War with Iran Raises Proxy Attack Risk and Cyber Threats in Southeast Europe

Iran’s footprint in the Balkans has evolved from modest religious outreach to a sophisticated covert network that exploits the region’s porous borders and under‑resourced security apparatus. Tehran leverages local sympathizers, translates propaganda into regional languages, and embeds operatives in logistics chains, turning the Balkans into a quiet staging ground for intelligence gathering and illicit financing. This shift mirrors a broader Iranian strategy to offset conventional military disadvantages by cultivating proxy capabilities far from its own borders.

The threat materialized in 2024‑2026 through a series of high‑profile incidents. Albanian ministries suffered data breaches attributed to the Homeland Justice hacker group, while the EU’s 2025 Terrorism Situation Report highlighted a surge in Iran‑linked propaganda fueling anti‑Israel sentiment. Balkan governments responded by labeling the IRGC a terrorist entity and aligning with U.S. designations, yet the recent wave of HAYI‑affiliated attacks across five European nations underscores a willingness to conduct precise, politically motivated strikes. These operations focus on state infrastructure and pro‑Western officials, avoiding mass‑casualty scenarios but delivering strategic intimidation.

For enterprises and investors, the convergence of cyber and kinetic threats demands a layered defense posture. Companies should bolster endpoint security, conduct regular threat‑intel briefings, and diversify supply‑chain routes to mitigate potential disruptions. Policymakers must deepen intelligence sharing with NATO and EU partners, targeting the criminal networks that facilitate Iranian logistics. By addressing both the digital and physical dimensions of Iran’s proxy campaign, the Balkans can reduce its attractiveness as a rear‑area sanctuary and safeguard the broader European security environment.