A 16-year-old receives a message on Instagram. Someone offers him €500 to “deliver a package” to an address across town. No questions. No paper trail. He doesn’t know who hired him, who ordered the job, or that the package is cover for an assault on a business owner who refused to pay protection money. He gets picked up by police three hours later. The man who placed the order is four countries away, never touches the operation, and is already working the next job.

This is Violence-as-a-Service — and it’s running like a startup.

TL;DR

  • Criminal networks have adopted the crime-as-a-service model for physical violence: outsourcing assaults, threats, and contract killings to disposable hired perpetrators
  • Recruitment happens digitally via social media, encrypted messaging apps, memes, and gamified challenges — targeting minors and young adults
  • Europol’s Operational Taskforce GRIMM, launched April 2025, has made 280 arrests in one year across 8 European countries
  • The model deliberately uses youth to shield organizers from prosecution — minors face lighter sentences, and they don’t know who they work for
  • The infrastructure mirrors ransomware-as-a-service: modular, deniable, scalable

Contents

  1. Crime-as-a-Service: The Full Ecosystem
  2. The As-a-Service Model Moves Offline
  3. How the Recruitment Pipeline Works
  4. The Digital Infrastructure Behind Physical Violence
  5. OTF GRIMM: Europe’s Response
  6. What This Means for Security Research
  7. Related Posts
  8. Sources

Crime-as-a-Service: The Full Ecosystem

Before examining VaaS, it’s worth mapping the broader Crime-as-a-Service (CaaS) landscape that organized crime has built over the last decade. What started as a cybercrime supply chain has expanded into a full criminal economy where every component — tools, access, infrastructure, identities, and now physical violence — can be outsourced, rented, or purchased.

| Service | Abbreviation | What It Provides | Who Buys It |
|---|---|---|---|
| Ransomware-as-a-Service | RaaS | Ransomware builds, negotiation portals, victim leak sites | Affiliates who handle intrusion and deployment |
| Malware-as-a-Service | MaaS | Ready-made malware, loaders, stealers, RATs on subscription | Anyone wanting to infect targets without coding |
| Phishing-as-a-Service | PhaaS | Phishing kits, lookalike domains, real-time credential capture panels | Credential thieves, BEC actors |
| Initial Access Brokers | IAB | Pre-compromised network access sold on darknet markets | Ransomware groups, espionage actors |
| DDoS-as-a-Service | DDoSaaS | Botnet-powered volumetric attacks on demand | Extortionists, competitors, hacktivists |
| Fraud-as-a-Service | FaaS | Money mules, cashing infrastructure, drop accounts | Anyone needing to convert stolen funds |
| Scam-as-a-Service | SaaS (criminal) | Script-based call centre fraud, romance scam templates, pig butchering rigs | Large-scale financial fraud operations |
| Violence-as-a-Service | VaaS | Physical assaults, threats, contract jobs — outsourced to hired perpetrators | Criminal organizations needing deniable enforcement |

The critical insight is that none of these services require technical expertise from the buyer. RaaS affiliates don’t write malware. VaaS clients don’t commit violence. The criminal supply chain has achieved the same separation of concerns that legitimate software development has — specialists at each layer, none of them exposed to the full operation.

VaaS is the newest layer of this stack, and unlike the others, it bridges digital infrastructure with physical-world consequences.


The As-a-Service Model Moves Offline

Organized crime looked at the CaaS model and replicated it for the physical world.

Violence-as-a-Service (VaaS) works on the same structural logic as RaaS:

| RaaS Component | VaaS Equivalent |
|---|---|
| Ransomware developer | Criminal organizer / broker |
| RaaS affiliate | Hired street-level perpetrator |
| Initial access broker | Scout / target identifier |
| Victim negotiation portal | Encrypted task coordination channel |
| Cryptocurrency payment | Cash drops, prepaid cards |
| Leak site (pressure tactic) | Public threat / reputation damage |
| Burner infrastructure | Throwaway SIM cards, temp accounts |

The organizer never commits the act. The perpetrator never knows the client. Both can plausibly deny the other exists. Operational security that cybercriminals learned from state-sponsored hackers has been translated into street-level crime.


How the Recruitment Pipeline Works

The recruitment funnel is deliberately designed to exploit psychological vulnerabilities — the same techniques used in social engineering attacks, applied to physical-world targeting.

