Threat Outlook 2026: Hybridized Threats Across Domains

Emerging Risks at the Intersection of Cyber, Physical and Information Warfare

Introduction

While Greenland remains safe from military action for now, the rapidly evolving situation and declining trust within NATO and between Europe and the United States highlight ongoing volatility. Stability may be temporary, as alliances can shift quickly. This underscores the importance of building resilient systems and ensuring independence, sovereignty, and ownership of infrastructure, data, software, and tools to secure essential services.

Last year began with significant momentum. Before taking office, President Trump discussed territorial expansion and sent his team, family, and the Vice President to Greenland. This pace of development continues.

In the first week of the year, the U.S. ousted President Maduro in Venezuela. Tensions over Greenland escalated, threatening longstanding alliances. As a Nordic company, we closely monitor developments in Greenland and Venezuela, as well as the actions of major powers, including those led by authoritarian regimes that may exploit these situations. Meanwhile, protest movements in Iran face violent crackdowns, the U.S. response is increasing tensions and risk of war in the region, and the war in Ukraine continues.

At Revontulet, we monitor the geopolitical landscape, recognizing that threats rarely exist in isolation. Our intelligence model enables us to understand the actions of both state and non-state actors, including informal networks and organizations that may evade detection but pose significant risks. Through this approach, we help clients, from individuals to major corporations, mitigate risk and navigate an increasingly complex global threat environment.

We continue to monitor and assess developments.

In this report, we outline key risks that will shape the coming year and should be on your radar.

To learn more about Revontulet and how we can assist you in addressing emerging threats in this increasingly complex environment, contact us to schedule a call with our team.

Key Findings

  • Geopolitical instability is compounding threats. Eroding alliances, territorial ambitions, and ongoing conflicts are fuelling increased activity among militias, cartels, terrorist groups, and PMCs, often operating alongside state actors.

  • Digital sovereignty is a security imperative. Weaponisation of digital services, AI data-leakage risks, and declining global trust are driving urgent demand for sovereign, European-hosted infrastructure.

  • State-sponsored terrorism is merging with organised crime. "Terrorism for hire," state-directed assassinations by criminal networks, and shared financial models are blurring the boundaries between state operations, crime, and extremism.

  • Children face escalating cross-domain targeting. Networks blend child exploitation with violent extremism, while organised crime groups exploit minors for serious violence because they are below the age of prosecution.

  • Critical infrastructure attacks are an operational reality. Baltic subsea sabotage and state-sponsored cyber campaigns demonstrate that attacks increasingly span cyber, physical, and financial domains simultaneously.

  • Democracy and political figures are under multi-domain threats. Rising physical threats to officials, AI-driven information operations, and attempts at voter intimidation and attacks on electoral infrastructure are converging.

  • Regulation is shifting from legislation to enforcement. AMLA, DSA, and NIS2, which bring 300,000 European entities into mandatory scope, are coming into force.

  • AI is accelerating threats across every domain. Generative AI has lowered barriers for disinformation, synthetic CSAM, and social engineering, and adaptive malware is outpacing most organisations' defensive capacity.

  • Threats do not exist in silos. Financial crime funds terrorism, cybercrime enables state operations, and online extremism drives offline violence, making cross-domain, network-level intelligence essential.

Political Instability Leads to New Threats

Heightened geopolitical security concerns add to existing challenges, including Russian expansion in Ukraine, ongoing conflicts in the Middle East and Africa, rising tensions in Southeast Asia, and global efforts to undermine democracy and increase polarization.

The breakdown of norms, erosion of trust among allies, declining faith in a rules-based order, and misuse of legal systems for authoritarian purposes contribute to instability and unpredictability. These factors significantly impact both international and domestic threat landscapes.

Due to global instability, we expect increased activity among militias, cartels, criminal organizations, terrorist groups, PMCs, and other non-state actors, sometimes working with state actors. This will likely result in greater violence and insecurity affecting civilian infrastructure, businesses, industry, tourism, and shipping.

Threats of military action, breaches of alliances, and the imposition of tariffs and financial sanctions further destabilize politics, security, and markets. This erosion of trust increases tensions and lowers the threshold for conventional and unconventional actions.

