On 26 April, Just Stop Oil (JSO) announced it was “hanging up the high-vis vest” following three years of direct action against the U.K. government’s licensing policy of oil, gas, and coal projects in the U.K. Since its inception in 2022, JSO has conducted several high-profile and controversial protests focused on maximising disruption through non-violent means. The blocking of the M25, disrupting major sporting events, defacing private jets and culturally significant artwork, among other actions, all received significant media attention. However, this came at the cost of very low levels of support from the U.K.’s population. At the time, only around 17 per cent of people surveyed supported JSO’s actions, and coupled with growing pressure from police and the government, the group likely struggled to fill its ranks – especially with those who were willing to risk arrest and prosecution.
Environmental activist groups like JSO and Extinction Rebellion (XR) have largely failed to bring about significant changes in political attitudes toward climate change. Coupled with the government and police’s crackdown on their disruptive forms of protests, most notably the substantially punitive measures, this has effectively forced activist groups to recalibrate their approach to direct action.
Sabotage has featured in the activist playbook, but in today’s complex socio-political climate, it could be set for a revival. As traditional direct action appears to have failed to deliver results, a growing number of emerging activist groups could begin anchoring their movements in more radical tactics. If this trend continues, sabotage may increasingly become a central tool in their pursuit of socio-political change.
Shifting strategies
While previous tactics used by activist groupswere geared towards attracting attention, recent incidents highlight the adoption of a more clandestine approach, including:
- The decentralisation of leadership structures to reduce the risk of intrusion or arrests that could disrupt campaigns.
- Expanded target selection to include supply chains, specific assets (including critical communications infrastructure, such as vulnerable points situated in public areas like fibre optic cabinets) and in some cases targeting employee residences.
- Low-to-very low public and social media presence, with limited posts to publicise successful actions.
- Activists avoid arrest where possible (unlike JSO and XR) and opt for high-impact, low-risk campaigns, which is likely appealing to activists with the propensity to engage in sabotage. This could be a key factor in recruitment strategies.
- Operating in much smaller groups during actions –in some cases as few as two to three activists.
- Targeting intended sites at night or early morning. This contrasts previous actions, which typically occurred during business hours, often weeks-long, as demonstrated by XR.
- A move away from live-streaming protests, insteaduploading footage once activists have safelyreturned.•
- Extensive planning and likely the conducting of hostile reconnaissance to identify potential gaps insecurity or an ideal staging ground.
- In some cases, activists have used disguises to avoid detection.
Case studies
Shut the System (STS)
STS is an environmental activist group formed in 2024 to engage in a “new phase” of environmental activism. On 10 June 2024, in a coordinated targeting of Barclays with Palestine Action, STS activists vandalised at least 20 Barclays branches nationwide by smashing glass doors and windows and using spray paint. The group cited Barclays’ investment of $190 million in fossil fuel companies between 2016-2022 as the cause for being targeted.
On 20 January 2025, STS members severed fibre optic cables in London’s financial district, claiming to have disrupted internet access to “hundreds” of insurance companies. Insurance companies in other parts of the country were also targeted in the campaign. Business disruption was minimal, although reports emerged of slower internet speeds. The group reportedly practised identifying and removing appropriate manhole covers as well as researching which wires to sever.
On 7 May 2025, STS activists targeted several Barclays branches by spray painting political statements, glueing door locks, ATM machines, and severed fibreoptic cables at Barclays’s Northampton headquarters. Moreover, activists targeted the residential properties of three senior Barclays executives by spray painting similar political slogans, including the CEO, the Global Head of Sustainable Finance and the President of Barclays Bank PLC.
