Reading view

State Digital Surveillance Risk Landscape

Executive Summary

Insikt Group assesses that government digital surveillance activities pose a high or very high risk in 31 countries, where state actors exploit telecommunications infrastructure, homegrown and commercial spyware, and artificial intelligence (AI)-powered tools to monitor foreign nationals and business travelers with little to no legal accountability. A further 55 countries categorized as medium risk frequently deploy less-sophisticated surveillance capabilities to target political opposition and dissent –– highlighting the need for organizations to adopt appropriate mitigation measures in jurisdictions with limited oversight mechanisms and track records of surveillance targeting foreign entities or supporting domestic repression.

Insikt Group has identified five broad categories of digital surveillance capabilities built in-house or acquired by governments: network interception, endpoint compromise, platform-level access, public space surveillance, and data aggregation. The risk of a government abusing these capabilities is almost certainly higher in jurisdictions lacking independent oversight mechanisms or clear delineations of the legal, necessary, and proportional use of these capabilities, in line with international standards.

Foreign nationals and business travelers who fail to adequately understand and prepare for digital surveillance risks prior to traveling or conducting operations in a given location can face significant personal and organizational damages, including sensitive data breaches, IP theft, targeted intelligence operations, reputational harm, and increased risks from physical threats or detention.

As such, individuals traveling abroad and their respective organizations should implement mitigation measures to protect sensitive data, commensurate with the level of state surveillance risk in the destination country. These measures range from maintaining standard security hygiene in lower-risk environments to using sterile, non-corporate devices when operating in high-risk jurisdictions.

Key Findings

  • Insikt Group assesses that there are “high” or “very high” levels of digital surveillance risk in 31 countries due to their use of advanced surveillance capabilities against foreign businesses, travelers, and government critics, with limited to no oversight.
  • A further 74 countries have “medium” levels of digital surveillance risk. While 55 of these countries are not known to have deployed advanced surveillance capabilities, there is evidence that their governments have deployed less sophisticated surveillance measures for a variety of purposes, which may include monitoring political opposition, human rights activists, and journalists. The remainder (19) of countries in this category possess advanced surveillance capabilities, but are not known to typically use them in violation of national or international laws.
  • By exploiting control over telecommunications infrastructure and online platforms, governments can conduct mass, indiscriminate monitoring of traffic and user data. The risk of abuse of network interception and platform-level access is almost certainly greatest where judicial authorization requirements and procedural safeguards are weak.
  • The proliferation of commercial spyware, AI-powered public security infrastructure, and increasing collection of biometric and personal data almost certainly enables governments to build comprehensive digital profiles of individuals and leverage them for targeted surveillance operations.
  • Digital surveillance that is not subject to robust oversight and does not abide by the principles of legality, necessity, and proportionality very likely incurs heightened operational, reputational, and legal costs for organizations and individuals, including the loss of sensitive data, the proliferation of cyber vulnerabilities, and legal and physical risks.

Components of Surveillance Risk

Insikt Group regularly assesses risks to business travelers and foreign nationals from government-run digital surveillance operations in 193 countries using Recorded Future’s Country Risk analytic framework. Customers can access Country Risk analysis by querying for State Surveillance Notes in the Recorded Future Intelligence Operations Platform. State Surveillance Notes assess the overall level of state surveillance risk in a given country based on three primary categories:

  • Surveillance Capabilities: The ability of intelligence services, law enforcement agencies, or other state-affiliated or directed entities to undertake digital surveillance, and the scope of these digital surveillance capabilities. This category includes the capabilities of a variety of state and state-nexus actors, including specialized surveillance agencies with broad access to digital infrastructure, state-affiliated groups that deploy spyware for cyber espionage, and individual law enforcement units that carry out traditional wiretapping.
  • History of Digital Surveillance Operations: A government’s historical willingness to carry out unlawful, arbitrary, or overbroad digital surveillance operations. This can include surveillance that violates national law — such as government entities monitoring communications without appropriate authorization — but also covers surveillance that may be sanctioned under national legislation but violates international principles of legality, necessity, and proportionality.
  • Oversight Mechanisms: The existence and efficacy of judicial, legislative, or independent oversight bodies that approve and monitor a government’s digital surveillance operations for compliance with domestic and international law.