These dynamics threaten electoral integrity and democratic institutions, fuel cyber and information warfare, and increase covert operations and attacks on critical infrastructure and political figures. The use of criminal networks for state-sponsored attacks further complicates detection and mitigation.

In this environment, understanding the behaviors of both state and non-state actors, including extremist and criminal networks, is essential. Through analysis, data-driven intelligence, and trusted services, we help citizens, leaders, governments, and businesses protect their interests.

Tech and Data Sovereignty

On his first foreign trip as Vice President, J.D. Vance spoke at the AI Action Summit in Paris and at the Munich Security Conference. After this, the impact was felt across Europe, with a renewed focus on digital sovereignty, data, and AI investment.

Since then, the need for digital security and sovereignty has increased.

Over the past year, we have seen attempts to sanction both members of the International Criminal Court and leaders working to enforce the European Digital Services Act and tackle disinformation. Cybersecurity, digital infrastructure, policy, and internet governance are a frontier battleground.

Information warfare and cyberattacks are already increasingly frequent in elections, daily life, and the operation of critical infrastructure. 

Denial of access to services is often weaponized at the national level during elections, protests, and periods of tension. It is also used during international conflicts.

As global trust declines, data security, cybersecurity, and digital sovereignty are essential. Relying on tools and services managed by potential adversaries poses significant risks to sovereignty.

The risks associated with AI and data are significant when generic and commercial AI, including large language models, are used in intelligence and security workflows. These models may access confidential information that could be used for training or leaked. We are concerned this will shape the future of intelligence agencies, companies, and national security organizations as barriers between technology and government continue to erode.

As demand for training data grows, respect for intellectual property, trade secrets, and sensitive data is declining, increasing related threats. This may lead to greater distrust of data service and infrastructure providers that rely on safety policies rather than safety by design. International regulations and policies governing data flows, along with discrepancies between national frameworks for data storage and transit, are critical to protecting sensitive information. Organizations with high data-safety requirements must consider these factors when selecting vendors and designing systems.

At Revontulet, this has informed our decision to move data and infrastructure to domestic and trusted providers in Europe and Norway. This gives our clients and us greater peace of mind and lowers the risk of leaks, breaches, government overreach, and interference. Our clients in Europe and overseas can trust that their data is protected to the highest standards within a stable democracy with a strong judiciary.

With rising geopolitical instability, weakening institutions, and the risk of companies infringing on intellectual property and data protection to train AI models, we expect a stronger global focus on data sovereignty and security.

Sabotage, State-Sponsored Terrorism & Hybridization With Organized Crime

The boundaries between organized crime groups acting on behalf of state actors and other non-state actors, including militias, cybercriminals, PMCs, and terrorist networks, are becoming increasingly blurred. As geopolitical tensions rise, so does the willingness to use rogue actors to fulfill state interests through sabotage, cybercrime, organized crime, mercenaries, armed groups, or terrorism.

Sabotage targeting critical infrastructure, aviation, and maritime resources ranks high on the European security agenda. This has been felt especially in the apparent sabotage operations against subsea pipelines in the Baltic, infringements on NATO airspace by Russian jets, drone operations near civilian and military airports, and activities associated with the so-called Russian “shadow fleet.”

In recent years, we’ve observed an increase in “terrorism for hire,” where organized crime groups carry out attacks, including bombings, assassinations, and attempted murders, on behalf of state actors. In some cases, minors involved with organized crime have carried out these attacks.

In parallel with criminal groups conducting terrorist attacks, extremist organizations have evolved by copying strategies, behaviours, and operational and financial models from organized crime.

Leading figures in terrorist cells and extremist movements frequently have deep roots in organized crime communities. This applies both to far-right figures and to Islamic-inspired terrorists, among them people central to the execution of attacks in Europe throughout the last decade.

Hybridization between organized crime and terrorism also has a financial impact, where terrorist organizations and organized crime coexist in illicit economies. Trade and trafficking of illegal goods and the economies surrounding drugs, oil, arms, and human trafficking play a significant role in financing terrorism, as do extortion, fraud, and other financial crimes.

