In wake of Ukraine war, US and allies are hunting down Russian spies
The Washington Post February 17, 2023
Among the slumbering passengers on an overnight flight from Miami to Munich last month were two travelers on opposing sides of an espionage takedown.
In one seat was a German citizen who would be arrested upon arrival and charged with treason for helping Russia recruit and run a Kremlin mole in the upper ranks of Germany’s intelligence service. Seated nearby was an FBI agent who had boarded the flight to surreptitiously monitor the suspected operative, according to Western security officials, and make sure that he was taken into custody by German authorities.
The Jan. 21 arrest of Arthur Eller — based largely on evidence that the FBI had assembled during the suspect’s stay in Florida — was the latest salvo in a shadow war against Russia’s intelligence services.
Over the past year, as Western governments have ramped up weapons deliveries to Ukraine and economic sanctions against Moscow, U.S. and European security services have been waging a parallel if less visible campaign to cripple Russian spy networks. The German case, which also involved the arrest of a senior official in the BND, Germany’s foreign intelligence service, followed roll-ups of suspected Russian operatives in the Netherlands, Norway, Sweden, Austria, Poland and Slovenia.
The moves amount to precision strikes against Russian agents still in Europe after the mass expulsion of more than 400 suspected Russian intelligence officers from Moscow’s embassies across the continent last year.
U.S. and European security officials caution that Russia retains significant capabilities but said that its spy agencies have sustained greater damage over the past year than at any time since the end of the Cold War. The magnitude of the campaign appears to have caught Russia off-guard, officials said, blunting its ability to carry out influence operations in Europe, stay in contact with informants or provide insights to the Kremlin on key issues including the extent to which Western leaders are prepared to continue stepping up arms deliveries to Ukraine.
If so, the fallout may add to the list of consequences that Russian President Vladimir Putin - a former KGB officer in East Germany - failed to anticipate when he ordered the invasion of Ukraine.
“The world is quite different for the Russian services now,” said Antti Pelttari, director of Finland’s foreign intelligence service. Because of the expulsions, subsequent arrests and a more hostile environment in Europe, he said, “their capability has been degraded considerably.”
Russia relying on cyberespionage
Russia has sought to compensate for its losses by relying more heavily on cyberespionage, Pelttari and other European officials said. Moscow has also tried to take advantage of border crossings and refugee flows to deploy new spies and replenish its depleted ranks, officials said.
But these new arrivals would be without the protection and advantages of working out of Russian embassies, officials said, and may lack the experience, sources and training of those who were declared persona non grata.
In a possible sign of Russian desperation, officials said, Moscow has attempted to send spies who were expelled from one European capital back to another, probing for vulnerabilities in coordination across the continent’s patchwork of security services.
“We have no illusions that the Russians will keep on trying” to reconstitute networks in Europe, said a senior Western security official who, like others, spoke on the condition of anonymity to discuss sensitive operations. The official said his country and others have shared the identities of those they expelled with other members of the European Union. Of those Russian attempts to reinsert spies, the official said, “none that we are aware of were successful.”
The German case has heightened anxieties about lingering vulnerabilities in Europe, showing that even amid the post-Ukraine crackdown, Moscow was getting a steady stream of classified files from inside one of Europe’s largest intelligence services, Germany’s BND. Berlin has downplayed the damage in conversations with allied services, but the accused mole had access to highly sensitive data, security officials said.
A month before Eller’s arrest in Munich, German authorities had also arrested Carsten Linke, 52, who was in charge of a unit responsible for internal BND security with access to the personnel files of agency employees, officials said. He had previously spent years working at a sprawling facility in Bavaria responsible for technical collection operations targeting global information networks.
Germany only discovered the penetration with the help of an allied Western service that BND officials have refused to identify. In September, a joint operation revealed that Russian intelligence agencies had gained possession of classified BND documents, setting in motion a mole hunt that quickly focused on Linke.
A lawyer for Linke did not respond to requests for comment.
The severity of the breach prompted the United States, Britain and other governments to curtail intelligence-sharing with Berlin, officials said.
“Every single service is doing their own damage assessment,” said a senior intelligence official in Northern Europe. “You think, ‘What information did we share with them? Was that information available to [Russia’s agent]?’”
The Germans also confronted other difficult questions, including whether Linke had an accomplice. German officials began scrutinizing his relationship with Eller, a 31-year-old gem and metals trader who was born in Russia and lived in the same region of Bavaria where Linke had spent much of his career.
German media reports have said that Linke and Eller met in 2021 at a social event. But in recent interviews with The Post, officials said there are indications that the two were introduced by a member of Germany’s far-right Alternative for Germany, or AfD, party, raising the prospect that Linke may have been motivated by radical political views.
