Children’s recruitment and use in cyber-operations
A child‑rights law analysis
The rapid expansion of the digital environment has profoundly reshaped the landscape of childhood, weaving online spaces into nearly every aspect of children’s social, educational, and recreational lives. Yet this same environment has given rise to new and insufficiently understood forms of vulnerability: as contemporary conflict increasingly incorporates offensive and defensive cyber‑operations, children are being recruited and used to participate in cyber operations. The widespread availability of powerful digital tools, combined with children’s innate fluency in navigating online environments, has dramatically lowered the threshold for involvement. The participation of children in cyber-operations involves activities that may range from seemingly innocuous digital tasks to sophisticated intrusions into information systems. This development is deeply alarming: it exposes children to unprecedented forms of complex harm, combining psychological, developmental, and potentially physical harm, that demands attention.
Children’s engagement in cyber‑hostilities diverges significantly from the conventional image of the “child soldier.” The differences manifest across multiple dimensions: the actors who involve children, the mechanisms through which recruitment occurs, the nature of the activities for which children are used, and the corresponding preventive obligations of States.
The legal framework
International law, most notably international child rights law and international humanitarian law, remains unequivocal: the recruitment and use of children in hostilities by both State armed forces and non‑State armed groups is strictly prohibited and, in most circumstances, criminalized.1 These prohibitions exist to shield children from the dangers inherent in combat environments, including the heightened risk of being targeted.2 Crucially, these norms are technology‑agnostic. Their protective scope extends seamlessly to cyber‑recruitment and participation in cyber‑hostilities, just as it applies to traditional forms of recruiting or using children in conflict.
The Convention on the Rights of the Child (CRC) and in particular its Optional Protocol on the involvement of children in armed conflict (OPAC) were drafted with kinetic hostilities in mind. Nevertheless, their provisions and the principles prohibiting the recruitment and use of children apply to cyber operations which form part of conflicts. The CRC offers a broad framework that applies at all times, within conflict or without: Article 3 requires that the best interests of the child serve as a primary consideration in all actions concerning children, including those arising in the context of cyber-operations. The Committee on the Rights of the Child has noted that, “[t]he digital environment was not originally designed for children, yet it plays a significant role in children’s lives. States parties should ensure that, in all actions regarding the provision, regulation, design, management and use of the digital environment, the best interests of every child is a primary consideration.”3
Recruitment
Children are being drawn into cyber operations through multiple pathways, ranging from overt conscription or enlistment to far more subtle forms of influence, including manipulation through social media, gaming environments, and encrypted communication channels. State‑linked or politically motivated actors may encourage “volunteer” cyber activities framed as civic participation or patriotic duty. Peer networks can normalize hacking or digital vigilantism, while coding forums and online competitions can blur the line between legitimate skill‑building and illicit operations.
Within this spectrum, children’s involvement may be either knowing or unwitting. Some are recruited with full awareness, engaging as hackers or cyber operatives and believing themselves to be acting with skill or purpose. Others may inadvertently facilitate military operations, for example, by allowing their personal devices to be used to geolocate military assets or identify targets.4 Still others may be tricked into playing games that generate military surveillance data.5
Across all these scenarios, the mechanisms of influence exploit children’s developmental stage, their search for identity and belonging among peers, and their limited understanding of the risks they assume...
Across all these scenarios, the mechanisms of influence exploit children’s developmental stage, their search for identity and belonging among peers, and their limited understanding of the risks they assume, both in terms of their own security and the legal consequences of their actions. International law prohibits all forms of exploitation of children that is economic or prejudicial to any aspects of the child's welfare (CRC Art 32 and 36).
Courts have held that prohibited enlistment need not be a formal process; it simply denotes acceptance and enrolment in the armed force or group. It may require a series of steps.6 Below the law’s age cut-offs, any kind of recruitment is prohibited. There may be criminal liability for organizing, attempting, assisting in, requesting, encouraging or supervising these recruitment activities.7
Use
Any “use” of children in hostilities is also unlawful. All forms of participation expose children to grave risks, including the possibility of being directly targeted or excluded from civilian harm assessments. Even without any use of the child in hostilities, the child’s connections to cyber-infrastructure, such as phones or networks, might be deemed possible military objectives.8 The digital nature of their involvement does not diminish the seriousness of these dangers; rather, it obscures them, making effective protection all the more urgent.
