How Iran-Backed Proxy Networks and ‘Gig‑Economy’ Terrorism Are Threatening Western Countries

The aftermath of the recent war involving Iran has sparked significant debate among policymakers, intelligence analysts, and security scholars about how Tehran might respond. While traditional retaliation—through regional proxies or direct military signals—remains a concern, more attention is being given to asymmetric and deniable forms of response. One new idea is that Iran could expand its use of newly formed or rebranded proxy groups designed to obscure attribution while enabling ongoing operations abroad. Among these, Harakat Ashab al-Yamin al-Islamiyya (Islamic Movement of the People of the Right Hand), often called Ashab al-Yamin or HAYI, has attracted particular focus. 

HAYI is a shadowy militant group that appeared in March 2026, claiming responsibility for a series of arson and explosive attacks targeting Jewish, Israeli, and Western interests across Europe. Security analysts and intelligence officials have connected the group to Iranian proxy networks, often describing it as an “astroturfed” or “brand-name” organization, one that may operate less as a traditional hierarchical group and more as a label used to claim attacks, spread fear, and maintain operational ambiguity. This approach allows state actors to distance themselves from direct responsibility while still influencing the threat environment. In this sense, HAYI may represent not just a single group but a broader tactic: creating flexible, deniable identities through which violence can be outsourced and attributed. 

Since our article discussing the rise in terror attacks in Western countries following the joint U.S.-Israeli attacks on Iran, Harakat Ashab al-Yamin al-Islamiyya has carried out two more attacks in Western Europe and allegedly attempted to carry out a third. The first occurred in the United Kingdom, while the second occurred in Belgium. The third incident took place in France.  

These incidents, while limited in scale, are indicative of a broader and more concerning evolution in how terrorist operations are conceived, funded, and executed across borders. Rather than relying on traditional hierarchical command structures, groups appear to be experimenting with decentralized, low-cost, and deniable methods of violence that mirror trends seen in the global gig economy. 

In Paris, authorities have arrested four people, one adult and three minors, after they attempted to plant an IED outside of a Bank of America. French authorities suspect that Harakat Ashab al-Yamin al-Islamiyya was behind the incident. The arrest of the four individuals lends credence to the theory that many of the attacks in Europe have been foreign-directed, likely by Iran. The three minors were allegedly paid 500-1,000 Euros to carry out the attack. Additionally, some reports indicate that the individuals involved were recruited via Snapchat.  

The relatively low payments offered to perpetrators highlight a key aspect of this evolving threat landscape: the commodification of violence. Small amounts of money, when directed at economically vulnerable or impressionable individuals, can be enough to motivate participation in high-risk activities. This dynamic reduces the barrier to entry for terrorism, making it accessible to people who might not otherwise get involved in ideological extremism. Additionally, the use of popular social media platforms like Snapchat emphasizes the challenge law enforcement faces, as recruitment efforts are woven into everyday digital environments that are hard to monitor thoroughly without raising privacy concerns. 

The use of proxies (such as gangs) and social media by governments to carry out attacks in Europe is not new. Multiple Western countries have repeatedly accused Iran of recruiting local criminals to carry out intelligence activities and attacks. The United States also sanctioned Sweden’s Foxtrot gang for its cooperation with Tehran. Russia has also employed social media apps like Telegram to recruit people for acts of espionage and sabotage. These individuals are often seemingly unaffiliated with the recruiters and are primarily motivated by financial incentives. 

The model of proxy recruitment offers several strategic advantages. It provides plausible deniability for state actors, complicates attribution, and reduces the political and military risks associated with direct action. Moreover, by leveraging pre-existing criminal networks, states can tap into infrastructures that already possess the logistical capabilities and local knowledge necessary to carry out operations effectively. The blending of criminality and political violence further blurs the lines between terrorism, organized crime, and statecraft, creating a hybrid threat environment that is more difficult to categorize and counter using traditional frameworks. 

We also observed a similar campaign within Russia, where internet scammers recruit people to perform various actions such as firebombing military facilities, setting off fireworks inside buildings, and damaging ballot boxes. Interestingly, scammers often trick their victims into believing they are part of an operation run by the FSB (Russia’s internal security service). This shows that, even if someone is not ideologically loyal to a group, they could be manipulated or forced into participating in its activities.

