About 500 fibre-optic cables carry 97 percent of intercontinental data across the seabed, each roughly the width of a garden hose and lying unprotected on the ocean floor — the new front of geopolitical infrastructure warfare. On Christmas Day 2024, a rusting Cook Islands-flagged tanker named the Eagle S began dragging its anchor across five of them in the Gulf of Finland, at the heart of the Baltic’s unique geographic and infrastructure vulnerability, while Finnish helicopters scrambled to intercept it.
That single incident should have been a success story. Special forces rappelled onto the deck. The vessel was seized. The anchor-drag scar on the seabed provided physical evidence. And yet, ten months later, a Finnish court dismissed the case. The evidence was strong, seabed scars, position data, seized equipment. But the case collapsed on a question no amount of forensic work could answer: whether Finnish law could reach the conduct at all.
If you have ever assumed that catching a saboteur means they face consequences, the Eagle S case will disabuse you of that notion. The real question is not whether you should be worried about undersea cables. It is what you should actually be watching for.
What happened with the Eagle S anchor-drag case and why did the Finnish court dismiss it?
On 25 December 2024, the Eagle S dragged its anchor for roughly 100 kilometres across the Gulf of Finland seabed, damaging five separate cables: the Estlink 2 power interconnector, the C-Lion1 data cable, the Balticonnector gas pipeline link, and two additional telecommunications cables between Finland and Estonia. Finnish special forces rappelled from helicopters to board the vessel, and the National Bureau of Investigation launched a criminal investigation.
The physical evidence was strong. Seabed surveys showed the drag scar. Position data placed the ship directly over the cable corridor. Investigators found transmitting equipment, laptops with Russian and Turkish keyboards, and sensor-type devices aboard, raising suspicions the vessel had a secondary espionage role. The captain was reportedly instructed by radio to destroy charts depicting local subsea cables while under detention.
Finnish intelligence agency SUPO complicated the picture before the court even ruled, stating publicly that investigations found no evidence of deliberate Russian state activity. SUPO attributed the damage to poorly maintained vessels and untrained crews. The statement sits uneasily alongside documented AIS deactivation patterns, but it highlights exactly the problem: a state actor using deniable, poorly maintained proxies is, by design, operating below the threshold where intelligence agencies can make a public call.
On 3 October 2025, the Helsinki District Court dismissed the case, ruling Finland lacked jurisdiction over a negligent act in its Exclusive Economic Zone rather than territorial waters. Under UNCLOS, jurisdiction lay with the flag state, the Cook Islands, or the crew’s nationalities, Georgia and India, neither of which had any incentive to pursue prosecution. The court stressed the allegations involved negligent rather than intentional conduct. Proving intent in grey-zone operations is what makes these cases impossible to prosecute under the legal framework that makes prosecution so difficult.
The Fitburg incident reinforces the pattern. Finnish special forces boarded another Russia-linked vessel in the same EEZ corridor. The ship was carrying Russian steel subject to EU sanctions, which gave Finland grounds for seizure, but the criminal investigation dragged on for 19 months before suspects were referred to prosecutors.
The Eagle S was one vessel in a much larger fleet, one designed from the ground up for deniability. To understand why the case failed, you need to understand the fleet itself.
What is Russia’s shadow fleet and how is it used for undersea infrastructure sabotage?
Russia’s shadow fleet, also called the dark fleet or ghost fleet, is a network of 600 to 1,600 ageing oil tankers and cargo vessels registered under flags of convenience with ownership obscured through cascading shell companies. Its primary purpose is sanctions evasion: following the 2022 G7 oil price cap, these vessels export Russian crude outside Western insurance and shipping frameworks, generating more than €10 billion in monthly revenue. About 48 percent of Russia’s oil exports transit the Baltic Sea.
The fleet’s sabotage capability exploits the Baltic’s shallow average depth of 55 metres through the anchor-drag method. A vessel drags an anchor across a known cable corridor, tearing through fibre-optic cables on the seabed. The method needs no specialised equipment and is inherently deniable: anchor loss is common in commercial shipping, and the Baltic’s narrow cable corridors make it a target-rich environment.