Protecting children from engagement in armed conflict involves a complexity. The more broadly hostile activities and hostile parties are interpreted, the greater the domain for lethal force during hostilities — i.e. the greater the risk of direct or collateral harm to children. However, the more broadly these terms are construed in effective prohibitions on engaging children, the more is done to prevent risks of harm to children.9
The actors
Both regular armed forces and armed groups are prohibited from recruiting and using children. Yet in the cyber domain, the actors involved and the forms of engagement often look very different from traditional patterns. Groups that involve children in cyber‑warfare may not neatly qualify as “armed forces,” as “cyber‑warriors” rarely carry weapons or wear visible military insignia. Similarly, determining whether a collective constitutes an “armed group” can be challenging when its members operate anonymously, lack a continuous combat function,10 or are loosely organized11 — as is the case with hacktivist collectives such as “Anonymous.”12
The landscape is further complicated by the involvement of private actors. Private military contractors and not‑for‑profit associations may train children in cyber‑operations,13 while corporate entities employing children may be required to report cybersecurity vulnerabilities or incidents to national authorities,14 thereby contributing to the protection of dual‑use (civilian and military) technologies. Some corporate actors may not foresee the risks they are generating for children; others may actively exploit child labour for hazardous digital work at the perimeter of hybrid conflicts. States have even openly called upon hacktivists to engage “independently” in cyber‑operations,15 blurring the line between civilian participation and organized involvement in hostilities.
In responding to cyber‑hostilities, States must therefore proceed with great caution. They are required to presume civilian status,16 including for private contractors and civilian employees, unless and only for such time as they take a direct part in hostilities.17 This presumption must be especially robust where children are known or suspected to be involved. Armed forces and armed groups should also give a wide berth to any activities that might be construed as online recruitment, and States must rigorously enforce not only the prohibitions relating to armed groups but also all rules governing hazardous child labour.18
The protections afforded to children do not diminish because the means of warfare have evolved.
The path forward
The Paris Principles affirm that protection and reintegration measures extend to any child associated with an armed force or armed group, regardless of whether the child took direct part in hostilities.19 This principle, too, is technology-agnostic: the protections afforded to children do not diminish because the means of warfare have evolved. Children participating in cyber-operations in conflicts fall squarely within this protective framework and should benefit from the same rights to assistance, recovery, and reintegration. Protection measures should ensure that children involved in cyber operations are treated primarily as victims,20 with child‑sensitive procedures and support systems. Accountability must focus on adult recruiters and exploiters, while domestic legislation should be harmonized with CRC obligations to address cyber‑specific forms of exploitation.
International law does not merely protect children and punish those who recruit or use them in hostilities; it also imposes a proactive duty on States to take “all feasible measures” to prevent children’s participation in hostilities in the first place.21 In the digital sphere, fulfilling this obligation requires a tailored combination of legal, administrative, and technical measures, such as ensuring the segregation of military and civilian digital assets, implementing human‑rights‑compliant digital monitoring, and preparing for and responding effectively to cyber‑operations.
The Committee on the Rights of the Child has made this obligation explicit: “States parties should ensure that children are not recruited or used in conflicts, including armed conflicts, through the digital environment. That includes preventing, criminalizing and sanctioning the various forms of technology‑facilitated solicitation and grooming of children, for example, through use of social networking platforms or chat services in online games”.
Effective prevention must encompass strengthened digital literacy, early detection of recruitment or use efforts by the full range of actors, and enhanced accountability for online platforms whose services may be misused to target children. And because cyber‑recruitment transcends borders with ease, international cooperation is indispensable to meeting States’ obligations under Article 4 of the CRC to implement children’s rights to the maximum extent of available resources.
As cyber operations and hostilities become an increasingly prominent feature of global security and criminal landscapes, children must be kept out of them and all States must ensure that the rights and welfare of children remain at the centre of legal and policy responses.
1. Convention on the Rights of the Child 1990 art 38(1)-(3); Optional Protocol to the Convention on the Rights of the Child on the involvement of children in armed conflict 2000 arts 1–4; Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of International Armed Conflicts (Protocol 1) 1977 art 77(2); Worst Forms of Child Labour Convention 1999 (C182) art 3(a); Rome Statute of the International Criminal Court 1998 art 8(2)(b)(xxvi). The instruments have different prohibitions for different activities and different age cut-offs.
2. ICRC, ‘Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Protocol I), 8 June 1977: Commentary of 1987’ paras 3179, 3183, 3185 <https://ihl-databases.icrc.org/en/ihl-treaties/api-1977/article-77/commentary/1987> accessed 9 December 2025.