A comprehensive evaluation of state surveillance risk in a country requires a composite assessment that takes into account all three categories. For example, a country purchasing high-profile spyware may not, by itself, indicate a high level of risk to business travelers or foreign nationals, provided that the government has a good track record of respecting domestic and international privacy protections and has strong judicial and legislative oversight of intelligence and security agencies. In contrast, a country with less advanced capabilities, but strict control over internet infrastructure and few restrictions on the government’s ability to collect user data, likely poses a greater risk to travelers’ and foreign nationals’ data security.

Insikt Group assesses whether a country’s history of digital surveillance constitutes a risk to foreign nationals and travelers based on its alignment with international principles on privacy and digital rights. Article 12 of the United Nations (UN) Universal Declaration of Human Rights establishes that no individual “shall be subjected to arbitrary interference with his privacy, family, home, or correspondence”. A 2022 UN General Assembly resolution on privacy in the digital age states that

“unlawful or arbitrary surveillance and/or interception of communications, as well as the unlawful or arbitrary collection of personal data, hacking and the unlawful use of biometric technologies, as highly intrusive acts, violate the right to privacy” and that states should ensure that any interference with this right is consistent with principles of “legality, necessity, and proportionality.”

“Legality,” in this formulation, requires that surveillance or interception be prescribed by “a legal framework, which must be publicly accessible, clear, precise, comprehensive and non-discriminatory.” Surveillance must also be necessary to further the purposes identified in corresponding law, take the least intrusive form required to do so, and be proportionate in scope to the interest being protected.

Key Components of State Digital Surveillance Risk

Capabilities

Surveillance History

Oversight

What technologies support a government’s ability to conduct surveillance?

Do capabilities enable mass surveillance or data collection?

Who are the primary providers of surveillance technologies?

Which government entities have access to these surveillance capabilities?

Who is monitored, and under what conditions?

Do authorities surveil activists, journalists, foreign diplomats, or business representatives?

Does surveillance align with international and domestic law?

Are government security and intelligence entities linked to rights violations?

Does surveillance require prior judicial authorization?

Do judicial, legislative, or expert oversight bodies review surveillance programs’ compliance with domestic and international law?

Are oversight bodies independent, impartial, and effective?

Table 1: State surveillance risk level is a function of not only a jurisdiction’s surveillance capabilities, but also its history of deployment of those capabilities and oversight mechanisms (Source: Recorded Future)

Applying these criteria, and based on data collected from 2024 to 2026, Insikt Group has assessed the level of risk associated with state digital surveillance in 193 countries:

  • Six countries (3%) –– Belarus, China, Iran, Myanmar, North Korea, and Russia –– are “very high risk,” denoting evidence of advanced surveillance capabilities, a lack of independent oversight, regular surveillance targeting foreign businesses and travelers, and widespread suppression of political opposition or dissent.
  • 25 countries (13%) are “high risk,” indicating evidence of moderate to advanced surveillance capabilities, limited independent oversight, and the use of surveillance tools to repress domestic political opposition, activism, or reporting critical of the government.
  • 74 countries (38%) are “medium risk,” either indicating evidence of advanced surveillance capabilities that are not typically used in violation of national or international laws (19 countries), or evidence of less advanced capabilities that are frequently employed to suppress political dissent and activism (55 countries). While countries in this risk tier may have established systems for oversight or judicial review, government surveillance operations do not always abide by their purview.
  • 65 countries (34%) are “low risk,” indicating evidence of moderate to advanced surveillance capabilities exercised under strong oversight with established records of avoiding unlawful or arbitrary surveillance (39 countries), or evidence of limited surveillance capabilities (26).
  • 23 countries (12%) are “very low risk,” indicating minimal ability to conduct digital surveillance, well-established oversight mechanisms, and no indications of surveillance abuses.
A map of the world color-coded by state digital surveillance risk levels, ranging from medium to very high,
Figure 1: State surveillance risks by country from medium to very high risk based on data collected from 2024 to 2026 (Source: Recorded Future)