Palestine Action (PA)
PA was established in 2020 and primarily targeted Elbit Systems, an Israeli defence organisation that maintained several offices in the U.K. PA repeatedly cited Elbit Systems’ use of the term “battle tested” for its products – mainly found in Unmanned Aerial Vehicles (UAVs). PA were one of the first recently established groups to employ sabotage like tactics in the U.K., regularly targeting Elbit’s offices with red spray-paint symbolising blood, occupying sites, including blocking entrances/ exits, vandalising equipment, and generally leading to significant business disruption. PA also targeted other defence organisations deemed complicit in Israel’s occupation of Palestine. In June 2022, the group caused an estimated £1 million in damages at Thales’ site in Glasgow using smoke bombs and by destroying certain equipment. Following Israel’s military operations in the Gaza Strip in 2023, the PA intensified its actions targeting other defence companies, including Lockheed Martin and more recently Leonardo, where three activists drove a van into its Edinburgh site’s perimeter fence. The BBC’s headquarters in London were also targeted by the group in January this year. In November 2023, the group grew its international presence and was able to target an Elbit Systems site in New Hampshire, U.S. Beyond the defence and media sector, PA also targeted Allianz, Elbit Systems’ insurer, on several occasions this year, including their offices in Manchester and London, as well as TwickenhamStadium (owned by Allianz) during a Six Nations rugby match by flying a drone displaying a Palestinian flag over the stadium.
Then, in June 2025, the group conducted its most daring action. Activists breached the perimeter of RAF Brize Norton and used electric scooters to rapidly cross the airfield and spray two military aircraft with red paint. RAF Brize Norton is the U.K.’s largest RAF station, housing approximately 5,800 personnel and home to RAF’s Air Mobility Force. Activists specifically vandalised two Voyager Air-to-Air Refuelling (AAR) tankers. The fallout resulted in PA becoming a proscribed organisation under the U.K.’s Terrorism Act 2000, categorising it as an extremist group after the government assessed that PA had committed and participated in acts of terrorism, including damaging property to further their political objectives.
Volcano Group
Beyond the U.K., sabotage-driven activist groups remain active in Europe. Most notably, the Vulkangruppe (Volcano Group), which claimed responsibility for the arson attack targeting a highvoltage power mast near the Tesla gigafactory in Grünheide near Berlin. Electricity supply to Tesla’s only European factory and 60,000 nearby homes was cut for several hours. Multiple media outlets cite the business suspension caused by the outage cost Tesla $1 billion. Elon Musk labelled Vulkangruppe as the “dumbest eco terrorists on Earth” for targeting an electric vehicle manufacturer and not those linked to fossil fuels. The group cited Tesla’s alleged contamination of groundwater and consuming large quantities of water from a protected water source, as well as the wider issue of green capitalism.
Vulkangruppe, a left-wing extremist group according to German authorities, have conducted similar actions in the past, including targeting cable ducts on railway lines, radio masts, data lines and company vehicles. In May 2021, another arson attack targeting Tesla was claimed by the group, and in 2020, they targeted the Heinrich Hertz Institute in Berlin.
What does this mean for organisations?
The government’s intensified crackdown on sabotage-driven actions has ultimately altered the civil unrest risk landscape for organisations. Whilst enhanced security and surveillance provided by the Terrorism Act 200016 would act to deter and prevent sabotage-driven actions, it also has unintended consequences. Legal challenges by PA against the group’s proscription continue, with reports citing that the Home Secretary Yvette Cooper agreed “in scope and nature” that only three of PA’s nearly 390 actions met the terrorism threshold and that the Joint Terrorism Analysis Centre (JTAC) assessed most of PA’s actions as lawful. Despite there being no evidence that the government will walk back on the ban, it does highlight a possible grey area induced by the political and legal complexities when proscribing an activist group. There remains a possibility for certain activist groups to exploit this grey area by maintaining sabotage-oriented actions under the pretence of political activism.
Conversely, certain activist groups could be forced to adapt their approach to activism in response to increased government pressure. For instance, going underground, splintering into smaller cells, and possibly becoming less risk-averse in their adoption of sabotage tactics, whilst still maintaining the same political objective(s). This type of evolution could set the scene for a more complex and unpredictable threat landscape for businesses concerning civil unrest.
