EMET NEWS PRESS

Analytical Framework: From the Agent Model to the Proxy Model

Methodological note: the distinction drawn here between an "agent model" and a "proxy model" is an analytical framework used in this report, not an established doctrinal category. Cut-outs, non-official-cover structures, and "agents of influence" have been part of intelligence practice and literature for decades. The shift described here concerns primarily scale, recruitment channels (encrypted messaging, gig-economy platforms, ideological online milieus), and a growing tendency to outsource to criminal networks — not the emergence of a categorically new form of operation.

With that caveat, the "proxy model" can be characterised as follows: hostile states increasingly draw on disposable, transactionally recruitable intermediaries — criminal networks, individuals hired online, members of extremist milieus — to carry out surveillance, intimidation, sabotage, or violence. Operational effect: increased deniability, a lowered threshold for action, and complicated attribution. For security agencies, this shifts the boundary between ordinary law enforcement and national-security response — closing that gap is the stated purpose of the new UK legislation.

UK Legislation: 

The National Security (State Threats) Bill 2026

Primary source: GOV.UK factsheet of 9 June 2026. The bill criminalises support for and funding of designated proxy organisations of hostile states, with penalties of up to 14 years' imprisonment. It extends the offence framework of the National Security Act 2023, allowing designated proxy groups to be treated legally in a manner comparable to a foreign intelligence service.

Justification as stated by the UK government (self-reported, not independently verified): MI5's state-threats investigations rose by roughly 35 percent year on year; around 20 potentially lethal, Iran-linked plots were tracked in the same period. States named by the UK government as using proxies: China, Russia, Iran. This attribution rests on a single source (the UK government) and is not confirmed by an independent third party.

The 22-Nation Statement of 10 June 2026: Condemning Iranian Proxy Operations

A coalition of 22 states — including the US, UK, Germany, France, Canada, Australia, and other European and North American partners — issued a joint statement condemning "lethal plotting" and transnational repression attributed to the IRGC Intelligence Organisation, the Quds Force, and the Ministry of Intelligence and Security, with emphasis on campaigns against dissidents, journalists, and Jewish communities abroad. The statement also names attacks in Europe attributed to Harakat Ashab al-Yamin al-Islamiya (HAYI), a pro-Iranian group whose links to the IRGC are alleged but not substantiated in detail in the statement itself.

Source basis: this section now draws on the official press release of the Australian Minister for Foreign Affairs, which reproduces the full text of the joint statement and the list of signatory states — a primary source, replacing an earlier reliance on a Reuters wire story accessed only via a syndication partner.

Temporal note: the sequence of the UK bill (9 June) and the 22-nation statement (10 June) constitutes a temporal coincidence. Coordination between the two is plausible but not established by the available evidence (confidence: low). No causal link is asserted in this report.

EU-SOCTA 2025: Structural Findings on the Convergence of Organised Crime and Hybrid Threats

Europol's EU Serious and Organised Crime Threat Assessment 2025 (published March 2025, on a four-year cycle) finds that criminal networks increasingly act as proxies for state-aligned hybrid threat actors, in a relationship Europol describes as mutually reinforcing. Identified focus areas: cyberattacks on critical infrastructure and government systems, disinformation, and sabotage.

Methodological note: the report predates the events of June 2026 by roughly 15 months. The link drawn here between the EU-SOCTA finding and the UK/22-nation events is an analytical bridge constructed by this report, not a connection made by Europol itself. The structural finding (convergence of crime and hybrid threats) is assessed with medium confidence to remain valid, as no contrary indicators have been identified.

CSIS Data: Russian Sabotage Operations in Europe

CSIS's database of Russian activity in Europe documents an increase from roughly 3 incidents in 2022 to roughly 12 in 2023 and roughly 34 in 2024 — a near-tripling year on year, coordinated predominantly by the GRU. Methods: explosives, blunt or edged instruments (including anchor strikes against undersea infrastructure), and electronic interference. Target profiles: transportation, government, critical infrastructure, and the defence industry — including BAE Systems, Rheinmetall, the Diehl Group, and EMCO, all linked to weapons deliveries to Ukraine.

