Normal view

State Digital Surveillance Risk Landscape

17 June 2026 at 02:00

Executive Summary

Insikt Group assesses that government digital surveillance activities pose a high or very high risk in 31 countries, where state actors exploit telecommunications infrastructure, homegrown and commercial spyware, and artificial intelligence (AI)-powered tools to monitor foreign nationals and business travelers with little to no legal accountability. A further 55 countries categorized as medium risk frequently deploy less-sophisticated surveillance capabilities to target political opposition and dissent –– highlighting the need for organizations to adopt appropriate mitigation measures in jurisdictions with limited oversight mechanisms and track records of surveillance targeting foreign entities or supporting domestic repression.

Insikt Group has identified five broad categories of digital surveillance capabilities built in-house or acquired by governments: network interception, endpoint compromise, platform-level access, public space surveillance, and data aggregation. The risk of a government abusing these capabilities is almost certainly higher in jurisdictions lacking independent oversight mechanisms or clear delineations of the legal, necessary, and proportional use of these capabilities, in line with international standards.

Foreign nationals and business travelers who fail to adequately understand and prepare for digital surveillance risks prior to traveling or conducting operations in a given location can face significant personal and organizational damages, including sensitive data breaches, IP theft, targeted intelligence operations, reputational harm, and increased risks from physical threats or detention.

As such, individuals traveling abroad and their respective organizations should implement mitigation measures to protect sensitive data, commensurate with the level of state surveillance risk in the destination country. These measures range from maintaining standard security hygiene in lower-risk environments to using sterile, non-corporate devices when operating in high-risk jurisdictions.

Key Findings

  • Insikt Group assesses that there are “high” or “very high” levels of digital surveillance risk in 31 countries due to their use of advanced surveillance capabilities against foreign businesses, travelers, and government critics, with limited to no oversight.
  • A further 74 countries have “medium” levels of digital surveillance risk. While 55 of these countries are not known to have deployed advanced surveillance capabilities, there is evidence that their governments have deployed less sophisticated surveillance measures for a variety of purposes, which may include monitoring political opposition, human rights activists, and journalists. The remainder (19) of countries in this category possess advanced surveillance capabilities, but are not known to typically use them in violation of national or international laws.
  • By exploiting control over telecommunications infrastructure and online platforms, governments can conduct mass, indiscriminate monitoring of traffic and user data. The risk of abuse of network interception and platform-level access is almost certainly greatest where judicial authorization requirements and procedural safeguards are weak.
  • The proliferation of commercial spyware, AI-powered public security infrastructure, and increasing collection of biometric and personal data almost certainly enables governments to build comprehensive digital profiles of individuals and leverage them for targeted surveillance operations.
  • Digital surveillance that is not subject to robust oversight and does not abide by the principles of legality, necessity, and proportionality very likely incurs heightened operational, reputational, and legal costs for organizations and individuals, including the loss of sensitive data, the proliferation of cyber vulnerabilities, and legal and physical risks.

Components of Surveillance Risk

Insikt Group regularly assesses risks to business travelers and foreign nationals from government-run digital surveillance operations in 193 countries using Recorded Future’s Country Risk analytic framework. Customers can access Country Risk analysis by querying for State Surveillance Notes in the Recorded Future Intelligence Operations Platform. State Surveillance Notes assess the overall level of state surveillance risk in a given country based on three primary categories:

  • Surveillance Capabilities: The ability of intelligence services, law enforcement agencies, or other state-affiliated or directed entities to undertake digital surveillance, and the scope of these digital surveillance capabilities. This category includes the capabilities of a variety of state and state-nexus actors, including specialized surveillance agencies with broad access to digital infrastructure, state-affiliated groups that deploy spyware for cyber espionage, and individual law enforcement units that carry out traditional wiretapping.
  • History of Digital Surveillance Operations: A government’s historical willingness to carry out unlawful, arbitrary, or overbroad digital surveillance operations. This can include surveillance that violates national law — such as government entities monitoring communications without appropriate authorization — but also covers surveillance that may be sanctioned under national legislation but violates international principles of legality, necessity, and proportionality.
  • Oversight Mechanisms: The existence and efficacy of judicial, legislative, or independent oversight bodies that approve and monitor a government’s digital surveillance operations for compliance with domestic and international law.