Understanding the evolving behaviors of criminal networks and organizations is essential to addressing these threats.

We anticipate an increase in the overlap and hybridization between state interests, organized crime, and terrorism.

Targeting of Children and Youth

The exploitation of children and young people online remains one of the most serious issues of the digital age. In the first half of the 2020s, we observed a significant shift: a growing convergence of child sexual abuse material (CSAM), violent extremism, and organized online communities that view the abuse and coercion of minors as an objective.

In 2025, we dedicated significant effort to monitoring and assisting clients in addressing the increasing overlap between child abuse and violent extremism. We have closely followed networks associated with 764 and The Com, which are loosely organized but highly active online communities linked to misanthropic and nihilistic violent extremism (M/NVE). These groups recruit and groom minors, coerce them into producing self-harm and abuse content, and in some cases, direct them toward offline violence. Their operational model targets the most vulnerable, children struggling with identity, isolation, or mental health, and exploits their vulnerabilities.

Beyond online communities, we also see the use and abuse of children by offline organized crime groups. This has been demonstrated in Europe, where children have been exploited in carrying out serious crimes, including violent crimes using firearms and explosives. The strategic objective is for organized crime to abuse vulnerable individuals below the age of criminal prosecution. This allows perpetrators to be quickly redeployed and reduces criminalization and legal scrutiny facing the group, compared to cases that go to trial.

Coercion and extortion of minors, sometimes referred to as "sextortion," has become a revenue-generating activity for criminal actors who also engage in fraud, hacking, and other illicit operations. 

Traditional content moderation, which focuses on known CSAM material and established indicators, faces increasing challenges with networks that operate across platforms, use coded language, and evolve rapidly. For law enforcement, the hybridization of abuse and extremism complicates investigation and prosecution. For parents, educators, and society, the scale and sophistication of these threats require greater awareness and intervention than current systems can provide.

We expect intensified targeting of children and youth by extremist groups seeking to radicalize and by criminals exploiting young people's vulnerabilities for profit. This is a critical area where intelligence-driven intervention saves lives.

Targeting of Critical Infrastructure

The targeting of critical infrastructure—including energy systems, telecommunications, transport networks, water treatment, health services, and digital infrastructure—has shifted from theoretical concern to operational reality across Europe and beyond. In 2025, attacks, reconnaissance, and sabotage accelerated. The scope of targeting expanded, attacks became more sophisticated, and state-aligned actors grew increasingly brazen.

Subsea infrastructure in the Baltic and North Seas remains a focal point. The apparent sabotage of undersea pipelines and telecommunications cables, incidents attributed to state-adjacent actors, has underscored the vulnerability of the physical infrastructure that underpins European connectivity and energy security. Russia's so-called "shadow fleet" of aging tankers, used to circumvent oil sanctions, continues to pose environmental and security risks in Nordic waters. At the same time, drone operations near civilian and military airports, GPS spoofing in critical maritime chokepoints, and the intrusion of hostile aircraft into NATO airspace have all contributed to a heightened security posture across the region.

Cyber operations against infrastructure have similarly intensified. State-sponsored groups, including Russian APT28, Chinese APT41, and Iranian-affiliated actors, are actively conducting reconnaissance and intrusion campaigns against European energy, transport, and telecommunications infrastructure. The breach of Norway's Risevatnet dam, in which attackers remotely opened a discharge valve via an exposed control panel, served as a stark reminder that the consequences of successful attacks on operational technology are not limited to data theft but can extend to physical harm and environmental damage.

Infrastructure targeting is complex because it spans multiple domains. Campaigns often combine cyber intrusions, physical sabotage, financial disruption, and information operations, orchestrated by networks that blend state interests with organized crime, mercenaries, and hacktivist proxies. Addressing these threats requires intelligence that links technical indicators to adversarial networks, motivations, sponsors, and evolving tactics.

European regulation is catching up. NIS2 brings approximately 300,000 entities into scope across the EU, with Norway implementing corresponding provisions under the updated Security Act. The total defence doctrine (totalforsvaret) further integrates civilian infrastructure operators into the Norwegian national security framework, making threat intelligence not merely a prudent investment but a regulatory and national defence requirement.