What separates accidents from sabotage is the AIS data. Vessels routinely deactivate their Automatic Identification System transponders before entering cable corridors and reactivate after passing through, behaviour inconsistent with ordinary navigation. Baltic and North Sea states formally identified AIS manipulation as a maritime safety threat in January 2026. Since October 2023, the shadow fleet has been linked to at least eleven cable disruptions in the Baltic.
The fleet’s opacity is intentional. Vessels fly Cook Islands, Panama, or Liberia flags. Ownership runs through shell companies in multiple jurisdictions. Crews are recruited internationally, sometimes via Telegram. Inspections have found equipment atypical for commercial shipping, and some crew members have had links to Russian military or mercenary groups. In May 2025, Russia deployed an Su-35 fighter jet to overfly a shadow fleet vessel, causing Estonian authorities to abandon an interception attempt.
At the other end of Russia’s capability spectrum sits the Main Directorate of Deep-Sea Research, GUGI, operating the spy ship Yantar, deep-sea submersibles, and specialist submarines. A UK-Norway naval operation in late 2025 tracked an Akula-class attack submarine and two GUGI surveillance submarines over Western cable routes. The shadow fleet handles the low-tech, high-volume end; GUGI handles the sophisticated end. Together they demonstrate full-spectrum seabed warfare capability.
If the Baltic is where Russia tests the limits of attribution, the Taiwan Strait is where China rehearses for something more consequential.
What is China’s role in undersea cable threats and what capabilities has it demonstrated?
China’s threat profile is different in kind, not just degree. Where Russia relies on deniable, distributed sabotage, China has invested in capability built for military contingency, centred on the Taiwan Strait.
The most significant capability is a deep-sea cable-cutting submersible, tested to 3,500 metres depth, well beyond the reach of the fewer than 60 commercial cable-repair ships operating globally. A coordinated deep-water cut could leave regions offline for months.
The Matsu Islands incident in February 2023 demonstrated intent. Chinese vessels severed both fibre-optic cables connecting Taiwan’s Matsu Islands to the main island, causing a 50-day internet blackout for 14,000 residents. Analysts widely assess it as a practice run for wider Taiwan isolation in a conflict scenario. Taiwan has 14 external cable connections; severing most of them would cut the island off from global communications.
China’s primary operational tool is the People’s Armed Forces Maritime Militia, PAFMM, fishing vessels civilian on paper but operating as a PLA subsidiary. The Shunxing 39 incident in January 2025, in which a Chinese-flagged vessel loitered over cable routes in the Taiwan Strait, reinforces the pattern.
The Hong Tai 58 case in February 2025 produced a rare prosecution. A decrepit Chinese-flagged vessel, its cargo holds rusted shut, severed a Chunghwa Telecom cable off Taiwan’s Penghu Islands. Taiwan’s Coast Guard seized it, and the captain received a three-year jail sentence. The vessel appeared to be what analysts describe as a pawn sacrifice, a deliberately expendable asset.
In the Baltic theatre, Chinese-linked vessels complicate the Russia-only narrative. The Newnew Polar Bear was implicated in the October 2023 Balticonnector damage and was observed sailing in tandem with the Russian nuclear icebreaker Sevmorput. The Yi Peng 3 was detained by Denmark in November 2024 for dragging its anchor through Baltic cables before being released.
There is an industrial dimension as well. HMN Tech, formerly Huawei Marine, the state-owned firm leading China’s Digital Silk Road cable projects, has been excluded from Western cable projects on US pressure over espionage concerns. The result is a bifurcated global infrastructure: Chinese-aligned networks operate in a separate technology ecosystem with different security assumptions, and that bifurcation makes unified defence harder.
How do Russia’s and China’s approaches to undersea cable threats differ?
Russia’s model is distributed deniability. It relies on the shadow fleet’s scale, anchor-drag tactics needing no specialised equipment, and flags of convenience that frustrate attribution. The strategic logic is grey-zone harassment: inflict persistent, low-cost disruption that degrades confidence in infrastructure without crossing the threshold of armed conflict. The cost asymmetry makes this sustainable. Dragging an anchor across a cable corridor costs essentially nothing beyond fuel. Keeping naval frigates on constant alert to shadow hundreds of potential saboteurs is not.
China’s model is centralised capability. It operates state-directed vessels with demonstrated submersible cutting technology. The strategic logic is military contingency: develop and rehearse the ability to isolate Taiwan by severing its cable connections, either as a pre-invasion shaping operation or as a standalone coercion tool. The deeper waters of the Taiwan Strait drive investment in submersible rather than surface-level capability.