A comprehensive evaluation of state surveillance risk in a country requires a composite assessment that takes into account all three categories. For example, a country purchasing high-profile spyware may not, by itself, indicate a high level of risk to business travelers or foreign nationals, provided that the government has a good track record of respecting domestic and international privacy protections and has strong judicial and legislative oversight of intelligence and security agencies. In contrast, a country with less advanced capabilities, but strict control over internet infrastructure and few restrictions on the government’s ability to collect user data, likely poses a greater risk to travelers’ and foreign nationals’ data security.

Insikt Group assesses whether a country’s history of digital surveillance constitutes a risk to foreign nationals and travelers based on its alignment with international principles on privacy and digital rights. Article 12 of the United Nations (UN) Universal Declaration of Human Rights establishes that no individual “shall be subjected to arbitrary interference with his privacy, family, home, or correspondence”. A 2022 UN General Assembly resolution on privacy in the digital age states that

“unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, hacking and the unlawful use of biometric technologies, as highly intrusive acts, violate the right to privacy” and that states should ensure that any interference with this right is consistent with principles of “legality, necessity, and proportionality.”

“Legality,” in this formulation, requires that surveillance or interception be prescribed by “a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.” Surveillance must also be necessary to further the purposes identified in corresponding law, take the least intrusive form required to do so, and be proportionate in scope to the interest being protected.

Key Components of State Digital Surveillance Risk

Capabilities

Surveillance History

Oversight

What technologies support a government’s ability to conduct surveillance?

Do capabilities enable mass surveillance or data collection?

Who are the primary providers of surveillance technologies?

Which government entities have access to these surveillance capabilities?

Who is monitored, and under what conditions?

Do authorities surveil activists, journalists, foreign diplomats, or business representatives?

Does surveillance align with international and domestic law?

Are government security and intelligence entities linked to rights violations?

Does surveillance require prior judicial authorization?

Do judicial, legislative, or expert oversight bodies review surveillance programs’ compliance with domestic and international law?

Are oversight bodies independent, impartial, and effective?

Table 1: State surveillance risk level is a function of not only a jurisdiction’s surveillance capabilities, but also its history of deployment of those capabilities and oversight mechanisms (Source: Recorded Future)

Applying these criteria, and based on data collected from 2024 to 2026, Insikt Group has assessed the level of risk associated with state digital surveillance in 193 countries:

  • Six countries (3%) –– Belarus, China, Iran, Myanmar, North Korea, and Russia –– are “very high risk,” denoting evidence of advanced surveillance capabilities, a lack of independent oversight, regular surveillance targeting foreign businesses and travelers, and widespread suppression of political opposition or dissent.
  • 25 countries (13%) are “high risk,” indicating evidence of moderate to advanced surveillance capabilities, limited independent oversight, and the use of surveillance tools to repress domestic political opposition, activism, or reporting critical of the government.
  • 74 countries (38%) are “medium risk,” either indicating evidence of advanced surveillance capabilities that are not typically used in violation of national or international laws (19 countries), or evidence of less advanced capabilities that are frequently employed to suppress political dissent and activism (55 countries). While countries in this risk tier may have established systems for oversight or judicial review, government surveillance operations do not always abide by their purview.
  • 65 countries (34%) are “low risk,” indicating evidence of moderate to advanced surveillance capabilities exercised under strong oversight with established records of avoiding unlawful or arbitrary surveillance (39 countries), or evidence of limited surveillance capabilities (26).
  • 23 countries (12%) are “very low risk,” indicating minimal ability to conduct digital surveillance, well-established oversight mechanisms, and no indications of surveillance abuses.
A map of the world color-coded by state digital surveillance risk levels, ranging from medium to very high,
Figure 1: State surveillance risks by country from medium to very high risk based on data collected from 2024 to 2026 (Source: Recorded Future)