  •  

The Intelligence No One Else Has: Inside Recorded Future’s Proprietary Collection Engine

Four Critical Source Types. One Platform. Recorded Future is the Only Threat Intelligence Vendor that Collects and Analyzes Across Four Types of Data Sources.

When a critical vulnerability emerges, most organizations scramble for answers.

What’s being exploited?
Who’s targeting it?
Are we exposed?

During the emergence of the React2Shell vulnerability, one Recorded Future customer didn’t rely on speculation. Using Recorded Future’s IP scanning intelligence, they identified which IPs were actively scanning for exploitation, analyzed the exact request patterns being used, and immediately assessed their own exposure.

Instead of reacting to headlines, they acted on real-time intelligence.

In the first article in our series covering our unique data sourcing model, we looked at why source scale and diversity are essential for maximum threat protection. Now we’ll explain the four source types in more detail to see how, together, they empower our customers to prioritize, pinpoint, and act faster to stop threats.

This is the power of Recorded Future’s technical collection engine.

Technical intelligence at internet scale

Recorded Future continuously collects and analyzes telemetry from across the internet, including:

  • Network traffic analysis across billions of daily network intelligence records (with over 200 points of presence (PoP))
  • Internet-wide scanning and infrastructure monitoring
  • Malware detonation and behavioral analysis
  • Vulnerability exploitation tracking

This technical intelligence provides direct visibility into attacker infrastructure, behavior, and intent.

Finding what others miss

Technical collection becomes most valuable when it reveals what’s hidden.

In one investigation, Recorded Future identified suspicious traffic on a specific port through its Malicious Traffic Analysis. This insight led a security team to uncover additional command-and-control communication that had been missed due to incomplete logging, expanding the scope of the compromise.

This isn’t just detection—it’s discovery.

Deep malware intelligence through sandboxing

Understanding malware requires more than static indicators.

Recorded Future processes over 1.5 million malware samples daily through its sandbox, enabling deep behavioral analysis of:

  • Command-line execution
  • Process activity
  • Network communication
  • Exploit techniques

This allows analysts to move beyond “Is this malicious?” to:

  • How does it behave?
  • What infrastructure does it use?
  • How can we detect it elsewhere?

Customers consistently highlight this capability as transformative.

In one case, a security analyst identified a unique command-line artifact within sandbox results. By pivoting on that behavior in their environment, they uncovered an additional infection vector that would have otherwise gone undetected—avoiding a far more complex incident response scenario.

Intelligence from the underground

Technical signals alone don’t tell the full story.

Recorded Future augments telemetry with intelligence from criminal forums, marketplaces, and adversary communications, revealing:

  • Stolen data and credentials
  • Emerging attack techniques
  • Threat actor intent
  • Ransomware victimology
  • Telegram

This provides critical context for prioritizing risk and understanding adversary motivations.

Community intelligence: strength in numbers

Recorded Future’s Collective Insights capability aggregates detections across organizations, helping customers identify patterns they might not see alone. This is especially important for preparing for monthly C-suite briefs on the latest threat assessments.

One logistics customer used this capability to investigate a multi-stage intrusion, correlating activity across their environment and linking it to nation-state actors in real time. Another customer uses Collective Insights to provide clear visibility into the specific malware most frequently blocked within their own environment, rather than relying on general trends.

This shared intelligence transforms isolated detections into campaign-level understanding.

