must become costly, exposed, and ultimately, strategically self-defeating. If liberal democracies fail to adapt, they risk ceding the gray zone to regimes that have learned to fight wars not with soldiers or diplomats, but with gangsters, fixers, ghosts, and the “little green men.”
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.