Eller’s work seemed to require near-constant travel — 110 trips last year alone, according to a person familiar with the investigation — with records showing that he had frequently traveled to Moscow.
Eller was “pretty fast identified as a possible co-conspirator,” said a senior German security official involved in the investigation. But by early November, he had departed to Florida with his wife and young daughter for a lengthy visit with his wife’s relatives in Miami, the person familiar with the investigation said.
Eller returned to Germany in December as part of an international business trip. When Linke was arrested on Dec. 21, Eller received a call from a contact in Russia’s Federal Security Service (FSB) — the main successor to the KGB — warning him that he was in danger and urging him to fly to Moscow, the person said.
Instead, Eller departed again for Florida on Christmas Day, the person familiar with the case said. Remarkably, German authorities made no attempt to prevent him from leaving. “The evidence we had gathered was not enough to arrest him,” the German security official said.
A crash investigation by the FBI changed that.
After learning that Eller was under scrutiny in the BND breach, the bureau kept him under near-constant surveillance. Agents monitored Eller’s movements and communications, while German authorities provided a stream of information about their own unfolding investigation, officials said.
Eller’s hectic travel schedule came to an abrupt halt on Jan. 12, when he sought to board another flight to Munich and was intercepted at the Miami airport by FBI agents, said the person familiar with the case. A senior FBI counterintelligence official described the contact as an “overt approach,” a potentially risky maneuver that paid off unexpectedly.
Eller agreed to undergo questioning by FBI agents at a nearby facility, and to surrender devices including a laptop and cellphone, according to the person familiar with the investigation. He cast himself as affiliated with the BND, the person said, and proceeded to reveal startling details, including that he had carried classified BND files to Russia and returned with envelopes that he believed contained large sums of cash for Linke, and that he had been in contact with officers from the FSB.
Eller’s attorney declined to comment. It is not clear why Eller volunteered so much information, but he has been casting himself as a victim of Linke’s manipulation, according to the person familiar with the case. That person said Eller claims he thought he was working for the BND, and Eller has said his cooperation with the FBI reflected his desire to help investigators. Agents also spoke with Eller’s wife and her brother in Florida, the person familiar with the investigation said.
German officials reject any characterization of Eller as being duped. Eller admitted to the FBI and German investigators that “he had been the one who asked Linke to commit the espionage acts,” the senior German security official said.
A senior U.S. official said the Justice Department weighed whether to file charges against Eller but officials saw no evidence that he had committed a serious crime in the United States and opted to have him return to Germany, where the case against him was stronger. Eller was ordered to leave the country, and FBI agents escorted him to the gate for his departure, according to the person familiar with the investigation, who said that Eller’s laptop and phone were not returned to him.
Armed with the information gleaned by the bureau, German authorities were waiting at the Munich airport on Jan. 21 with an arrest warrant issued two days earlier.
Linke is accused of abusing his BND authority to help Eller cross German border checks with classified files and cash. The person familiar with the investigation said that a separate BND official, apparently acting on orders from Linke, would assist Eller through the Munich airport by helping him bypass customs inspections.
Investigators have uncovered at least four payments that Eller brought to Linke, totaling about $100,000, officials said. Other aspects of the case remain a mystery, including the purpose of repeated trips Eller made between New York and Moscow. Attempts by The Post to reach Eller’s wife or her relatives in Florida were unsuccessful.
Concealing any connection to Russia
While the German case centers on a European accused of betraying his country for the Kremlin, others have involved Russian nationals seeking to infiltrate the West.
Among them are so-called “illegals” sent abroad not as diplomats — with accompanying legal protections — but under more elaborate cover arrangements designed to conceal any connection to Russia.
Authorities in the Netherlands last year confronted a passenger who presented a Brazilian passport when he arrived at Schiphol Airport in Amsterdam, having accepted a position as an intern at the International Criminal Court. In reality, he was a Russian military officer named Sergey Cherkasov who had been sent overseas more than a decade earlier by Russia’s GRU spy agency, its main military intelligence service, according to officials and court records.
Cherkasov had spent years living in Brazil and constructing an identity as Victor Muller Ferreira using fraudulent documents. He went on to earn degrees at Trinity College in Dublin and Johns Hopkins University’s School of Advanced International Studies in Washington before securing an internship offer from the international court now investigating allegations of Russian war crimes in Ukraine.
Turned back by the Netherlands, Cherkasov is now serving a prison sentence in Brazil after being convicted of charges including document fraud. Russia has denied he was a spy, but has sought his return by claiming he is a wanted drug criminal and asking Brazil to extradite him.
