Build for the Mole
Every dissident organization sooner or later confronts the infiltration question, and the honest answer is that it probably has been penetrated, or will be, or would be if it ever became effective enough to matter. State counterintelligence programs reveal an uncomfortable truth: when the state decides to penetrate an organization, it brings resources, training, and patience that most targets cannot match. The more important question is how to build structures that render the spy’s presence futile.
COINTELPRO, which officially operated from 1956 to 1971 but whose tactics continued long after its formal termination, placed informants inside every significant dissident movement of its era. Black Panthers, antiwar organizers, civil rights organizations, socialist parties, and environmental groups all discovered, often too late, that trusted members had been reporting to handlers throughout. Active provocation emerged alongside surveillance when the Church Committee investigated: forged documents designed to create internal splits, anonymous letters spreading rumors about leaders, and agents deliberately encouraging illegal activity to justify prosecution. When FBI assistant director William Sullivan testified about these tactics, he was blunt about the operational mindset: “No holds were barred. We have used these techniques against Soviet agents. They have used them against us. We did not differentiate.”
Modern informant operations run with even greater sophistication. The FBI’s Confidential Human Source program, formalized after 2004, represents a professionalization of the old methods. Leaked guidelines reveal that agents build extensive dossiers on potential recruits before making contact, collecting derogatory information for use as pressure. They may use covert identities to approach targets, and they are freed from the meeting limitations that constrain standard undercover operations. A single field office can authorize payments up to one hundred thousand dollars per year to a single informant, and the guidelines explicitly permit recruiting journalists, clergy, and lawyers with proper authorization. The network is vast, and its members are selected precisely because they can blend in.
The British case of Mark Kennedy illustrates what deep infiltration looks like. Kennedy spent seven years living as “Mark Stone,” an environmental activist. He attended protests across Europe, formed intimate relationships with multiple women in the movement, and became a trusted figure who participated in planning and actions. When he was finally exposed in 2010, activists discovered that his passport, his backstory, his entire persona had been manufactured by police handlers who monitored his movements and communications daily. The women he deceived were experienced activists who had known him for years. One of them later testified that “he was trained in manipulation techniques, he was trained in lying. A backstory was created for him by and with his employers. He had a back-room team of people supporting him wherever he went.” Kennedy was not an outlier. The subsequent Undercover Policing Inquiry revealed a pattern spanning decades, with officers stealing the identities of dead children for cover and receiving explicit or tacit approval for their sexual deceptions.
The Brandon Darby case in the United States demonstrates how the agent provocateur operates. Darby was a celebrated activist who had co-founded Common Ground Relief in post-Katrina New Orleans. When he began working as an FBI informant in 2007, he used his reputation and his influence as an older, more experienced organizer to cultivate relationships with younger activists planning protests at the 2008 Republican National Convention. Two young men, Bradley Crowder and David McKay, constructed Molotov cocktails after extended exposure to Darby’s militant rhetoric and were promptly arrested on information Darby provided. At trial, witnesses testified that Darby “was the one to suggest violence, when the rest of us disagreed” and that as “an older seasoned activist, Darby had a lot of sway over Crowder and McKay.” Both men went to prison. Darby, the man who by multiple accounts had encouraged the escalation, testified for the prosecution.
These cases point toward a fundamental asymmetry that detection-focused security culture cannot overcome. The state can afford to be patient, to invest years building cover, to provide resources and training that make its agents useful to the organizations they infiltrate. An activist trying to spot the spy has only suspicion and intuition to work with. The standard advice to watch for inconsistencies in background stories, unexplained access to resources, or eagerness to push toward illegal activity fails against the competent infiltrator who has been coached to avoid exactly these tells. Worse, a detection-obsessed culture breeds the paranoia that COINTELPRO documents explicitly sought to create. An FBI memo from 1970 advised agents to encourage “the impression that there is an FBI agent behind every mailbox” because the resulting suspicion and internal conflict would do more damage than any individual informant. When movements consume themselves with accusations and counter-accusations, the state wins at no cost.
The cypherpunk tradition offers a different framework, one that begins by accepting the presence of adversaries as a design constraint. Eric Hughes wrote in A Cypherpunk’s Manifesto that “we cannot expect governments, corporations, or other large, faceless organizations to grant us privacy,” and the same logic applies to organizational security. The goal is building systems where adversaries’ presence cannot accomplish its purpose, regardless of how deep they go.
In cryptographic terms, this means designing for security under the assumption that the adversary knows everything except the secret keys. In organizational terms, it means decentralization, compartmentalization, and communication channels that the infiltrator cannot compromise regardless of their access. A single person holding insufficient information to destroy the network renders infiltration of that person largely pointless. End-to-end encrypted communications mean the informant can report what was said in the meeting but cannot hand over the contents of private channels. Flat and redundant organizational structures ensure that removing any individual, whether by arrest or exposure, does not cripple the whole.
Vigilance still has a role. Organizations should vet members, pay attention when someone’s story fails to cohere, and refuse to tolerate the aggressive and divisive behavior that documented infiltrators have consistently displayed. These measures form a second line of defense, though. Structure is the primary line: build so that even successful infiltration cannot achieve its objectives.
The historical record confirms that the state will infiltrate opposition movements whenever it perceives them as threatening. Attempting to identify and exclude infiltrators has repeatedly failed, missing the real agents while enabling the paranoia and internal conflict the state sought. Accepting infiltration as a given and designing accordingly, treating the spy as an environmental hazard to be engineered around, is the sustainable answer. Cypherpunks understood decades ago that the only reliable answer to pervasive surveillance was cryptography that made surveillance ineffective, and the same principle applies to the spy in the room: the goal is ensuring that their presence changes nothing.