B
Hey, everyone, and welcome to Seriously Risky Biz. This is our podcast all about cyber security policy and intelligence. My name is Amberly Jack, and in just a moment, I'll bring in our policy and intelligence editor, Tom Uren, to chat about the Seriously Risky Business newsletter that he's put together today. And you can, of course, read that and subscribe over at our website, Risky Biz. But first, though, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, we do have a corporate sponsor this week as well, so big thanks to Authentic for that. G'day, Tom.
A
G'day, Amberly. How are you?
B
I'm good, thanks. And you've written a couple of pieces in the newsletter today that kind of indicate that foreign intelligence services are maybe testing out using domestic proxies to facilitate overseas operations. And the first example that you've used is a couple of teenagers have been arrested in the Netherlands, allegedly recruited on Telegram by Russian spies and were tasked with Wi-Fi collection in the Netherlands. So tell me a bit about that first up.
A
Yeah, so in one sense, this is just an extension of what Russia has been doing over the last couple of years. So Russia has been recruiting people on Telegram since, like, the invasion of Ukraine, essentially. And they've been getting them to do things that range from the bizarre, which is like just spray painting graffiti, like stories of people getting paid hundreds of euros to spray paint stuff that they don't really understand. They're just given a picture, go spray paint it. But they've also got people to do things like sabotage and physical surveillance. They've given them maps of military bases and said, you know, given them quite specific directions of look, look for this. How do we get around? Look for that. And then also things like throwing Molotov cocktails. So mostly it's at the level of low level annoyance. Nothing that is like strategically significant. Now, this is new, though, in that they're getting them to do cyber espionage.
C
Yeah, Right.
A
And yeah, the story is they were to walk past certain areas where there are potential high value targets. So Russia has expressed interest in quite a few things that are in the Netherlands. So previously they were interested in the Organization for the Prohibition of Chemical Weapons. They've been interested in the International Criminal Court, which is also in The Hague, and the Russians, the GRU in particular, which is Russian military intelligence, they actually have a track record of conducting on site operations if they have not been successful, just like with traditional remote cyber espionage. Most interestingly, back in 2018, four of them were pinged by Dutch intelligence. And the backdrop to that was that Sergei Skripal, a former Russian, I think he was KGB officer, had defected to the UK some time ago. There was an attempted nerve agent poisoning of Skripal, which also, like, collected his daughter. His daughter was poisoned. And the OPCW, that Chemical Weapons Organization, was investigating that incident. And the four GRU officers, the Dutch really did a number on them in that they had photos of them at all stages of the operation. They arrested them when they were sitting outside the OPCW with a car full of Wi-Fi equipment and they publicized it. So extremely embarrassing. They.
B
That car full of Wi-Fi equipment, it's kind of hard to talk yourself out of, I'm assuming, as well.
A
Yeah. There were also laptops and cell phones and other equipment the Dutch seized anyway, so they've got this track record of doing that kind of thing. From some of the laptops that were seized, the Dutch were able to tell that they had also conducted on site operations in Brazil and also in Switzerland. And so that was because the Russian Federation had been banned for organized doping. And so they were targeting the World Anti-Doping Agency and the US Anti-Doping Agency and other sports organizations to try and find material. So this is a thing that they do, I guess. And so it kind of makes sense that these two, I guess, trends would align, that you'd get the recruitment on Telegram. Plus, we like to have people on site to do things for, to facilitate cyber espionage.
B
And you sort of mentioned in the newsletter as well. I mean, yes, it's great to have people on site. And then when you're hiring locals, the risk is so much less because obviously your people are not on site. You kind of have your lackeys to do it for you. And it, I mean, slightly different situation. But I mean, Adam and I were talking yesterday about the BBC journalist who was offered money to basically hand over his creds so that BBC could be ransomed. And when we were talking about it and sort of saying, you know, the risk for the attackers is so low, but it's never going to end well for the person on site. And you kind of saw that with these Dutch teenagers as well. I mean, everyone's fine in Russia, but these kids, there's no way you're not going to get caught, surely?
A
Well, I wonder, because the reason they got caught was that the Dutch intelligence tipped off the police.
C
Right.
A
And so it was a counterintelligence victory, I guess. But if you don't have good counterintelligence, how are you ever going to catch teenagers walking around a city with a backpack? So that really makes me wonder about, obviously, sabotage and surveillance. There's something to see, like there's a person who's thrown a Molotov cocktail or is hanging around outside your military facility. There's something suspicious.
B
Spray painting some very bad graffiti.
A
That's right. There's something suspicious that will trigger an investigation. Whereas just walking around like no one knows if you've got a laptop in your backpack.
C
Yeah, right.
