Exposing Sabotage Financing with Decision Intelligence

Today’s Financial Services' Institutions (FSIs) are having to become increasingly attuned to complex risks across money laundering, sanctions evasion, and terrorism financing, ever vigilant for indicators that could point to illicit activity as part of regulatory obligation. Now, they increasingly face a new dimension: sabotage financing, a phenomenon that is already reshaping the global national security landscape. 

What exactly does sabotage financing mean? In this context, it refers to the funding or payment of hostile, often state-aligned actors or groups to act in ways that undermine security, infrastructure, and cohesion of targeted entities. The Royal United Services Institute (RUSI) reports that sabotage operations focus on predominantly “soft,” civilian targets, and may include direct actions (such as arson, attempted bombings or cyber-attacks) as well as symbolic actions (including strategic vandalism of historic or cultural sites). These acts are designed to inflame social tensions or erode trust in public institutions.  

It’s important to note that sabotage actions do not always include physical damage and encompass far more than the end result of an operation; supporting activities such as photographing infrastructure, reconnaissance, or couriering supplies and cash are integral to these hostile operational chains.  

When successful, the sum of these sabotage activities affects an array of damaging outcomes, up to and including the destabilization of institutions and governments. Therefore, it is absolutely vital for public and private organizations, particularly FSIs and government intelligence agencies, to develop robust and interconnected strategies to identify and disrupt these hostile campaigns. As such, financial intelligence can yield an important avenue for doing so. 

An opaque and fragmented compensation system 

 Despite the increasing prevalence of state-sponsored hybrid campaigns across Europe, in 2024 alone, NATO nations reported three times the number of these attacks as in the prior year, research on sabotage and its financial underpinnings remains limited. However, these threats are already being reflected in policy: The European Union’s ProtectEU strategy and the UK’s National Security Strategy 2025 both underscore the growing risks posed by sabotage within a shifting threat landscape. Europol has similarly warned that geopolitical tensions are creating space for criminal networks to act as proxies for hostile states, further blurring the line between organized crime and national security threats.  

The unfortunate reality is that the numbers and scale of these attacks are almost certain to increase in the coming years. And crucially, a growing marketplace of willing participants is making it easier than ever for hostile actors to outsource acts of sabotage and similar to organized criminals, create as much distance and space between the act and the initiator/benefactor. RUSI finds that these actions are often perpetrated by proxies operating on a “gig economy” model; these actors are recruited online, communicate through encrypted messaging apps, work remotely, and are paid through cryptocurrency or other channels with lighter oversight.  

This compensation model leaves behind intentionally opaque, fragmented, and low-value financial trails, making them much harder to capture and trace within the current of everyday transaction flows; in this way, financial support for sabotage is able to stay largely under the radar. 

Yet, with new technological solutions and the transparency they bring, these financial flows are becoming a greater vulnerability for malevolent state actors as they can present the breadcrumbs needed to start identifying, disrupting and preventing this activity, along with enabling better underlying attribution. As an additional benefit, research shows that detecting and disrupting sabotage financing may also help expose and dismantle connected strands of organized criminal activity and national security threats, neutralizing an array of criminal operations simultaneously and giving more bang for the buck. 

A need for sharper detection strategies 

FSIs are uniquely positioned at the vanguard of national strategies for detection and prevention of sabotage. However, while EU and UK banks have procedures in place for detecting and reporting terrorism and criminal activity financing, there is no discrete regulatory category for sabotage financing.  

In practice, this financing would be lost within general money laundering or fraud risk identification, if found at all, viewed as a subset of terrorist financing, or a separate category of criminal activity financing. This comes as the sabotage financing characteristics appear to resemble many of the strategies and characteristics employed in sanctions/tariff circumvention, money mules, TBML, and illicit usage of hawala to circumvent traditional controls. Some of these include, but are not limited to: 

• Blended legitimate and illicit multi channels: Research indicates that payments linked to sabotage often move through legitimate businesses, contractors, gig platforms, freelance marketplaces, crowdsourcing sites, and digital labor networks, making them hard to distinguish from normal commercial or personal transactions. These flows frequently involve micro-payments, fictitious contractors, shell accounts, mule networks, cross-border digital wallets, and even traditional cash.  

• Reliance on crypto-assets and informal channels: Digital currencies and cash-based conversion services (including over-the-counter exchanges) allow for fast, low-cost cross-border transfers with minimal transparency, making detection and monitoring significantly more challenging. 

• Fragmented legal and regulatory frameworks: Sabotage is defined and attributed inconsistently across jurisdictions, limiting the reach of existing measures that could be deployed such as those in CFT and leaving gaps in overall oversight. RUSI emphasizes that tracing responsibility and therefore having consistent attribution is particularly difficult, as actions are often routed through intermediaries or proxy entities, complicating both investigative and legal responses. 