Standard threat detection techniques, such as open-source and social media intelligence (OSINT and SOCMINT), may become more redundant as activist groups reduce their social media footprint and turn to encrypted messaging platforms. As such, actions could become harder for businesses to detect, anticipate or respond to in advance.
By expanding their target selection, sabotage driven activist groups possess the ability to apply pressure against the intended target through a wide variety of attack angles, including (but not limited to) specific points along supply chains, specific employees, particularly executives, and other critical components that facilitate trade.
Even a single determined actor, with both the necessary levels of intent and capability, can cause a significant disruption to an organisation’s operations, assets, staff, and consumers.
Risk mitigation guidance
Pre-unrest risk assessment
- Assess the risk of activist activity to your organisation. This can be as a whole organisation, a division, region or portfolio, or specific to one or a small number of locations. This would include assessment of known threat actors, known areas or points of interest for threat actors and/or identifying and assessing their ideologies, modus operandi and target profiles.
- Consider performing security vulnerability assessments to identify gaps in your security risk mitigation against plausible activist modus operandi (attack pathways).
- Assess the volume and sensitivity of accessible information relating to senior management through conducting executive exposure reviews. This should include scrapes of the surface, deep, and dark web, and should cover the identification of residential addresses and associated imagery, breached credentials, mentions of the individuals’ names online and any existing activist groups that have targeted them, and familial associations. Activist groups may exploit such information to facilitate targeted harassment or use it to physically threaten individuals, most commonly publicly listed executives.
- Review the organisation’s affiliations with financial partners, service providers, customers and other partner types to identify potential exposures which could be examined and targeted by activist groups.
Threat monitoring
- Monitor sociopolitical developments and possible trigger events that could cause heightened levels of protests or activism at or close to your operations.
- Where available (e.g., through a guarding provider), utilise third-party threat monitoring and risk intelligence of prominent activist groups.
- Exploit any existing law enforcement or industry security bodies, common in most large cities, that provide local intelligence on protest activity.
- Continuously monitor digital footprints of senior management and public sentiment of the organisation online (including the dark web), to detect references or targeting by activist groups.
Prevention
- Based on the outcomes of your risk assessments, determine what enhanced security measures are required. These measures may range from physical, technical, cyber or procedural controls, and should be proportionate and appropriate to the risk faced.
- As appropriate, assess the need for enhanced security measures around executives, both at work and at home.
- In collaboration with existing mitigation, including risk transfer and temporary changes to organisation operations (e.g., working from home). Examples of proactive enhanced security measures include:
- Increased human and technical surveillance
- Additional guarding
- Enhanced access control and screening
- Removal of company signs or logos, and
- Physical mitigation, such as barriers, protection of glass facades, etc.
Preparedness
- Ensure facilities and security staff are appropriately trained and aware of risk mitigation measures and emergency response procedures. This includes:
- Awareness of the legal rights of activists and their legal status
- The modus operandi of relevant activist groups
- Communications procedures
- Mitigation escalations
- Lockdown and evacuation procedures, and
- Crisis management escalation protocols.
- Develop response plans for locations identified as high risk to protest activity or activism. As relevant, consider developing organisation-wide response templates and/or guidance for a variety of protest activity.
- Train relevant staff in hostile threat awareness, to increase awareness of identifying suspicious behaviour, understanding activist tactics, and responding safely to on-site activist activities.
- Communicate to the organisation, suppliers, and customers relevant information in advance of planned or expected protest activity, e.g., such as enhanced security mitigation, changes to working/opening hours, etc.
Post-incident
- Risk assess the potential for further direct activist activity in the near future to determine the speed with which to return to business as usual.
- Evaluate the performance of the response and assess any identified change in threat actor modus operandi or risk exposure, adapting relevant security measures and procedures accordingly.