At Revontulet, we provide cross-domain intelligence to help infrastructure operators navigate this threat landscape. We connect cyber campaigns to the groups and criminal networks behind them, monitor threats across physical and digital domains, and deliver intelligence products. We expect further escalation ahead and are strengthening our intelligence capabilities accordingly.

Threats Against Democracy, Electoral Infrastructure, Candidates, and Officials

Democratic institutions, electoral infrastructure, and individuals who serve in elected and appointed positions face an increasingly complex threat landscape.

The convergence of foreign interference, extremism, cyber operations, and physical threats against political figures has created a security environment in which elections are no longer just political events; they are targets for adversarial action across multiple domains.

The early weeks of 2026 have already demonstrated this dynamic. Elections are conducted amid heightened information operations, with foreign actors seeking to influence public opinion. In the United States, the 2026 midterm elections are shaping up to be contentious, with early indicators suggesting that candidates may face not only political opposition but coordinated online harassment, threats, physical attacks, and attempts at intimidation.

The threat to individuals in public life is acute and worsening. In 2024, U.S. Capitol Police received over 700 reports of threats against congressional members, including 50 cases of false 911 calls attempting to get police to respond to the homes of lawmakers (swatting). Threats against business and political leaders underscored the vulnerability of public figures to violence inspired or coordinated through online networks. In Europe, threats against politicians, candidates, and officials have also risen, driven by polarisation, extremist mobilisation, and the ease with which online rhetoric can translate into offline targeting.

Electoral infrastructure itself is a target. Cyber operations against voter registration systems, election management platforms, and results reporting infrastructure are now an expected feature of election cycles globally. We also see increased threats against physical election locations, including attempts to bar voters from entering, intimidation by political opposition and state-backed forces, and more.

Information operations, including deepfakes, coordinated inauthentic behaviour, and weaponised leaks, aim to undermine public trust in electoral outcomes, sometimes with the explicit goal of delegitimising results before votes are cast. The accessibility of generative AI tools has lowered the barrier to producing convincing disinformation at scale, leading to a significant escalation in deepfake fraud attempts.

What makes these threats particularly challenging is their cross-domain nature. A foreign intelligence service may sponsor information operations while simultaneously cultivating relationships with domestic extremist groups capable of physical violence. A coordinated online harassment campaign against a candidate may overlap with cybercrime operations targeting their staff or donors. Understanding and mitigating these threats requires intelligence that spans domains, linking information operations to their sponsors, connecting online threats to offline actors, and mapping the networks that enable both.

At Revontulet, our counter-terrorism origins and cross-domain intelligence model make us uniquely equipped to support the protection of democratic institutions and the individuals who serve them. We monitor the networks that pose threats to democracy, and provide the intelligence that candidates, officials, parties, and governments need to secure electoral integrity and protect public life.

With elections scheduled across multiple continents and geopolitical tensions at their highest level in recent memory, we expect threats to democracy, electoral infrastructure, and political figures to be among the defining security challenges of the year.

Regulation of Digital & Financial Services

The regulatory landscape for online platforms and financial services is shifting to a new phase of enforcement and expansion. Where the focus was previously on policy development and legislative drafting, we are now entering an era of active supervision, investigation, and enforcement. For organizations in these sectors, the move from regulation on paper to regulation in practice will be a defining development in 2026.

In the financial sector, the EU's Anti-Money Laundering Authority (AMLA), operational since July 2025, is moving from establishment to direct supervisory action. The EU AML Single Rulebook, entering into force in July 2027, will harmonise anti-money laundering obligations across all member states, closing the gaps that criminal networks have long exploited through jurisdictional arbitrage.

Evaluations continue to pressure national regulators to demonstrate effective implementation, not merely legislative compliance. At the same time, sanctions regimes remain in flux — the war in Ukraine and evolving geopolitical alliances are constantly reshaping the sanctions landscape, requiring real-time intelligence to maintain compliant operations.