Stage 1: Initial contact

Recruiters identify vulnerable targets through social media: young people showing signs of financial stress, social isolation, or desire for status. First contact is casual — a follow, a comment, a direct message that doesn’t mention crime at all.

Stage 2: Trust building

The recruiter presents themselves as a peer or older mentor. Conversations focus on shared frustration, the “system” being rigged, and how the right people know how to work around it. Money, respect, and belonging are the consistent hooks.

Stage 3: The offer

The first job is always framed as minor — deliver something, watch a location, send a message. Low risk, good pay. It’s designed to be easy enough to say yes to, and successful enough that the next ask feels natural.

Stage 4: Escalation and lock-in

Once a recruit has committed a crime, they become leverage. The organization now holds the threat of exposure. Refusal carries consequences. The recruit is inside.

Europol specifically flagged warning signs for this pipeline: a teenager who stops asking for money but appears to have it, unexplained new possessions, increased secrecy about communications, and behavioral withdrawal from family.

The coded language, memes, and gamified framing used in recruitment channels are designed to be invisible to older observers — recognizable to the target demographic as a subculture rather than a criminal operation.


The Digital Infrastructure Behind Physical Violence

The operational coordination of VaaS networks is almost entirely digital:

  • Encrypted messaging apps (Signal, Telegram, WhatsApp, and purpose-built criminal platforms) handle tasking, payment confirmation, and operational debriefs
  • Social media platforms are used for recruitment, reputation building among recruits, and target identification
  • Cryptocurrency and prepaid payment systems create distance between client payment and perpetrator compensation
  • Compartmentalization mirrors cell-based terrorist structures — most participants know only their direct contact, not the broader network

The result is a command structure that is genuinely difficult to dismantle. Arresting street-level perpetrators doesn’t reach the organizers. Surveilling the digital infrastructure requires cross-border legal authority that most single-country investigations lack.

This is why Europol’s involvement is structurally necessary — not optional.


OTF GRIMM: Europe’s Response

Operational Taskforce GRIMM was launched in April 2025 as a joint initiative led by Sweden, with participation from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway.

In its first year:

  • 280 arrests across participating countries
  • 193 arrests in the first six months alone
  • High-value fugitives added to the EU Most Wanted list on the one-year anniversary (April 2026)

OTF GRIMM operates on four strategic pillars:

  1. Intelligence sharing — breaking down the cross-border information silos that allow organizers to exploit jurisdictional gaps
  2. Network mapping — charting criminal recruitment pipelines, role structures, and monetization flows rather than just pursuing individual cases
  3. Targeting service providers — going after the organizers and brokers, not only the perpetrators they deploy
  4. Technology company partnerships — working with platforms to identify and disrupt digital recruitment infrastructure before perpetrators are operational

The EU Most Wanted publications are a deliberate pressure tactic: naming senior organizers publicly collapses their operational anonymity and activates tip lines across multiple countries simultaneously.


What This Means for Security Research

VaaS is relevant to this field beyond the surface level of “crime does crime things.”

The as-a-service criminal model is converging. Networks that operate VaaS infrastructure also use cybercrime tools — encrypted comms, anonymization, cryptocurrency, digital identity management. The skill sets and the platforms overlap. Threat intelligence that maps one informs the other.

Social engineering is the universal attack vector. The same psychological manipulation techniques used to compromise employees — manufactured trust, urgency, fear, belonging — are used to recruit perpetrators. Understanding the mechanics of manipulation at the human level is fundamental security knowledge regardless of whether the threat is digital or physical.

Compartmentalization as a defense model. VaaS networks operate with the same cell-based, need-to-know compartmentalization used by intelligence services and sophisticated APT groups. The reason it’s effective for attackers is the same reason it’s effective for defenders: compromise of one node reveals nothing about the others. Organizations building resilient security programs can learn from the same structural logic.

Platform abuse is the enabler. Remove the encrypted channels and social media recruitment pipelines and VaaS networks face serious operational constraints. This is why technology company cooperation is one of OTF GRIMM’s four pillars — and why platform security, content moderation infrastructure, and law enforcement API access remain genuinely contested policy terrain.

The criminal adoption of the as-a-service model was predictable. Its migration from digital to physical was also predictable. What gets built next on top of this infrastructure is the question worth watching.



Sources