In October, authorities in Norway arrested an accused Russian spy under similar circumstances. The suspect had posed as a Brazilian researcher focused on Arctic security issues at a university in northern Norway, credentials that enabled him to gain access to European experts and officials. Like Cherkasov, Mikhail Mikushin was a Russian “illegal” who had spent years abroad developing an elaborate cover for his GRU assignment, according to Norwegian authorities.
The pace of arrests and exposures has been driven in part by increased cooperation among European services, officials said, as well as a post-Ukraine shift in mind-set in countries, including Germany, long criticized by some of their European neighbors as too complacent about the threat from Moscow.
“February of 2023 is not the same as February of 2021 or 2019,” said a senior Western intelligence official. After Russia’s invasion of Ukraine, “there just isn’t as much tolerance or as much space” in Europe.
Senior officials described whack-a-mole-like efforts to keep Russian services from restocking European embassies with spies. In a speech last year, Ken McCallum, director of Britain’s MI5 domestic service, said the British government had “refused on national security grounds over 100 Russian diplomatic visa applications” since 2018, when Britain expelled 23 suspected Russian spies in retaliation for the poisoning of a defector in Salisbury, England.
As a result of such pressure, Western officials said they have also seen signs that Russia’s intelligence services are making decisions they would have avoided in the past — making operatives more vulnerable to detection.
“Our work has revealed Russian agencies raising their risk tolerances,” said the senior FBI counterintelligence official, though he declined to provide specifics. In some cases, he said, “their actions to me show desperation.”
The crackdown has also been fueled by U.S. intelligence. Seeking to take advantage of Moscow’s vulnerability, the CIA and FBI have stepped up flows of intelligence to services across Europe to root out Russian penetrations, officials said. Even before the arrests in Germany, authorities in Sweden, Norway and other countries had cited contributions from U.S. intelligence in their arrests of GRU illegals and disruptions of related networks.
The full impact of the damage to Russia’s spy networks in Europe is difficult to assess.
Security officials in Finland and Sweden, for example, said they have been surprised at how little effort Russia put toward disrupting those countries’ applications to join NATO.
“It was remarkably quiet in the springtime” as Finland submitted its paperwork, said Pelttari, the Finnish spy chief.
To some, it was a sign that Russia’s capabilities had been degraded and that its services were preoccupied with the Ukraine war effort, which has exposed major failings by the FSB and other agencies. But officials said it may also reflect recognition by Moscow that public support for joining NATO was so overwhelming that seeking to shift opinion or disrupt the process was a lost cause.
Russia was suspected of involvement in other cases that raised anxieties in Europe last year, although evidence of direct links to Moscow has so far proved elusive.
Norwegian authorities made multiple arrests in cases of suspicious surveillance activity involving drones last year, raising fears that Russia was targeting critical infrastructure. But those who were detained have since been released, and authorities now believe many were innocent hobbyists.
Mail bombs sent late last year to government officials and other targets in Spain, including one that injured a Ukrainian Embassy official, triggered fears that Russia was mobilizing a network of far-right militants to sow terror. Last month, however, Madrid announced the arrest of a 74-year-old Spaniard who opposed his country’s support for Ukraine but appears to have acted alone. A statement issued by Spain’s investigating magistrate said there was “no indication that the person under investigation belongs to or collaborates with any terrorist gang or organized group.”
There are more recent signs, however, that Russia’s spy agencies continue to meddle in Europe.
Over the past month, Lithuania has endured a wave of online operations targeting Ukrainian refugees. The first involved “phishing” emails that were sent out to local agencies, nonprofits and even hotels with attachments seeking the names and addresses of Ukrainians they had encountered.
The messages were falsely sent under the guise of Lithuania’s migration authority, prompting a scramble by public officials to disavow the emails and reassure Ukrainians there was no government effort to track them.
A follow-on email campaign involved phony messages purportedly from the Ukrainian Embassy asserting that Lithuania was helping to locate military-aged males to send back into the conflict. Lithuania’s security services attributed the attack to an unidentified “Russian cyber actor.” Data on refugees could be used to harass them or even blackmail those with relatives trapped in parts of Ukraine occupied by Russia.
But a senior Lithuanian official said the more likely goal was to sow distrust between refugees and host governments. The messages were intended to make Ukrainians worry “that they are not safe and secure here,” the official said, with a possible secondary goal of “tying up the resources of our institutions.”
The Washington Post’s Cate Brown in Washington and Gabriela Sá Pessoa in São Paulo, Brazil, contributed to this report.