A
Or whatever. So that makes me think that this is actually perhaps the tip of an iceberg. So typically in these operations, what has happened is that Wi-Fi has provided a less protected entry point. So on the on site operations, they would compromise a Wi-Fi and then they would get to their actual target and then they would hand that target over to the team back in Russia. And so what the Russians have done also since 2022 is that they've hopped from one network to another to get to a place where they can then jump onto the ultimate target's Wi-Fi. And so Volexity called it a nearest neighbor attack. And so that seems like a lot of work. But you can imagine that if you had a person walking around mapping out the Wi-Fi, that might give you a better plan for how to get to where you actually want to go to. Okay, this building across the street, they've got Wi-Fi. They're not a target network per se, but if we can hop through them and get onto a device there, that can then bridge to the target's Wi-Fi, I think you can see how reconnaissance of Wi-Fi networks around your targets would be useful. And so I think that that to me makes sense, is that they're using cheap, low cost, almost risk free labor to try and get a head up on other operations. That would be expensive in terms of the time and effort required. And I can't see how without that intelligence tip off, you would ever pick up people walking around a city because they don't have to be suspicious. They can just walk past, they can go sightseeing, whatever, as long as they've got their laptop collecting what needs to be collected. It's, I think, actually a very low risk thing to do as well.
B
Wow, interesting. And Tom, in a sort of a similar vein, you've spoken about a New York SIM farm which has been dismantled and also seems to indicate that there's a bit of foreign intelligence fingers in that particular pie as well.
A
Yeah, so my take on that, and Pat and Rob Joyce mentioned this on the main show last week, and the short story is that the Secret Service discovered 300 SIM boxes and 100,000 SIM cards. And so I've been thinking about it over the last week. That's the perfect size for a spam operation. The Secret Service played up the risk to the telecommunications network and it's actually just too small to make a significant dent in, like, a denial of service or something like that. And so that doesn't seem like that was the real purpose. And if you're after specific VIPs, if it's a nation-state-run operation after, you know, spear phishing or like sending anonymous threats, like why would you bother doing that? It's like way too big. So to me it makes sense as essentially sort of a spam as a service operation. And I think it has to be as a service because there were other actors on there, the Secret Service tells us, that were sending messages. And the implication is that they were, like, trying to use it covertly. So they talk about a nation state and also criminal actors. And so if you've got 100,000 different, essentially, phone numbers, like you could rent them out to other people to send messages. And that would be a form of covert comms that it is hard for law enforcement to intercept because the numbers or the phone, the SIM cards are only used once. And so there's no building a pattern of communicating devices. And so it's quite hard to detect and it's quite hard to use lawful intercept against it.
C
Yeah, right.
A
So to me that makes sense. That's my hypothesis. And it also is the sort of thing that a Western intelligence agency would never say. Okay, there's this spam farm out there, let's put some of our secret communications on that spam farm, because that'll be good. They're control freaks. There's too many risks. But if you look at it from the point of view of a different nation where they're willing to just, you know, do things, and I guess the example I was thinking of was Chinese cyber espionage. They're willing to outsource a whole lot of cyber espionage. What they're giving up is operational control. So, you know, how stealthy are you being? What exactly are you doing? But what they get in return is some level of plausible deniability that's eroded over time. But I think at the beginning that was part of the benefit. And they're also getting far greater collection aperture. They've got more people doing more stuff, collecting more intelligence. So it's kind of reach and breadth, just less control. And if you come with that mindset, I think using a service like a spam farm for covert comms actually makes sense. Like, you know, we're willing to outsource some of this stuff. It's a bit riskier, but if it gets pinged, oh, well, I guess we'll move on and figure something else out. So it's just, to me, struck me as interesting that we've got these two different stories of foreign actors trying. I mean, would I call them audacious, maybe I wouldn't call them audacious, but from a Western point of view, they're outside the box thinking, yeah, yeah, but.
B
The Western side is outsourcing, maybe the future of covert comms and espionage.
A
I think there's always different ways of approaching things that until you see them, seem like they're unthinkable. And then once you see them, you go, oh, well, of course that's what they'll do.
C
Yeah.
B
And finally, Tom, in the newsletter today, you've discussed a report looking into DOGE and sort of indicates a few security lapses there, I guess. But your sort of main takeaway here seems to be that there's always going to be this kind of trade off between speed and security, and that's possibly what's happened here.
A
Yeah. So the story is that, I guess the backdrop is it's no secret that DOGE has been unpopular in some sectors, and the Senate Democrats, and I think it was the House Government Affairs Committee, something like that, issued a report into what they had found out about DOGE. So they took whistleblower testimony, public reporting, and they also undertook oversight visits to the federal, three federal agencies, so the Social Security Administration, the General Services Administration, and the Office of Personnel Management. And basically this is a report that wraps up all of those sources. So usually these are the kind of reports that I find are fantastic because usually they occur after an incident's happened and they've got the clout, I guess, to get people to cooperate and say, this is the way things were. And what I find really interesting about them is that inevitably there's some kind of governance failure that leads to a really significant hack.