Cyber-Enabled Maritime Sanctions Evasion

11 June 2026 at 02:00

Executive Summary

Iranian and Russian shadow fleet vessels, along with multiple sanctions evasion networks (SENs), are using online infrastructure likely designed to facilitate sanctions evasion. The infrastructure consists of inauthentic websites impersonating ship registries, national maritime administrations, seafarer training and certification organizations, protection and indemnity (P&I) clubs, and ship classification societies, effectively replicating key layers of the maritime compliance stack. The websites are likely being used to circumvent maritime compliance mechanisms by generating and corroborating false documents and certificates.

The online infrastructure is consistent with a service-provider model in which threat actors offer reusable digital infrastructure, documentation, and identities, rather than operating as centrally coordinated, country-specific networks. Three identified clusters of online activity –– designated as Alpha, Bravo, and Charlie for the purposes of this report –– have several technical overlaps, suggesting these clusters may form a broader, loosely connected ecosystem of online infrastructure supporting multiple SENs. This activity also aligns with prior reporting by Bellingcat and Lloyd’s List and demonstrates potential links between the two reports across these three clusters.

This infrastructure blends established sanctions evasion practices, such as exploiting weak jurisdictional oversight in under-resourced jurisdictions to conduct fraudulent ship flag registrations, with increasingly cyber-enabled tactics such as automated document generation and layered infrastructure to produce fraudulent documents and credible front companies, complicating detection and enforcement.

Cyber-enabled SENs almost certainly undermine sanctions compliance mechanisms by developing credible but fraudulent maritime organizations, increasing the risk of due diligence failures and regulatory exposure. Organizations in the maritime and shipping sectors should integrate independent verification and cyber threat intelligence into compliance workflows to proactively identify fraudulent online infrastructure. Governments whose authorities are regularly impersonated by SENs and associated service providers should prioritize coordinated identification and disruption of fraudulent infrastructure, particularly where threat actors claim multi-jurisdictional legitimacy.

Key Findings

  • SENs tied to the Iranian and Russian shadow fleets are likely using over 36 inauthentic websites in three distinct clusters. Insikt Group identified explicit connections between these websites and seventeen vessels, the majority of which have already been sanctioned by the United States (US) Department of the Treasury (USDT)’s Office of Foreign Asset Control (OFAC) and by other countries.
  • Inauthentic websites identified as part of these clusters routinely impersonate national maritime administrations and ship registries from countries such as the Comoros and Benin, as well as Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia.
  • Other websites also aim to establish fictional ship classification societies as credible registered organizations (ROs), in addition to several websites acting as fictional seafarer training and certification organizations and P&I clubs.
  • One website impersonates the Benin Maritime Administration and provides a self-service tool to generate fraudulent seafarer documents from the governments of Benin, the Comoros, and Nicaragua.
  • Attribution for at least two of the clusters documented in this report includes Cluster Alpha, which is likely to have been at least partially developed by an Indian web development company, Oceaniek Technologies. Cluster Bravo is linked to two Syrian nationals, one of whom has previous historical involvement in illicit activity. Cluster Charlie remains unattributed, although it shares technical and design characteristics with Cluster Bravo.

Background

Three partially overlapping clusters of online infrastructure are likely being used by both the Iranian and Russian shadow fleets to evade sanctions (Figure 1). The three clusters (designated Alpha, Bravo, and Charlie) are connected through shared infrastructure, consistent domain registration patterns, and recurring operational security (OPSEC) mistakes.

