EU reassesses cyber posture amid growing hybrid threats
The European Union is investing heavily in strengthening its cyber-defence capabilities and is now openly debating a shift from a purely defensive posture to preventive and offensive operations. This strategic rethink reflects the mounting challenges posed by Russian state-aligned hackers, whose activities continue to test Europe’s resilience. In this landscape, Russia’s extensive control over Internet Protocol (IP) address resources has become a largely overlooked but highly sensitive vulnerability with direct implications for European cybersecurity.
IP addresses in Europe, the Middle East and parts of Central Asia are allocated and managed by the RIPE Network Coordination Centre (RIPE NCC), a non-profit association headquartered in Amsterdam. Its remit includes the distribution of number resources, operation of public databases, DNS infrastructure management and broader technical coordination. Russia’s full membership in this structure gives it the ability to influence decisions within a body that plays a crucial role in the functioning of the global Internet.
Moscow’s long-term strategy to expand influence inside RIPE NCC
For years, Russian intelligence services have cultivated influence within RIPE NCC by embedding individuals from Russia and Moscow-aligned post-Soviet states across its organisational structure. Former board member Dmitry Burkov, external relations director Maxim Burtikov, programme manager Elena Muravska, community development specialists Alexey Semenyaka and Dmitry Melnik, senior software engineer Konstantin Petrov and several EU nationals with strong affiliations to Russian institutions illustrate the breadth of this network.
These connections help explain RIPE NCC’s frequent engagement with Russian state bodies. In 2017, the organisation signed a memorandum of understanding with the Russian Ministry of Communications, a structure overseen by the FSB’s Special Communications Service. The agreement formally concerned IPv6 deployment and academic exchange but effectively created channels through which Russian security agencies could interact with RIPE NCC under the guise of technical cooperation.
Russian lobbying inside RIPE intensifies after the invasion of Ukraine
At the time of Russia’s full-scale invasion in February 2022, more than 5,000 Russian entities were registered members of RIPE NCC. When Ukraine requested the withdrawal of Russian access to IP resources, the organisation rejected the appeal. Parallel to this, an informal pro-Russian lobby—driven by figures such as Burtikov, Hisham Ibrahim and Athina Fragkouli—worked actively to dilute pro-Ukraine initiatives within the organisation. Their influence extends across government agencies, law-enforcement partners, the European Commission, the International Telecommunication Union and OECD structures, creating opportunities for Russian services to protect domestic providers from Western sanctions.
Burtikov played a central role in a series of concessions to sanctioned Russian companies in 2022 and 2023, including payment deferrals, reinstated services and the removal of “sanctions” notes from RIPE NCC databases. These steps enabled Russian firms to retain access to critical IP resources despite international restrictions, while the organisation publicly advocated a stance of neutrality that excluded geopolitical considerations from its operational decisions.
Stolen Ukrainian IP addresses become a tool of hybrid warfare
As Russia occupied Ukrainian territories, it forcibly seized control of IP resources belonging to Ukrainian telecom operators—sometimes extracting login credentials through physical coercion. After acquiring access, Russian-installed providers applied to RIPE NCC to reassign these address blocks. The organisation, citing neutrality, approved the changes.
The consequences for European cybersecurity are profound. Using stolen Ukrainian identifiers allows Russian operators to disguise cyberattacks and misinformation campaigns as originating from Ukrainian networks. This manipulation complicates attribution efforts, as investigators may trace an intrusion to Ukrainian digital infrastructure without realising the addresses are controlled by Russia’s occupation authorities. Providers such as Vugletelecom, Phoenix and Republican Digital Communications—directly linked to Russian administrations on occupied territory and already sanctioned in the EU—continue to interact with RIPE NCC despite their legal status.
RIPE NCC’s engagement with occupied territories undermines EU sanctions
Russian officials cite RIPE NCC’s cooperation with companies in occupied regions as supposed evidence that Western institutions recognise their territorial claims. This dynamic strengthens Moscow’s propaganda narrative and undermines the integrity of EU sanctions.
When the Dutch Ministry of Foreign Affairs clarified that IP addresses represent an economic resource benefiting the so-called Luhansk and Donetsk “people’s republics”, it concluded that such resources must be blocked under EU law. RIPE NCC insisted that it interacts only with private entities, even when those entities openly identify as state enterprises of occupied territories. It continues to accept documentation issued by occupation administrations, despite the fact that such documents have no legal validity under EU or Dutch legislation.
Many of these operators are already included in the EU’s 19 sanction packages targeting Russia. Continued failure by RIPE NCC to restrict their access risks placing the organisation itself in breach of EU sanctions, potentially triggering criminal liability.
A structural gap in Europe’s cybersecurity governance
The controversy highlights a deeper issue: Europe’s digital security architecture is no longer equipped to handle the demands of hybrid conflict. As war rages in Eastern Europe and hostile cyber activities proliferate across the continent, the role of an Internet regulator such as RIPE NCC cannot remain detached from geopolitical reality.
Greater oversight by European institutions is increasingly viewed as essential to prevent the misuse of Internet resources for hostile state operations. Without stronger governance mechanisms, Europe risks leaving a critical vulnerability unaddressed—one that Russia continues to exploit strategically.