For online services, the Digital Services Act is transitioning from framework to enforcement. The European Commission has opened formal investigations into multiple major platforms. The Terrorist Content Online Regulation continues to impose its removal mandate, with member states empowered to issue removal orders and cross-border cooperation requirements placing operational demands on platforms. NIS2 extends cybersecurity obligations to digital infrastructure providers, adding another layer of compliance requirements.

The illicit economies that underpin financial crime, drug trafficking, arms dealing, human trafficking, fraud, and corruption are themselves evolving. Cryptocurrency and decentralised finance have introduced new laundering typologies that traditional compliance tools struggle to detect. Trade-based money laundering remains one of the most significant and least addressed channels for illicit financial flows. Terrorist financing continues to adapt, leveraging novel payment methods, crowdfunding, and cross-border transfers that exploit regulatory gaps.

For our clients, the implications are clear: compliance now requires more than basic checklists and watchlist subscriptions. Regulators expect organizations to demonstrate a genuine understanding of their risk exposure, including identifying threats, understanding illicit network operations, and taking proactive measures to detect and disrupt criminal activity. This is the intelligence Revontulet provides.

Our cross-domain intelligence enables organizations to understand how corruption connects to sanctions evasion, how terrorist financing intersects with organized crime, and how cybercrime infrastructure supports financial fraud across online platforms and financial systems. As enforcement intensifies and the consequences of non-compliance increase, we expect demand for intelligence-driven compliance to grow significantly.

AI Threats

The rapid growth of artificial intelligence tools, combined with evolving cyber threats, is reshaping the threat landscape faster than most organizations can respond. The volume, sophistication, and accessibility of AI-enabled threats will challenge every sector we monitor.

The most visible manifestation is the sheer volume of AI-generated content deployed for malicious purposes. Generative AI has dramatically lowered the barrier to producing convincing disinformation, synthetic media, fraudulent communications, and social engineering attacks. Influence campaigns that once required significant state resources can now be conducted by small teams or individuals with access to commercial AI tools. Deepfake video and audio are being used for fraud, extortion, and political manipulation at a scale that was technically impossible just two years ago. The result is an information environment in which distinguishing authentic from synthetic content is becoming progressively harder for platforms, institutions, and individuals alike.

In the cyber domain, AI is being leveraged by threat actors to accelerate every stage of the attack lifecycle. AI-assisted vulnerability discovery, automated exploitation, and adaptive malware that evolves to evade detection are no longer theoretical concerns but observed realities. Ransomware operations have become more sophisticated, with AI-powered targeting enabling attackers to efficiently identify the most vulnerable and lucrative targets. Phishing campaigns are now generated at scale with linguistic and contextual quality that renders traditional detection methods less effective.

The exploitation of AI for generating child sexual abuse material and non-consensual intimate imagery represents one of the most disturbing applications of this technology. Generative models capable of producing realistic synthetic imagery have been adopted by abuse networks to produce, distribute, and trade material that harms real individuals. This development has alarmed law enforcement, child safety organisations, and technology platforms, but regulatory responses remain insufficient relative to the scale of the threat.

At the same time, integrating AI into defensive and intelligence workflows introduces its own risks. Organisations adopting commercial AI and large language models for security, compliance, and intelligence functions must contend with the risk of data leakage. Sensitive information used in AI workflows may be retained, accessed, or exfiltrated through interactions with models. The erosion of barriers between technology companies and government further complicates data governance, as models trained on commercial data may inadvertently process or expose classified or sensitive information.

For Revontulet, AI is both a tool and a threat domain. We leverage AI capabilities, including multimodal analysis, content matching, behavioural detection, and RAG-based querying of our graph database, to enhance our intelligence operations. At the same time, we monitor how adversarial actors adopt and exploit AI, tracking the evolution of AI-enabled threats across all domains we cover.

We expect AI-enabled threats to increase in volume and sophistication, from state-sponsored influence campaigns to cybercriminal operations and the exploitation of women and children through synthetic media. Organizations best positioned to address these challenges will have intelligence capabilities that span these domains and understand how AI is transforming the threat landscape. This is our focus, and we believe our intelligence will be increasingly essential.