Anchor dragging, Russia’s signature method, is deniable and cheap but limited to shallow waters. Submersible cutting, China’s demonstrated edge, is more attributable but effective at depths commercial repair cannot reach, making it more consequential despite less frequent use.
Theatre differences compound the challenge. The Baltic Sea is NATO territory with a multilateral defence architecture, allied naval presence through Baltic Sentry, and the possibility of incident response. The Taiwan Strait is contested, with limited international patrol presence, most cables in international waters, and Taiwan’s SAWS monitoring system lacking physical intervention capability. NATO’s cable defence architecture was not designed for both theatres simultaneously.
Both threat models converge on the same weak point, and the Eagle S case exposed what it looks like when attribution fails at every tier.
Why is attribution of undersea cable sabotage so difficult to prove?
Attribution operates on three tiers. Technical attribution, forensic evidence, AIS data, vessel position, is achievable and was demonstrated in the Eagle S case. Legal attribution, prosecutable evidence meeting criminal standards, fails because of jurisdictional architecture. Political attribution, willingness to name a state actor and impose consequences, is constrained by escalation management and alliance consensus.
Flags of convenience are the primary obfuscation mechanism. A vessel registered in the Cook Islands, Panama, or Liberia falls under the flag state’s jurisdiction, and those states have neither capacity nor incentive to investigate sabotage in European waters. The EEZ jurisdictional gap, explained in the Eagle S case above, is the legal vulnerability at the centre of it all: under UNCLOS, coastal states have limited criminal jurisdiction in their EEZ beyond economic offences.
AIS deactivation patterns illustrate the gap. A vessel going dark before entering a cable corridor and reactivating afterwards is operationally damning but legally circumstantial. A defence can always claim equipment failure. The Helsinki court’s ruling means criminal jurisdiction, when tethered to flag state or nationality, is ill-suited to deter grey-zone maritime operations.
As noted in the Eagle S case, SUPO’s finding of no evidence of deliberate state activity captures the intelligence-evidence gap: state actors using deniable proxies operate by design below the threshold where agencies can make a public call.
The Hong Tai 58 prosecution in Taiwan is the rare success, achieved through Taiwan’s results principle. Article 4 of Taiwan’s criminal code extends jurisdiction when the result of an offence occurs within its territory, even if the conduct occurred beyond it. Baltic Sea states are studying this model but have not adopted it.
There is also a resilience dilemma: the more effectively countries build redundancy into their cable networks, the harder it becomes to meet the legal standard for severe disruption. If traffic reroutes within milliseconds, a court may find the damage insufficiently serious, even though the adversary achieved the attrition it intended.
The structural problem behind every cable incident
The Eagle S case was a structural inevitability. The system, detection, interception, evidence collection, worked. What failed was the legal architecture it operated within. Russia’s distributed deniability in the Baltic and China’s centralised military contingency in the Taiwan Strait exploit the same vulnerability: the gap between knowing what happened and being able to act on it.
Taiwan’s results principle and the Hong Tai 58 prosecution point toward a possible path, extending domestic criminal jurisdiction to cover damage whose effects are felt within a state’s territory regardless of where the conduct occurred. Whether NATO and allied states are willing to reform the jurisdictional architecture that makes frigate deployments impressive but insufficient is the question that matters for the institutional and legal responses underway.
The cables are still there, still carrying the internet, still as vulnerable as they were on Christmas Day.
Frequently Asked Questions
What actually happens when an undersea cable is cut?
When a fibre-optic cable is severed, internet traffic does not stop: it is automatically rerouted through other cables in the global network, often within milliseconds. Users may notice slower speeds or increased latency, but rarely a total blackout. The exception is regions with limited cable connections. Taiwan’s Matsu Islands experienced a 50-day internet outage in 2023 because only two cables served 14,000 residents, and both were cut simultaneously.
How long does it take to repair a damaged undersea cable?
Repair typically takes two to four weeks, depending on water depth, weather conditions, and the availability of a cable repair ship. Fewer than 60 such vessels operate globally, and demand spikes after multiple incidents. Shallow-water breaks in the Baltic are usually faster to repair than deep-water cuts, which is partly why China’s demonstrated submersible cutting capability at 3,500 metres is so concerning: it targets depths where commercial repair simply cannot reach.