The activity described in this report also overlaps with two previously unconnected activity clusters described by Bellingcat and Lloyd’s List –– the first tied to Indian web development company Oceaniek Technologies, and the second to a cluster of fraudulent ship registries centered around the domain marinegov[.]net. This activity also aligns with prior reporting from independent researcher Christian Panton, who collaborated with both Bellingcat and Lloyd’s List.

Unlike traditional intrusion sets, these websites enabling maritime fraud and sanctions evasion form a complex network involving front companies, individuals, and vessels. However, Insikt Group has established initial attribution to one of the clusters to two Syrian nationals, with one individual having a record of previous involvement in illicit activities.

diagram showing three partially overlapping clusters—labeled Alpha, Bravo, and Charlie
Figure 1: Clusters identified by Insikt Group (Source: Recorded Future)

Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars

9 June 2026 at 02:00

Executive Summary

Since Russia’s full-scale invasion of Ukraine in February 2022, and the subsequent increase in Western sanctions on Russian individuals and firms, Russia’s economy has become increasingly skewed toward the defense sector. This has very likely led Russian political elites to increasingly draw patronage flows from defense-related expenditures. The wide range of sanctions has likely made it difficult for elites to diversify the sources of their graft, leaving them increasingly dependent on defense contracts for illicit funds.

As Russian President Vladimir Putin uses the distribution and withdrawal of patronage flows as a key way to maintain elite loyalty, a steady stream of defense expenditures has likely become an increasingly important cornerstone for Putin’s ability to maintain domestic political stability. Since maintaining domestic political stability is critical to Putin’s political survival, he very likely sees maintaining current defense expenditures as not only a foreign policy priority, but also a domestic political imperative. A decrease in defense expenditures would likely result in a decline in patronage flows to elites, thereby raising the prospect of elite discontent and greater difficulty in maintaining political stability.

Insikt Group therefore assesses that Putin is likely incentivized to engage in conflict abroad, not only for geopolitical purposes, but also to maintain high levels of defense spending. Should the war in Ukraine end without sanctions abatement –– and thus without providing a pathway for economic and patronage flow diversification –– Putin would likely seek alternative venues for mobilization to ensure defense-related patronage flows continue. Likely target states include non-NATO states close to Russia, including Moldova.

Public- and private-sector entities based in Europe and those with investment in Russia or users there are therefore likely to face a high-risk, unpredictable Russia-nexus cyber, physical, and economic threat environment, as long as sanctions preclude diversification of patronage flows beyond the defense sector.

As such, political settlement in Ukraine, coupled with sanctions rollbacks and security guarantees for Ukraine and other non-NATO states close to Russia, such as Moldova, likely would raise the cost of starting a conflict elsewhere while providing Putin with a pathway to diversify his elites’ patronage flows, thereby reducing his incentive to fund Russia’s patronage networks via mobilization.

Key Findings

  • Since the 2022 invasion of Ukraine, Russia’s economy has become increasingly dependent on military spending, with defense expenditures reaching an estimated 7.2% of GDP and 32% of the federal budget by 2025.
  • The military-industrial complex now employs approximately 3.5 million Russians, accounting for roughly 5% of the total labor force, while the production of civilian goods, such as cars and home appliances, has stagnated or declined.
  • Systematic Western sanctions have limited the avenues Russian elites have to accumulate illicit wealth, forcing Russian political and business elites to rely increasingly on defense contracts for patronage and graft.
  • As a decrease in defense spending would likely reduce the patronage flows necessary to maintain elite loyalty and domestic stability, Putin is likely incentivized to maintain high levels of military mobilization, even if the war in Ukraine were to end.
  • Putin’s likely domestic political motivation to maintain military mobilization –– whether in Ukraine or elsewhere –– means that dissuading Putin from pursuing further interventions abroad likely would require not only negotiating a peace in Ukraine and providing security guarantees for Kyiv, but also alleviating sanctions on Russia, thereby providing Putin a pathway to diversify the sources of elite patronage

❌