A definition, not an accusation
Hybrid CoE (the European Centre of Excellence for Countering Hybrid Threats, an intergovernmental body based in Helsinki) defines a hybrid threat as an action, carried out by a state or non-state actor, that aims to weaken a target by influencing its decision-making — at the local, regional, national or institutional level. The Council of the European Union specifies that these actions combine several means at once: information manipulation, cyberattacks, economic pressure, discreet political maneuvering. This report describes that combination mechanism — it doesn't name any specific actor.
Source: Hybrid CoE · Council of the European Union, "Hybrid threats" page.What characterizes the mechanism
The combination
A single isolated tool (a cyberattack, a piece of false information) isn't a hybrid threat. It's the combination of several means, coordinated toward one goal, that defines it.
The threshold
These actions deliberately stay below the threshold that would trigger a classic, clear-cut response — that's part of the mechanism, not chance.
The ambiguity
Attribution is often hard to establish with certainty, which complicates the response and is built into the calculation of the actor behind the action.
The broad target
Institutions and infrastructure, but also public opinion and citizens' trust in information, can be targeted simultaneously.
FIMI: information manipulation as a tool
The European diplomatic service (EEAS, the European External Action Service) proposed the term FIMI in 2021 — Foreign Information Manipulation and Interference — to describe behavior, most often not illegal in itself, but deceptive and coordinated, aimed at influencing a decision or perception. ENISA and the EEAS jointly published an analysis of the link between FIMI and cybersecurity, documenting how these campaigns sometimes rely on compromised digital infrastructure to amplify their reach.
Source: ENISA & EEAS, Foreign Information Manipulation and Interference (FIMI) and Cybersecurity — Threat Landscape.Why this mechanism can land in a text message
ENISA's latest annual threat-landscape report documents a phenomenon it calls "hacktivism-as-cover": disinformation campaigns that sometimes overlap with operations that look purely criminal, with spikes in activity observed around elections or other politically sensitive events. For an individual, this can translate very concretely: a mass text, a fake account relaying misleading information, or an automated call — the same channels, and sometimes the same technical infrastructure (SIM farms, spoofed numbers), as those documented elsewhere in this Laboratory for classic financial fraud.
Source: ENISA, Threat Landscape 2025. See also the SIM farms & criminal call centers report.Frequently asked questions
What is a hybrid threat, in one sentence?
An action that combines several means at once (disinformation, cyberattack, economic pressure...) to weaken a target, while staying below the threshold that would trigger a classic, clear-cut response.
What is FIMI?
Foreign Information Manipulation and Interference: a term proposed in 2021 by the European diplomatic service to describe behavior, most often not illegal in itself, that aims to influence a decision or perception at scale.
How does this affect an individual?
Large-scale disinformation campaigns sometimes use the same channels as ordinary scams — mass texts, fake accounts, automated calls — especially around sensitive events like elections. Recognizing a suspicious pattern protects against both.