DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
The Record

Incidents

A documented dossier for every mapped event. Search and filter the full record; each entry links to its own page with the assessed attribution and a located minimap.

The record

All incidents

Documented incidents of sabotage and hybrid warfare targeting Western and allied infrastructure. Open any entry for a sourced account, an assessment, and a satellite view of the site.

Loading…
FAQ

Frequently asked questions

Common questions about Sabotage Watch, what the incident record documents, how attribution and sources are handled, and how to contribute.

What is Sabotage Watch?
Sabotage Watch is an open-source intelligence (OSINT) project that documents hybrid-warfare and sabotage incidents targeting the critical infrastructure of Western nations and their allies. Every mapped event has a written dossier summarising what happened alongside an evidence-based assessment, with the aim of raising public awareness of below-threshold threats. More about the project, its mission and its methodology is on the About page.
What is hybrid or gray-zone warfare?
Hybrid or gray-zone warfare is hostile activity kept deliberately below the threshold that would trigger a conventional military response. Its defining feature is ambiguity: actions are designed to be deniable and to fall short of an armed attack, letting a state or its proxies coerce and destabilise an adversary while avoiding open conflict and direct accountability. The pressure is cumulative, exploiting the seams between war and peace, civilian and military, and the physical and digital domains.
What counts as an incident on Sabotage Watch?
An incident is a discrete hostile, or suspected hostile, act against the critical infrastructure or security of Western nations and their allies that sits below the threshold of open warfare and is confirmed or credibly reported by reliable sources. The scope spans the physical, cyber and informational domains: sabotage of energy, transport, maritime and telecommunications infrastructure; drone incursions and airspace violations; electronic interference such as GPS jamming and spoofing; cyber intrusions; targeted arson, parcel-bomb and assassination plots; and influence or disinformation operations. Ordinary crime or accidents with no security dimension are excluded. Each qualifying incident is then sorted into one of the categories listed below.
Which categories of incidents does Sabotage Watch track?
Tracked categories are Airspace Violations, Arson, Cyber, Disinformation/Interference, Drone Sightings, Killing/Poisoning, Kidnapping, Sabotage, Spoofing/Jamming, Submarine Cable Damage, Terrorism and Other. Each incident is colour-coded by category on the interactive map, where submarine cable routes and oil and gas pipelines are also shown as separate layers.
How are incidents verified, and which sources are used?
Sabotage Watch prioritises official sources from democratic states first, such as defence ministries, coast guards, police, cyber agencies and regulators, followed by established news agencies and quality media. Every dossier links its sources so readers can verify each claim independently.
How does Sabotage Watch handle attribution?
Attribution is stated cautiously, and documented facts are kept separate from assessments. Where a perpetrator is not proven, wording such as suspected, assessed or under investigation is used. A state link is asserted only where officials, investigators or courts have established one.
Who is responsible for these incidents?
It varies by case and is always hedged. Many incidents in Europe are attributed by Western governments to Russia, including its military intelligence (GRU) and recruited proxies; around Taiwan and the South China Sea, most reflect China's gray-zone pressure through PLA aircraft and Coast Guard vessels. Other accused states appear case by case, for example Iran or Belarus. Not every incident is state-linked: some are domestic extremism, both right-wing and left-wing. Responsibility is reported as assessed or alleged, never assumed.
Is submarine cable damage always sabotage?
No. Many subsea cable faults are caused by ship anchors, fishing trawls or technical failure, and investigations are often inconclusive. Sabotage Watch records the official cause where stated, frequently under investigation, notes any vessel or actor identified by authorities, and avoids labelling an incident deliberate sabotage unless that has been established.
What is a dossier on Sabotage Watch?
A dossier is the structured write-up attached to each incident. It contains a "What happened" section based only on reported facts and an "Assessment" weighing significance and attribution.
Which regions and countries does Sabotage Watch cover?
Coverage extends to all NATO member states and to Western allies and partners worldwide. The NATO members are Albania, Belgium, Bulgaria, Canada, Croatia, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Lithuania, Luxembourg, Montenegro, the Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Türkiye, the United Kingdom and the United States. It also includes EU partners and Indo-Pacific allies and partners such as Taiwan, Japan, South Korea, Australia and New Zealand. Documented incidents currently concentrate in the Baltic Sea region, the Nordics, Romania and the Black Sea, and around Taiwan and the South China Sea. The interactive map shows every documented incident by location.
Why are there no incidents mapped in Ukraine?
Russia's war of aggression against Ukraine produces near-daily war crimes and related incidents across the country, including its temporarily occupied territories. We cannot presently document that sheer volume with the reliability and depth it demands, so rather than cover it partially we defer to projects dedicated to Ukraine. For comprehensive, continuously updated coverage we recommend:Please also consider supporting Ukraine, for example through United24 or the Come Back Alive Foundation, or by connecting with and volunteering for Ukrainians in your own community.
How accurate are the map coordinates?
All points are best-effort approximations based on the public record and official disclosures rather than surveyed positions.
How current is the data, and how often is it updated?
Incidents are added continuously as cases are confirmed or credibly reported, and existing entries are updated when new official findings emerge.
Can I report or contribute an incident?
Yes. Sabotage Watch welcomes tips and submissions through its contribution page. Suggested incidents are reviewed against the project's standards, namely official-first verification and cautious attribution, before being added as a documented dossier.