Proactive defense in practice

This combination of technical, underground, and community intelligence enables proactive defense.

Customers often use Recorded Future’s Threat Map to identify an emerging threat actor and deploy detections in advance. Weeks later, when the actor launches a phishing campaign, customers can immediately detect and block the activity—preventing compromise before it begins.

Where open source fits

Open-source intelligence provides valuable context, but on its own it’s incomplete. Without technical telemetry, behavioral analysis, and external digital risk monitoring, organizations risk seeing only part of the threat landscape.

At Recorded Future, open sources are one part of a broader intelligence ecosystem that also supports data leakage detection, code repository monitoring, social media monitoring, and analysis of web infrastructure and content—including HTML and DOM elements—to identify brand abuse, exposed data, impersonation, and other external threats.

The bottom line

Recorded Future’s technical collection engine doesn’t just gather data. It reveals:

  • Who’s attacking
  • How attacks are executed
  • Where infrastructure is operating
  • When action is required

One platform for comprehensive threat intelligence

While some platforms focus on immediate detection, the Recorded Future Platform maintains years of historical data to reveal long-term patterns. And it automatically connects intelligence from diverse sources, turning separate data streams into unified insights.

From initial reconnaissance through criminal planning, active infrastructure attacks, and malware deployment, our four intelligence source types work together to enable proactive defense across the entire attack lifecycle.

In the next blog in our series, we’ll show how human experts connect the dots, validating our intelligence and making it actionable so you can prevent threats.

To see our four types of data sources in action in the Recorded Future Platform, request a custom demo.

  •  

Recorded Future Launches Impact and Metrics Dashboard

Today, Recorded Future is announcing the Impact and Metrics Dashboard, a new way for every Recorded Future customer to see the value their intelligence program generates without building reports by hand. The dashboard pulls data from your environment, alerts, integrations, threat detections, and analyst activity, then surfaces the metrics that map to the business and security outcomes your leadership cares about.

Security teams have always known that intelligence drives better outcomes. The hard part has been proving it in the language of the business. Boards, CFOs, and CIOs aren't asking for threat counts. They want measurable risk reduction tied to business context, and they want it in numbers they can defend.

Our 2025 ROI Report, validated across nearly 300 customers, puts numbers to what security teams already know. Recorded Future customers have reported achieving 351.3% ROI annually. 57% say the platform has substantially reduced their overall cyber risk. 96% would recommend it to a peer.

But the numbers that resonate most are not the averages. They are the attacks that your team was able to get ahead of. Ransomware stopped before detonation. Credentials reset before an adversary could use them. Fraud campaigns contained before they could reach customers. Until now, capturing that story meant pulling data from across the platform, stitching it together by hand, and rebuilding the same readout every quarter.

The most powerful version of that story is yours and that is what the Impact and Metrics Dashboard is built to show.

What the dashboard covers

Platform-Wide Security Value: Your headline number. Aggregate risk reduction and intelligence coverage across your environment, built for leadership conversations.

Threat Prioritization: See which threat actors and malware families are relevant to your organization, and how Recorded Future AI cuts noise so your team focuses on what matters. Customers who aligned their alerting to PIRs reported identifying new threats 65% faster.

Threat Detection: Understand how intelligence is moving through your security stack, from malware detected in your telemetry to integrations and threat hunting activity. Customers often receive critical alerts hours or days earlier than from other vendors.

Digital Risk Protection: Quantify exposure reduced from fraud, brand impersonation, and credential threats. For organizations with significant brand or customer risk, this is where ROI becomes immediately tangible and immediately explainable to a CFO.

Account & Credential Monitoring: See identity threats surfaced and remediated before they became incidents.

Recorded Future AI & Insikt GroupⓇ Research: Recorded Future’s expert Intelligence team & AI does the work for you, providing deeper insights than most teams could do alone. Measure analyst hours recaptured through AI-powered automation and the volume of expert research your team has put to work. Your efficiency case, in your own numbers.