Is it true that undersea cables can be tapped for surveillance rather than physically cut?
Yes. While sabotage dominates headlines, signals intelligence collection is the quieter and arguably more persistent threat. Russia’s GUGI-operated spy ship Yantar is equipped with deep-sea submersibles capable of accessing and splicing into fibre-optic cables to intercept data without leaving visible damage. The same vessels that can cut cables can also tap them, making physical inspection and integrity verification extremely difficult. This is why some Western cable routes now avoid waters accessible to known surveillance vessels.
Why do countries still rely on undersea cables instead of satellites?
Undersea cables carry approximately 99 percent of all intercontinental internet traffic because they offer vastly higher bandwidth, lower latency, and greater reliability than satellites. A single modern fibre-optic cable can transmit hundreds of terabits per second, while satellite links typically operate in the gigabit range and introduce noticeable delay. Satellites serve as a backup for isolated locations, but they cannot replace the cable network’s capacity. The physical vulnerability of cables is the trade-off for their unmatched performance.
How much does it cost to cut a cable compared to repairing one?
The cost asymmetry is extreme. Dragging an anchor across a cable corridor costs essentially nothing beyond fuel and crew wages, and the vessel can continue its commercial voyage. Repairing a single cable break can cost between one and three million dollars, depending on depth, location, and repair ship availability. When multiple cables are damaged in a single incident, as with the Eagle S dragging its anchor across five separate cables, the repair bill multiplies accordingly. This asymmetry makes sabotage a strategically sustainable attrition campaign for adversaries.
Could a coordinated attack take down the entire internet?
No single attack could take down the entire internet. The global network of approximately 500 active undersea cables includes substantial redundancy, and traffic reroutes automatically when cables fail. However, a coordinated simultaneous attack on multiple cables in a concentrated region could isolate a country or continent. Taiwan’s 14 external cable connections are a specific concern for this reason: severing most or all of them in a coordinated operation would effectively cut the island off from global communications, which is precisely the scenario analysts believe China is rehearsing.
What is NATO doing right now to protect undersea cables?
NATO launched Baltic Sentry in early 2025, deploying frigates, maritime patrol aircraft, and uncrewed surface vessels to monitor cable corridors in the Baltic Sea. The operation focuses on deterrence through visible presence and rapid response rather than physical protection of every cable. NATO is also investing in distributed acoustic sensing technology that converts existing fibre-optic cables into seabed surveillance arrays, capable of detecting approaching vessels. However, Baltic Sentry covers only one theatre, and the Taiwan Strait lacks any comparable multilateral protection framework.
What can countries do if they catch a vessel cutting cables but cannot prosecute?
Where prosecution fails, states have several non-legal responses. Finland expelled the Eagle S from its waters and its crew remain under travel restrictions. Port states can detain vessels for safety violations discovered during inspection, effectively removing them from operation for months. Diplomatic escalation, including coordinated statements like the Baltic-North Sea joint declaration of January 2026, raises the political cost for flag states. Insurance sanctions are also emerging: some Western insurers now refuse to underwrite vessels with suspicious AIS patterns, making shadow fleet operations more expensive.
How do cable operators know where a cable has been cut?
Cable operators locate breaks using optical time-domain reflectometry (OTDR), which sends a light pulse down the fibre and measures the time it takes for the reflection to return from the break point. This pinpoints the damage location to within tens of metres. Repair ships then use remotely operated vehicles to inspect the seabed, retrieve the severed ends, and splice in replacement cable. The process is well established, but it assumes a repair ship is available. With fewer than 60 vessels globally, a multi-cable incident creates a queue that can extend outages by weeks.
Which undersea cables are considered most vulnerable right now?
The Baltic Sea’s cable corridors are the most active sabotage theatre, with shallow depths averaging 55 metres making them accessible to anchor-drag attacks. The 14 cables connecting Taiwan to the outside world are considered the most strategically exposed, because their severance would isolate the island in a conflict scenario and most pass through international waters where protection is minimal. The Red Sea and South China Sea cable routes face a different vulnerability: they are chokepoints where dozens of cables converge, and a single incident could affect connectivity across multiple continents.