This phenomenon reflects an even more insidious evolution: the manipulation of perception and authority. By impersonating state institutions or exploiting trust in official structures, recruiters can compel individuals to act under false pretenses. This tactic not only expands the pool of potential operatives but also introduces ambiguity into the intent behind attacks, making it more difficult for authorities to distinguish between coercion, deception, and voluntary participation. It also raises important legal and ethical questions regarding culpability, particularly when minors or vulnerable individuals are involved. 

Furthermore, European criminal gangs are known to use social media to recruit individuals for contract killings. This has become an increasingly serious issue in countries like Sweden, which is lowering the age of criminal responsibility due to the rising number of young people being recruited to commit gang violence. Importantly, those being recruited do not need to have a connection with the gangs hiring them or the people they’re targeting. These existing networks could be exploited by state or non-state actors to carry out attacks in Europe.

The normalization of “on-demand” violence within criminal ecosystems creates a ready-made marketplace that can be repurposed for political goals. In such an environment, the line between a contract killing and a politically motivated attack becomes increasingly unclear. The same logistical channels—encrypted messaging apps, digital payments, and anonymous recruitment—are used interchangeably by criminal organizations and terrorist groups. This overlap significantly increases the threat, as it enables terrorist groups to avoid long-term radicalization processes and instead depend on transactional relationships. 

The contracting out of political violence is not new. State and non-state actors alike have looked to outsource their violence to insulate themselves from retaliation. The advent of social media and financial technology such as cryptocurrency has made this even easier. Though state actors have primarily employed this method, it is not hard to imagine terrorist groups looking to replicate it. And while the scale of the attacks will likely be limited by the willingness of those being contracted, the outsourcing of terrorism enables non-state actors to expand their operational reach.

In this context, the analogy to the gig economy becomes particularly salient. Just as companies connect clients with service providers on a temporary, task-based basis, emerging terrorist and state-linked networks appear to be experimenting with similar models for violence. Tasks can be distributed, compensated, and executed with minimal direct interaction between planners and perpetrators. This decentralization reduces the risk of infiltration and disruption while enabling rapid scaling of operations across multiple geographic locations. 

At present, this form of outsourcing political violence by non-state actors remains primarily a possibility rather than an emerging trend. However, the concept has already been successfully employed, as demonstrated above. Therefore, the potential “gigification” of terrorism warrants closer examination by both law enforcement agencies and academic researchers. 

Moving forward, counterterrorism strategies will need to adapt to this shifting paradigm. Traditional approaches that focus on hierarchical organizations, ideological indoctrination, and centralized planning may prove insufficient in addressing decentralized, transaction-based models of violence. Greater emphasis will likely be needed on monitoring digital ecosystems, disrupting financial flows—including micro-payments—and strengthening community-level interventions to reduce the pool of vulnerable recruits. Ultimately, understanding and anticipating the “gigification” of terrorism will be essential for mitigating its potential impact on global security. 

Dr. Mahmut Cengiz is an Associate Professor and Research Faculty with Terrorism, Transnational Crime and Corruption Center (TraCCC) and the Schar School of Policy and Government at George Mason University (GMU). Dr. Cengiz has international field experience where he has delivered capacity building and training assistance to international partners in the Middle East, Asia, and Europe. He has also been involved in research projects for the Brookings Institute, the European Union, and various U.S. agencies. Dr. Cengiz regularly publishes books, articles and Op-eds. He is the author of six books, many articles, and book chapters regarding terrorism, organized crime, smuggling, terrorist financing, and trafficking issues. His 2019 book, “The Illicit Economy in Turkey: How Criminals, Terrorists, and the Syrian Conflict Fuel Underground Economies,” analyzes the role of criminals, money launderers, and corrupt politicians and discusses the involvement of ISIS and al-Qaida-affiliated groups in the illicit economy. Since 2018, Dr. Cengiz has been working on the launch and development of the Global Terrorist Trends and Analysis Center (GTTAC) and currently serves as Academic Director and Co-Principal Investigator for the GMU component. He teaches Terrorism, American Security Policy, and Narco-Terrorism courses at George Mason University.

Sean Dilallo is a Graduate Student in George Mason University’s International Security program. He is also a Global Terrorism Analyst at the Global Terrorism Trends and Analysis Center (GTTAC). Sean’s work focuses on militant violence in Pakistan, Nigeria, Mexico, and the Western Hemisphere. Sean holds a BA in Government and International Politics from George Mason University.
