Sanctions won’t stop cyberattacks, but they can still “bite”

Sanctions are one of the tools Western governments use when they want to hit back at state-sponsored cyber threat actors. But do they actually work?

That’s the question a group of current and former cybersecurity officials, analysts, and researchers tackled at the Royal United Services Institute (RUSI), a London-based think tank focused on defense and security.

Their findings suggest that while sanctions won’t stop cyberattacks altogether, they can make them slower, riskier, and more expensive for those behind them.

What works?

RUSI’s taskforce looked at how the US, UK, and EU use sanctions to deal with state-backed cyber threats.

The group found that the best results come from targeting the enablers, i.e., the infrastructure and people who keep these operations running. That means going after cryptocurrency mixers, hosting providers, technology suppliers, private-sector contractors and state-linked companies with global footprints that make it easier for threat actors to move money or data.

Cutting off these links can cripple operations faster than targeting the hackers themselves, and these individuals and entities are more vulnerable because they operate in or depend on the legitimate global economy.

Sanctions are most useful when they’re part of a larger plan rather than a standalone punishment. When governments combine them with diplomatic pressure, criminal indictments, or intelligence sharing (e.g., public technical advisories), the effects are greater, they also concluded.

(The United States, for example, often announces sanctions alongside Justice Department charges, which amplifies the message that hacking has real-world consequences for the perpetrators.)

Each tool amplifies the others: sanctions stigmatize, indictments isolate, advisories inform private-sector compliance. This creates reputational and operational pressure across ecosystems, not just on the named individuals, which results in greater friction for adversaries and clearer international signaling.

Finally, even when they don’t “hurt” the target directly, sanctions reinforce deterrence narratives, clarify norms, and bolster diplomatic solidarity among allies.

What doesn’t work?

While asset freezes or travel bans largely don’t work on deterring foreign intelligence officers, naming them can still serve diplomatic and reputational purposes.

When sanctions come too late or without coordination, they lose much of their bite, the experts also agreed. Delayed sanctions end up becoming largely symbolic signaling with limited operational effect, and unilateral measures lack global enforcement reach (thus allowing threat actors to exploit jurisdictional gaps).

In general, the experts pointed out that EU’s slow listing of sanctioned individuals and organizations, its cautious approact to (credible) attack attribution, and its failure to adequately track whether sanctioned entities lose access to funds or infrastructure considerably weaken the effects of sanctions.

When it comes to attack attribution, though, things are changing and naming who’s behind a cyberattack is slowly becoming standard practice: France, Czechia, and Singapore all publicly called out foreign state hackers in 2025.

Once names are out in the open, sanctions become easier to justify and more credible as part of a collective response.

Sanctions can create much-needed friction

Sanctions slow down adversaries, force them to adapt, and make hacking less profitable.

“North Korean operators,” for example, “continue to conduct heists but struggle to convert stolen crypto assets into usable funds, demonstrating how sanctions can force continual adaptation and raise risks even without stopping operations outright.”

When combined with other measures, sanctions they help define what’s acceptable in cyberspace and what isn’t.

“The goal is not to prevent every hostile operation, which would be unachievable given the deniable and low-level nature of most activity, but to integrate sanctions with diplomatic, law enforcement and intelligence instruments to change the adversary’s behaviour,” the RUSI Cyber Sanctions Taskforce concluded.

“In practice, this means disrupting hostile operations by making malicious activity less rewarding and more politically or economically costly for adversaries.”

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!