Today the dashboard surfaces key metrics to start the conversation and give your team something concrete to point to. Over time the calculations will get more personalized, the benchmarks more specific to your organization, and the integration with your business context deeper.

The Impact and Metrics Dashboard is available now for every customer. To find it, navigate to Dashboards > Impact and Metrics in your Recorded Future instance. For setup help or questions, contact your Technical Account Manager (TAM).

Screenshot of the Recorded Future Impact and Metrics Dashboard, displaying key security metrics, risk reduction data, and actionable intelligence insights.

  •  

Cyber-Enabled Maritime Sanctions Evasion

Executive Summary

Iranian and Russian shadow fleet vessels, along with multiple sanctions evasion networks (SENs), are using online infrastructure likely designed to facilitate sanctions evasion. The infrastructure consists of inauthentic websites impersonating ship registries, national maritime administrations, seafarer training and certification organizations, protection and indemnity (P&I) clubs, and ship classification societies, effectively replicating key layers of the maritime compliance stack. The websites are likely being used to circumvent maritime compliance mechanisms by generating and corroborating false documents and certificates.

The online infrastructure is consistent with a service-provider model in which threat actors offer reusable digital infrastructure, documentation, and identities, rather than operating as centrally coordinated, country-specific networks. Three identified clusters of online activity –– designated as Alpha, Bravo, and Charlie for the purposes of this report –– have several technical overlaps, suggesting these clusters may form a broader, loosely connected ecosystem of online infrastructure supporting multiple SENs. This activity also aligns with prior reporting by Bellingcat and Lloyd’s List and demonstrates potential links between the two reports across these three clusters.

This infrastructure blends established sanctions evasion practices, such as exploiting weak jurisdictional oversight in under-resourced jurisdictions to conduct fraudulent ship flag registrations, with increasingly cyber-enabled tactics such as automated document generation and layered infrastructure to produce fraudulent documents and credible front companies, complicating detection and enforcement.

Cyber-enabled SENs almost certainly undermine sanctions compliance mechanisms by developing credible but fraudulent maritime organizations, increasing the risk of due diligence failures and regulatory exposure. Organizations in the maritime and shipping sectors should integrate independent verification and cyber threat intelligence into compliance workflows to proactively identify fraudulent online infrastructure. Governments whose authorities are regularly impersonated by SENs and associated service providers should prioritize coordinated identification and disruption of fraudulent infrastructure, particularly where threat actors claim multi-jurisdictional legitimacy.

Key Findings

  • SENs tied to the Iranian and Russian shadow fleets are likely using over 36 inauthentic websites in three distinct clusters. Insikt Group identified explicit connections between these websites and seventeen vessels, the majority of which have already been sanctioned by the United States (US) Department of the Treasury (USDT)’s Office of Foreign Asset Control (OFAC) and by other countries.
  • Inauthentic websites identified as part of these clusters routinely impersonate national maritime administrations and ship registries from countries such as the Comoros and Benin, as well as Bhutan, Cameroon, Chad, Equatorial Guinea, Gambia, Haiti, Malawi, Nicaragua, and Zambia.
  • Other websites also aim to establish fictional ship classification societies as credible registered organizations (ROs), in addition to several websites acting as fictional seafarer training and certification organizations and P&I clubs.
  • One website impersonates the Benin Maritime Administration and provides a self-service tool to generate fraudulent seafarer documents from the governments of Benin, the Comoros, and Nicaragua.
  • Attribution for at least two of the clusters documented in this report includes Cluster Alpha, which is likely to have been at least partially developed by an Indian web development company, Oceaniek Technologies. Cluster Bravo is linked to two Syrian nationals, one of whom has previous historical involvement in illicit activity. Cluster Charlie remains unattributed, although it shares technical and design characteristics with Cluster Bravo.

