You think you're safe inside your home, but an anonymous user thousands of miles away can hire a desperate local online to burn it down for a handful of cryptocurrency.
That isn't a plot from a tech thriller. It just happened in London.
The Old Bailey court recently convicted Roman Lavrynovych, a 22-year-old Ukrainian construction worker living in London, for a series of bizarre arson attacks targeting properties and a vehicle connected to British Prime Minister Keir Starmer.
Lavrynovych wasn't a hardened spy. He didn't even know who owned the properties. He was just a gig worker browsing Telegram groups for casual labor, desperate to make rent. That's where he met "El Money," a Russian-speaking handler who slowly groomed him from printing political posters to pouring white spirit on doors.
While Lavrynovych faces a lengthy prison sentence, the real mastermind behind the keyboard vanished into the digital ether. This case exposes a massive, terrifying vulnerability in Western security: Russia's new playbook of decentralized, low-cost proxy warfare.
The Grooming of a Telegram Arsonist
The relationship didn't start with fire. It started with a job hunt.
Between August 2024 and May 2025, Lavrynovych posted over 100 times in Russian- and Ukrainian-language Telegram groups looking for manual labor in London. El Money noticed. He reached out under the digital handle "El Money"—a translation of the Ukrainian word "Hroshi."
The handler used a classic boiling-frog strategy to radicalize his recruit.
- Phase 1: Low-level vandalism. El Money paid Lavrynovych to print out political leaflets for a fake activist group called Direct Action. He had him paste them up around London neighborhoods at night.
- Phase 2: Escalation to hate speech. The tasks shifted to spray-painting anti-Islamic graffiti on mosques and Muslim communities. The goal was simple: stoke domestic racial and religious tensions in the UK.
- Phase 3: The arson commands. Once trust was established and Lavrynovych was financially dependent, El Money dropped the hammer. He sent precise coordinates and instructions on how to mix flammable chemicals purchased from a local B&Q hardware store.
On May 6, 2025, Lavrynovych went to a B&Q store in south London and bought white spirit. Two days later, he rode a night bus to Kentish Town and lit up a Toyota RAV4. The car used to belong to Keir Starmer. Media outlets had published photos of the vehicle's license plate back in 2020 after a minor traffic collision, giving the Russian handler all the targeting data he needed.
Three days later, Lavrynovych was back in north London, setting fire to the doorstep of a flat in Islington where Starmer lived in the 1990s. The final attack happened just after midnight on May 12, when he torched Starmer's actual family home.
Starmer had already moved into 10 Downing Street, but his sister-in-law, Judith Alexander, was staying there with her family. She woke up to two loud bangs and found her home filling with thick, choking smoke.
The Handler Desperately Wanted the Spotlight
Here is the weirdest part of the entire operation: Lavrynovych was terrible at it.
El Money promised thousands of dollars in Tether cryptocurrency, but there was a catch. The money was only coming if the attacks made the national news. To prove he did the job, Lavrynovych had to film the fires.
His video skills were awful. One clip of the burning car lasted only a few seconds. Another video, shot in the pitch black, mostly just captured the audio of Lavrynovych repeatedly striking matches.
The morning after the final house fire, El Money checked the British news feeds and found nothing. He messaged his recruit in frustration: "It's all dead quiet so far — not a single article or announcement about the incident on this street."
Shortly after, British counterterrorism police swarmed the house Lavrynovych shared with his grandmother. He was still frantically messaging Telegram asking where his crypto was. He never got paid.
The Legal Blind Spot Cops Can't Fix
The trial at the Old Bailey lasted six weeks, ending in convictions for Lavrynovych and his 27-year-old accomplice, Stanislav Carpiuc. But the courtroom proceedings highlighted a glaring gap between what intelligence agencies know and what prosecutors can actually prove to a jury.
James Scobie KC, Lavrynovych's defense attorney, called his client a "vulnerable, ignorant puppet" and openly expressed frustration that the trial didn't look into the "devil in the background."
British prosecutors didn't bring charges under the 2023 National Security Act, which was specifically designed to target foreign state threats. Why? Because proving a direct link to the Kremlin beyond a reasonable doubt using unclassified phone records is nearly impossible.
Commander Helen Flanagan of London's Counter Terrorism Policing stated there was no evidence the attackers had any ideological motivation or even knew they were attacking the Prime Minister's properties. To a jury, it looked like a simple, reckless property crime for cash.
But former counterterrorism chief Commander Dominic Murphy, who oversaw the initial investigation, pointed out that El Money's tradecraft perfectly matches known Russian state-backed sabotage operations. These dirty digital campaigns require high-level sign-off in Moscow, yet they use cheap, disposable local proxies to maintain total deniability.
How to Protect Your Online Footprint from Foreign Handlers
The Associated Press has tracked at least 192 covert attacks across Europe since the 2022 invasion of Ukraine, ranging from cyberattacks and warehouse fires to assassination plots. Russia has stopped sending trained spies with fake passports to do their dirty work. Instead, they are trolling local job boards.
If you or someone you know is looking for casual work or freelance gigs online, you need to recognize the warning signs of a digital handler before you get pulled into something illegal.
Watch for the Red Flags
- Anonymous job offers: Never accept work from individuals on Telegram, Signal, or WhatsApp who refuse to provide a verifiable company name, physical address, or official email domain.
- Cash or crypto-only payments: Legitimate businesses don't insist on paying exclusively through untraceable crypto wallets like Tether or Bitcoin for basic manual tasks.
- Requests for photos or videos: If a client demands video proof of you completing low-level tasks in public places at night, they aren't monitoring your productivity. They are gathering propaganda or verification for their handlers.
- Gradual escalation: Be highly suspicious if a job starts with simple tasks—like handing out flyers or posting online reviews—and slowly morphs into property damage, surveillance of specific buildings, or vandalism.
If you stumble onto an online job posting that feels like a front for malicious activity, don't engage. Report the account and the details directly to the police or your national counterterrorism reporting hotline. Your information could be the piece of the puzzle that prevents the next fire.