C
Yeah, right.
A
So, like, there may be technical issues along the way, but it's like the rolling up of technical issues because essentially no one really cared. There was a lack of governance. And so what this report, I mean, it says all sorts of different things. It's hard to know what to make of it because there is some sort of political motivation behind it. But what struck me is just that there are all these governance, I guess you'd call them red flags, where when they talk to people, the authors, the report authors talk to people in the different federal government departments, it's really unclear. Like, things. Pretty basic things like who's in charge, who's setting or allowing this policy, where are the limits, what can be done, what can't be done? Now, as you sort of mentioned right at the beginning, the fundamental trade off here is you can do things really fast, but if you're doing things really fast, you can't be really careful about security. It's just incompatible. And foregoing security at the expense of speed, that's not necessarily the wrong answer. Like, it really depends on the situation. And so from a security professional's point of view, like, your job is to argue against that and say, this is terrible. Here are the ramifications, here are the potential risks. And then it's up to someone else to say, well, I accept that risk or not. And so to me, this seems like a story about choices. It's not clear whether it was a deliberate choice to. I don't know that they're ignoring security, but they just don't have the governance structures around it to reassure you that they're doing it really well.
C
Yeah. Yeah, for sure.
A
And so it doesn't surprise me at all that governance doesn't look to be particularly robust.
B
And as for now, there hasn't been a significant kind of legal breach, and we're just hoping that hasn't been the case. Is that.
A
Yeah. So, I mean, it does make you wonder whether you would even know if you haven't set up the right kind of protections and monitoring and that sort of thing. It's unclear. It doesn't appear that anything's happened. So all we can do is hope that nothing does happen.
B
On that note, Tom, I think we might leave it there, but thank you so much for joining me again this week. And of course, you can read and subscribe to Tom's newsletter, Seriously Risky Business, over at our website, Risky Biz. But, Tom, we will catch you the same time next week.
A
Thanks, Amberly.
Podcast Summary: Risky Bulletin — Srsly Risky Biz: The cyberespionage gig economy
Date: October 2, 2025
Host: Amberly Jack
Guest: Tom Uren, Policy and Intelligence Editor, Risky Business
This episode of "Seriously Risky Biz" explores the growing trend of foreign intelligence services leveraging domestic surrogates and outsourced operations for cyberespionage, highlighting cases in the Netherlands and New York, and discussing the broader implications for cybersecurity policy, governance, and risk management. The show concludes with a reflection on the governance shortfalls described in a recent congressional oversight report on DOGE.
[00:42–02:26]
Quote:
"They've been getting them to do things that range from the bizarre, which is like just spray painting graffiti ... but they've also got people to do things like sabotage and physical surveillance ... Now, this is new, though, in that they're getting them to do cyber espionage."
— Tom Uren [01:16]
[02:27–05:26]
Quote:
"They arrested them when they were sitting outside the OPCW with a car full of Wi-Fi equipment ... and they publicized it. So, extremely embarrassing."
— Tom Uren [03:23]
[05:26–09:08]
Quote:
"If you don't have good counterintelligence, how are you ever going to catch teenagers walking around a city with a backpack?"
— Tom Uren [06:22]
Quote:
"I think ... they're using cheap, low-cost, almost risk-free labor to try and get a head up on other operations ... It's, I think, actually a very low-risk thing to do as well."
— Tom Uren [07:11]
[09:08–12:58]
Incident: The U.S. Secret Service dismantled a New York SIM farm (300 SIM boxes, 100,000 SIM cards), which it initially framed as a threat to the telecommunications network.
Mindset Differences:
Quote:
"If you look at it from the point of view of a different nation where they're willing to just ... outsource a whole lot of cyber espionage, what they're giving up is operational control ... but what they get in return is some level of plausible deniability ... and far greater collection aperture."
— Tom Uren [11:14]
Quote:
"If it gets pinged, oh, well, I guess we'll move on and figure something else out ... from a Western point of view, they're outside-the-box thinking."
— Tom Uren [12:31]
[13:21–16:50]
Quote:
"There's always going to be this kind of trade-off between speed and security ... And foregoing security at the expense of speed, that's not necessarily the wrong answer. Like, it really depends on the situation."
— Tom Uren [15:38]
Quote:
"It does make you wonder whether you would even know if you haven't set up the right kind of protections and monitoring ... It doesn't appear that anything's happened. So all we can do is hope that nothing does happen."
— Tom Uren [17:00]
Key quote:
"In one sense, this is just an extension of what Russia has been doing over the last couple of years."
— Tom Uren [01:16]
For further reading and to subscribe to the Seriously Risky Business newsletter, visit Risky Biz.