Background

Three partially overlapping clusters of online infrastructure are likely being used by both the Iranian and Russian shadow fleets to evade sanctions (Figure 1). The three clusters (designated Alpha, Bravo, and Charlie) are connected through shared infrastructure, consistent domain registration patterns, and recurring operational security (OPSEC) mistakes.

The activity described in this report also overlaps with two previously unconnected activity clusters described by Bellingcat and Lloyd’s List –– the first tied to Indian web development company Oceaniek Technologies, and the second to a cluster of fraudulent ship registries centered around the domain marinegov[.]net. This activity also aligns with prior reporting from independent researcher Christian Panton, who collaborated with both Bellingcat and Lloyd’s List.

Unlike traditional intrusion sets, these websites enabling maritime fraud and sanctions evasion form a complex network involving front companies, individuals, and vessels. However, Insikt Group has established initial attribution to one of the clusters to two Syrian nationals, with one individual having a record of previous involvement in illicit activities.

diagram showing three partially overlapping clusters—labeled Alpha, Bravo, and Charlie
Figure 1: Clusters identified by Insikt Group (Source: Recorded Future)

  •  

2026 FIFA World Cup: What Public Safety Officials Need to Know

Starting tomorrow, millions of people will gather in sixteen host cities across the United States, Canada, and Mexico to cheer on their teams in the 2026 FIFA World Cup. Securing the tournament will require preparing for a mix of physical security risks, cyber threats, scams, protests, politically motivated activity, and reputational disruption tied to one of the world’s most visible sporting events.

The World Cup’s global profile creates an attractive target environment for a wide range of threat actors. Cybercriminals are already exploiting tournament demand through fraudulent domains, fake stores, credential-harvesting sites, and advertising campaigns. Hacktivists and influence operators will likely try to use the event’s visibility to amplify political narratives or claim responsibility for disruptive activity. At the same time, public safety officials must manage the physical security challenges associated with large crowds, soft targets, protests, transportation hubs, hospitality infrastructure, and fan zones.

Together, these risks create a blended cyber-physical threat environment that requires coordination across public safety, cybersecurity, fraud, legal, communications, brand protection, executive protection, travel security, and third-party risk teams.
An assessment of physical, cyber, and fraud threats to the 2026 FIFA World Cup, visualizing various risk categories associated with the event

Figure 1: Assessment of physical, cyber, and fraud risks affecting the 2026 FIFA World Cup

(Source: Recorded Future)

  •  

China's Noncombatant Evacuation Operations: 2005–2025

Over the past two decades, noncombatant evacuation operations (NEOs) have emerged as an important tool for protecting China’s overseas interests. To assess China’s NEO capabilities for the US Army War College China Landpower Studies Center’s 2026 Carlisle Conference on the PLA (People’s Liberation Army), Insikt Group built an original dataset of 37 Chinese NEOs carried out between January 2005 and August 2025. This blog post has been adapted from Insikt Group’s conference paper, and our “China 2005–2025 Noncombatant Evacuation Operation Dataset” is attached as a PDF.

One of Insikt Group’s most notable findings is that, over the past twenty years, China has consistently mobilized civilian resources to facilitate NEOs, demonstrating China’s reliance on these resources for NEOs and its capability to call upon diverse instruments of national power to protect overseas interests. During this period, at least 65% of China’s NEOs involved support from Chinese state-owned enterprises (SOEs), private enterprises, or United Front/civil society organizations located in the host country, third-party countries, or China. The contributions of SOEs, private enterprises, and United Front/civil society organizations to China’s NEOs include:

  • Organizing evacuation efforts on the ground
  • Communicating official instructions
  • Providing air, land, and maritime transportation
  • Providing relief to evacuees once they arrive in neighboring countries or return to China-


The Chinese Communist Party (CCP) and the Chinese government have continued to take advantage of civilian resources for NEOs since August 2025 — such as for its Iran NEO in early 2026 — and will almost certainly continue to mobilize these resources in the future.

