Global Risk Hub | S-RM

Qtr 2, 2026 | Outsourcing violence: The rise of transnational VaaS networks

Written by Shannon Lorimer | Jul 1, 2026 3:22:18 PM

Violence as a Service (VaaS) networks have proliferated over the past year, in which kidnapping, extortion and assassinations, among other crimes, are commissioned, brokered and carried out transnationally. Shannon Lorimer argues that these fragmented chains complicate law enforcement detection, exposing private companies to new security and commercial risks.

In April 2026, European law enforcement authorities announced the arrest of around 280 people across 11 countries over suspected links to transnational violence‑as‑a‑service (VaaS) networks. VaaS has proliferated through a convergence of factors, including increased digitisation, the operational deniability afforded to those commissioning attacks, and the transnational nature of these networks. This makes them highly scalable, and leaves local authorities poorly positioned to detect or disrupt their activity. As a result, VaaS models are being increasingly adopted by a diverse range of criminal actors to carry out various crimes, including assaults, arson, intimidation, and in extreme cases, contract killings. In addition to exacerbating organised crime dynamics in regions such as Europe and North America, the expansion of VaaS networks has significant commercial implications, as companies and businesses face a growing risk of being targeted.

From instigator to assailant

The complex and decentralised nature of VaaS – which European authorities define as the outsourcing of violent acts to criminal service providers – is typically organised around four key roles. An instigator first commissions and finances the crime, often from abroad. The task is then picked up by a recruiter who uses coded language, memes, and gamified tasks across social media, messaging apps, and the dark web to identify an enabler. The enabler mobilises the crime by providing the perpetrator with tools, logistical support and finances to carry out the act. The use of encrypted and anonymised platforms makes it significantly harder for law enforcement to trace and link these actors. In many cases, recruiters deliberately target minors with no prior criminal record to avoid triggering adult criminal thresholds, and perpetrators are sometimes brought in only days before an attack with limited understanding of the underlying motive. This increases the risk of collateral damage to bystanders or nearby property, as attacks are often carried out by inexperienced individuals unfamiliar with the target area or intended victim. Meanwhile, instigators remain insulated from both the operational stages of the plot and the legal risks borne by perpetrators, protected by the opaque chain of intermediaries involved.

 The VaaS process  

VaaS instigators range from organised crime groups and state‑linked proxies, including those associated with Iran, to individuals with personal or commercial grievances against specific companies and organisations. On the other end of the operating chain, there have been cases of would‑be perpetrators advertising their services to potential recruiters on online forums; on one Russian‑language forum, an individual offered services including grievous bodily harm for USD 5,000, while another offered USD 10,000 to carry out an arson attack on a target’s apartment. In neither case was it clear where these individuals were located, underscoring the difficulty of pinpointing and disrupting the various stages of the VaaS process.

VaaS across borders

Law enforcement agencies have identified growing VaaS networks across northern and western Europe, often linked to criminal networks in Sweden, Belgium, the Netherlands, and Germany. The online nature of these services allows actors to operate across multiple jurisdictions, creating enforcement gaps that are difficult for locally bound police forces to address. In response, Europol has established the Operational Taskforce (OTF) GRIMM, supported by authorities in countries such as Sweden, Belgium, Denmark, France and Germany, highlighting the scale and cross‑border nature of the threat.

In parallel, VaaS activity has expanded in the US over the past two years, where networks have used similar methods to target commercial entities – particularly in the retail, hospitality, and professional services sectors – through robberies, vandalism, and coordinated harassment and extortion campaigns, often orchestrated from overseas and exploiting the same jurisdictional and attribution challenges.

Case Studies

Chicago, US

In late 2024, a restaurant chain in Chicago, Illinois, was repeatedly targeted with extortion demands, with the perpetrators posting adverts on darknet VaaS boards threatening physical attacks if the chain failed to pay a USD 15,000 fee per location. Two sites reported smashed windows and threatening messages spray-painted on their walls, prompting closures and the deployment of heightened security measures. The disruption led to lost revenue and emergency board-up costs exceeding USD 60,000. The FBI later traced the adverts to a criminal cell operating out of Eastern Europe. The incident appears to have been primarily financially motivated.

Hamburg, Germany

In January 2026, police arrested a 15‑year‑old assailant and a 26‑year‑old facilitator from the Netherlands in connection with the shooting of a Russian‑linked target in a restaurant in Hamburg, Germany. The target was allegedly connected to a Chechen organised crime ring attempting to seize control of a human trafficking operation. According to investigators, the 26‑year‑old coordinated the assassination attempt, while the 15‑year‑old, who had been recruited via social media and received unexplained deposits into his bank account in the months before the attack, carried out the shooting. Police are continuing to investigate the facilitator’s role and to map any links to higher‑level recruiters and networks.

Debugging the VaaS threat

The growth of VaaS networks presents new challenges for law enforcement, requiring closer cooperation with digital platforms to detect and disrupt recruitment activity. While some platforms have begun engaging with Europol’s OTF GRIMM, others have yet to cooperate, limiting the task force’s ability to operate effectively. Addressing the threat will also require more consistent real‑time coordination between national police forces, alongside deeper collaboration with businesses and private security providers to improve incident reporting, situational awareness, and intelligence sharing. As cross‑border execution of VaaS continues to expand, it is likely to pose an increasing risk to businesses, exposing them to revenue losses, property damage, and significant reputational harm.