The vast diversity and volume of data supporting these behaviors make traditional rule-based or typology-driven monitoring, as well as isolated analytic approaches, largely inadequate. Organizations must integrate their data, interpret it in context, link seemingly isolated events, and uncover hidden patterns all at a scale and pace that not only detects but also enables proactive disruption. 

Decision Intelligence as a strategic differentiator 

 Decision Intelligence (DI) moves beyond isolated analytics toward integrated, context-aware decision-making. Within the scope of sabotage financing, DI offers a structured approach to consolidate data, leverage advanced graph analytics, and operationalize intelligence across detection, investigation, and prevention. Here’s a bit of insight into how DI works to detect and disrupt otherwise low-visibility threats: 

• Entity and network intelligence are connected.  

At its core, DI enables the resolution of entities across dispersed and fragmented datasets—including individuals, companies, beneficial owners, transactions, trade records, and adverse media—to build a unified view of networks. Sophisticated entity resolution methods allow institutions to connect seemingly unrelated records and activities, revealing proxy arrangements, layered intermediaries, and concealed relationships. This network-focused approach is critical for mapping the financial structures that research indicates support sabotage operations. 

• Graph analytics to reveal hidden structures.  

Once entities are linked, graph analytics offer robust tools to map relationships, uncover clusters, and detect unusual network patterns. These graph-based methods can reveal hidden connections between criminal actors, sanctioned individuals, and commercial fronts, giving investigators a more complete picture of hybrid threat networks. In the case of sabotage financing, graph analytics can expose proxy procurement networks, intermediary payment flows, and influence structures that would often go undetected by conventional transaction monitoring systems. 

• Contextual decisioning is integrated into investigative workflows. 

Contextual decisioning integrates analytics directly into operational workflows, allowing investigators to focus on the highest-risk cases and respond quickly. By bringing together transaction data, network intelligence, external sources, and investigator expertise, it ensures alerts are assessed within context rather than as isolated events. This approach is especially critical for sabotage financing, where single transactions may be small and seem harmless but take on significance when analyzed within larger networks or behavioral patterns.  

Operational use-cases for FSIs 

 Financial services institutions (FSIs) have a variety of ways to leverage Decision Intelligence to uncover and counter sabotage financing. One key application is monitoring critical infrastructure supply chains. By combining connected data and graph analytics, FSIs and government agencies can map financial and operational relationships across sectors such as energy, defense, and telecommunications, enabling the detection of unusual funding flows or patterns that may indicate sabotage planning or proxy procurement networks. 

Another important use case is the identification of proxy actors and contractors. Graph analytics can expose hidden links between criminal entities, sanctioned individuals, and newly-formed companies receiving suspicious payments, revealing networks employed in hybrid operations.  

Furthermore, public-private intelligence collaboration is strengthened through privacy-preserving analytics and federated learning, allowing institutions to share risk signals and collectively detect systemic threats across the financial ecosystem without compromising sensitive data. 

Policy and regulatory implications 

Sabotage financing exists at the cross-roads of financial crime, national security, and critical infrastructure protection; consequently, it occupies a vastly important yet insufficiently addressed criminal sub-sector. FSIs are uniquely positioned at this intersection to detect, analyze, and help mitigate these emerging threats—but they need the right regulatory instruments and data-driven tools. 

Part of the problem is jurisdictional, one endemic to many (non-illicit) cross-border operations: a lack of consistent legal frameworks across NATO and EU countries, which hampers the financial intelligence community’s ability to respond effectively to sabotage threats. Regulators and policymakers across the EU are increasingly advocating for stronger, more resilient mechanisms for data sharing, more stringent oversight of cryptocurrencies, and more robust public-private cooperation. 

Decision Intelligence offers a practical approach to achieving these goals, by integrating data, facilitating collaboration, and speeding up decision-making across institutions and sectors. By leveraging Decision Intelligence, FSIs can not only navigate these legal and operational gaps but also turn fragmented information into actionable insights, proactively protecting both their organizations and the critical systems that underpin broader economic and national security interests.  

From compliance to strategic offense 

 Sabotage financing is emerging as a frontier threat at the intersection of financial crime, geopolitical tension, and economic disruption, exploiting gaps between traditional financial controls and national security measures. Decision intelligence equips financial institutions and government organizations to go beyond reactive compliance, offering a framework to unify fragmented data, illuminate hidden networks, and provide investigators with actionable, context-rich insights. 

As hybrid threats from state actors not only increase in number but in sophistication, organizations, particularly FSI’s must leverage connected data foundations, graph-based analytics, and contextual decisioning. Doing so will prepare them not only to safeguard their own operations, but also to strengthen the critical infrastructures and systems that underpin modern economies and societies. 

Explore more about Quantexa's Decision Intelligence capabilities.