Overview of China’s NEOs

China carried out at least 37 NEOs in 28 different countries between 2005 and 2025 (see image below). China carried out eleven NEOs in Africa, nine in the Middle East, and nine in Asia, with the other eight occurring in the Caribbean, Pacific Islands, Europe, and North America. China conducted multiple NEOs in the Central African Republic, Haiti, Iran, Israel, Kyrgyzstan, Lebanon, Libya, and South Sudan.

Map highlighting 28 countries in which China carried out Noncombatant Evacuation Operations (2005-2025)
The 28 countries in which China carried out a NEO between 2005 and 2025 (Source: Recorded Future)

  •  

Russia’s Defense-Based Economy Risks Forcing Putin to Fight Wars

Executive Summary

Since Russia’s full-scale invasion of Ukraine in February 2022, and the subsequent increase in Western sanctions on Russian individuals and firms, Russia’s economy has become increasingly skewed toward the defense sector. This has very likely led Russian political elites to increasingly draw patronage flows from defense-related expenditures. The wide range of sanctions has likely made it difficult for elites to diversify the sources of their graft, leaving them increasingly dependent on defense contracts for illicit funds.

As Russian President Vladimir Putin uses the distribution and withdrawal of patronage flows as a key way to maintain elite loyalty, a steady stream of defense expenditures has likely become an increasingly important cornerstone for Putin’s ability to maintain domestic political stability. Since maintaining domestic political stability is critical to Putin’s political survival, he very likely sees maintaining current defense expenditures as not only a foreign policy priority, but also a domestic political imperative. A decrease in defense expenditures would likely result in a decline in patronage flows to elites, thereby raising the prospect of elite discontent and greater difficulty in maintaining political stability.

Insikt Group therefore assesses that Putin is likely incentivized to engage in conflict abroad, not only for geopolitical purposes, but also to maintain high levels of defense spending. Should the war in Ukraine end without sanctions abatement –– and thus without providing a pathway for economic and patronage flow diversification –– Putin would likely seek alternative venues for mobilization to ensure defense-related patronage flows continue. Likely target states include non-NATO states close to Russia, including Moldova.

Public- and private-sector entities based in Europe and those with investment in Russia or users there are therefore likely to face a high-risk, unpredictable Russia-nexus cyber, physical, and economic threat environment, as long as sanctions preclude diversification of patronage flows beyond the defense sector.

As such, political settlement in Ukraine, coupled with sanctions rollbacks and security guarantees for Ukraine and other non-NATO states close to Russia, such as Moldova, likely would raise the cost of starting a conflict elsewhere while providing Putin with a pathway to diversify his elites’ patronage flows, thereby reducing his incentive to fund Russia’s patronage networks via mobilization.

Key Findings

  • Since the 2022 invasion of Ukraine, Russia’s economy has become increasingly dependent on military spending, with defense expenditures reaching an estimated 7.2% of GDP and 32% of the federal budget by 2025.
  • The military-industrial complex now employs approximately 3.5 million Russians, accounting for roughly 5% of the total labor force, while the production of civilian goods, such as cars and home appliances, has stagnated or declined.
  • Systematic Western sanctions have limited the avenues Russian elites have to accumulate illicit wealth, forcing Russian political and business elites to rely increasingly on defense contracts for patronage and graft.
  • As a decrease in defense spending would likely reduce the patronage flows necessary to maintain elite loyalty and domestic stability, Putin is likely incentivized to maintain high levels of military mobilization, even if the war in Ukraine were to end.
  • Putin’s likely domestic political motivation to maintain military mobilization –– whether in Ukraine or elsewhere –– means that dissuading Putin from pursuing further interventions abroad likely would require not only negotiating a peace in Ukraine and providing security guarantees for Kyiv, but also alleviating sanctions on Russia, thereby providing Putin a pathway to diversify the sources of elite patronage

  •  
❌