Currency note: the underlying CSIS figures cover the period through 2024. Whether more recent data (2025/2026) shows continuation, deceleration, or further acceleration of the trend was not assessed for this report. The trend statement applies only to the 2022–2024 period.

Iran, Russia, China: Asymmetric Use of Proxies

The three states are not treated here as equivalent case categories, but as an asymmetric comparison with differing evidentiary bases:

Iran (evidence base: well documented for transnational repression) — proxy use primarily directed at dissidents, journalists, and diaspora communities; intermediaries with loose, not precisely substantiated links to IRGC structures.

Russia (evidence base: quantitatively documented via the CSIS database) — proxy use primarily directed at sabotage of critical infrastructure in the context of the war in Ukraine, carried out by locally recruited operatives under GRU remote direction.

China (evidence base: insufficient for this report) — the source material reviewed contains no comparable incident database or case-level documentation. Coverage in EU-SOCTA occurs within the general hybrid-threat framing, without China-specific proxy case figures. China serves in this report as a contrast case, not as an equally evidenced third case.

Assessment

High confidence: the UK legislative initiative and the multinational condemnation of Iranian proxy activity mark a tightening of the legal and diplomatic toolkit against proxy-based hostile-state operations.

Medium confidence: the EU-SOCTA 2025 finding (convergence of criminal networks and hybrid threats) and the CSIS trend on Russian sabotage operations are mutually reinforcing and point to a structural, rather than isolated, development.

Low confidence / not established: direct coordination between the UK legislation and the 22-nation statement; a China-specific proxy evidence base comparable to Iran or Russia; continuation of the CSIS trend line beyond 2024.

Indicators to watch: adoption of the UK's proxy-designation model by other EU states; updates to the CSIS dataset for 2025/2026; Tehran's response to the 22-nation statement.

Glossary

Proxy Model — An analytical framework used in this report (not an established doctrinal category) for operations in which criminal networks, hired individuals, or ideologically aligned but organisationally separate groups act on behalf of a state, with the effect of increased deniability and a lowered threshold for action.

Agent Model — The classic intelligence reference model: trained state officers, often under diplomatic cover, directly recruiting and running human sources.

Confidence Level — A standardised grading of the reliability of an assessment (high/medium/low) based on the volume, independence, and consistency of underlying sources.

Temporal Coincidence — The co-occurrence of two events in time without an established causal or coordinating relationship.

National Security (State Threats) Bill 2026 — UK legislation of 9 June 2026 criminalising support for and funding of designated proxy organisations of hostile states, penalties of up to 14 years, extending the National Security Act 2023.

IRGC Quds Force — The external operations branch of Iran's Islamic Revolutionary Guard Corps, responsible for extraterritorial intelligence and paramilitary activity.

EU-SOCTA — The EU Serious and Organised Crime Threat Assessment, an Europol strategic report on a four-year cycle; the 2025 edition (March 2025) identifies criminal networks as proxies for hybrid threat actors.

GRU — Russia's military intelligence service; per CSIS, the principal coordinator of sabotage operations against European targets, 2022–2024.

References

GOV.UK — National Security (State Threats) Bill 2026: Overarching Factsheet.
gov.uk/government/publications/national-security-state-threats-bill-2026-factsheets/national-security-state-threats-bill-2026-overarching-factsheet

GOV.UK — New Powers to Crack Down on Hostile Foreign State Organisations.
gov.uk/government/news/new-powers-to-crack-down-on-hostile-foreign-state-organisations

Australian Minister for Foreign Affairs — Joint Statement on Iranian State Threats and HAYI-Claimed Attacks (10 June 2026). Primary source: full text of the joint statement of the 22 signatory states.
foreignminister.gov.au/minister/penny-wong/media-release/joint-statement-iranian-state-threats-and-hayi-claimed-attacks

Europol — EU Serious and Organised Crime Threat Assessment 2025 (Executive Summary).
europol.europa.eu/cms/sites/default/files/documents/EU-SOCTA-2025-Executive-Summary.pdf

CSIS — Russia's Shadow War Against the West.
csis.org/analysis/russias-shadow-war-against-west