3. Committee on the Rights of the Child, ‘General Comment No. 25 (2021) on Children’s Rights in Relation to the Digital Environment’ (United Nations 2021) General Comment CRC/C/GC/25 para 12 <https://undocs.org/CRC/C/GC/25> accessed 16 April 2024.
4. Michael N Schmitt (ed), ‘Conduct of Hostilities’ Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017) r 97, para. 4 (unwitting device use cannot render the child a direct participant in hostilities, but it can dangerously render the device a military objective).
5. Phil Muncaster, ‘Russia Recruits Ukrainian Children for Sabotage and Reconnaissance’ (Infosecurity Magazine, 16 December 2024) <https://www.infosecurity-magazine.com/news/russia-recruits-ukrainian-children/> accessed 26 March 2026.
6. Prosecutor v Fofana and Kondewa (Appeals Judgment) [2008] Special Court for Sierra Leone SCSL-04-14-A [141, 144] (and partially dissenting opinion of Winter J at paras. 11-12).
7. e.g. Rome Statute arts 25, 28; see generally, Cécile Aptel, Atrocity Crimes, Children and International Criminal Courts: Killing Childhood (1st edn, Routledge 2023) 41-44 (treaty history), 68-81 (international criminal jurisprudential history), 81-86 (major issues in child recruitment under international criminal law). <https://doi.org/10.4324/9781003361015> accessed 9 August 2024.
8. See FN4.
9. Aptel (n 7) 90–91.
10. Nils Melzer, ‘Interpretive Guidance on the Notion of Direct Participation in Hostilities under International Humanitarian Law’ (ICRC 2009) 27.
11. Melzer (n 10) 31–35; Michael N Schmitt (ed), ‘The Law of Armed Conflict Generally’ Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017) rr 83, paras. 11-15.
12. Russell Buchan, ‘Cyber Warfare and the Status of Anonymous under International Humanitarian Law’ (2016) 15 Chinese Journal of International Law 741 <https://doi.org/10.1093/chinesejil/jmw041> accessed 21 May 2024; Schmitt, ‘Conduct of Hostilities’ (n 4) r 87, paras 10–13; Prosecutor v Lubanga - Conviction [2012] International Criminal Court ICC-01/04-01/06 [537]; Sylvain Vité and Isabelle Gallino, ‘Decentralized Armed Groups: Can They Be Classified as Parties to Non-International Armed Conflicts?’ (2024) 106 International Review of the Red Cross 931 <https://doi.org/10.1017/S1816383124000560> accessed 20 January 2025.
13. ‘The Ministry of Defence Cadet Forces’ (GOV.UK, 26 May 2021) <https://www.gov.uk/guidance/the-cadet-forces-and-mods-youth-work> accessed 22 March 2026; ‘AFA CyberPatriot Website’ <https://www.uscyberpatriot.org/> accessed 7 October 2024.
14. Measures for a high common level of cybersecurity across the Union 2022 (Directive (EU) 2022/2555) art 12(1), 23 (note Article 2 on scope).
15. ‘Cyber Hacktivists Are Busy Undermining Putin’s Invasion’ (Good Authority, 3 February 2010) <https://goodauthority.org/news/cyber-hacktivists-are-busy-undermining-putins-invasion/> accessed 13 June 2024; David Wallace, Shane Reeves and Trent Powell, ‘Direct Participation in Hostilities in the Age of Cyber: Exploring the Fault Lines’ (2021) 12 Harv. Nat’l Sec. J. 164.
16. GC-AP 1 1977; Compare Schmitt, ‘Conduct of Hostilities’ (n 4) r 95 and discussion therein.
17. Melzer (n 10) 37–40.
18. Worst Forms of Child Labour Convention.
19. UNICEF, ‘The Paris Principles: Principles and Guidelines on Children Associated with Armed Forces or Armed Groups’ (UNICEF 2007) para 2.1 <https://www.unicef.org/mali/media/1561/file/ParisPrinciples.pdf>.
20. UNICEF (n 19) Based on international law and standards and on the original Cape Town Principles this document incorporates knowledge and lessons learned and in particular emphasises the informal ways in which boys and girls both become associated with and leave armed forces or armed groups. Taking a child rights-based approach to the problem of children associated with armed forces or armed groups, the Principles underscore the humanitarian imperative to seek the unconditional release of children from armed forces or armed groups at all times, even in the midst of conflict and for the duration of the conflict. CRC arts 39–40.
21. GC-AP 1 1977 art 77(2); CRC art 38(2); Michael N Schmitt (ed), ‘Certain Persons, Objects, and Activities’ Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (2nd edn, Cambridge University Press 2017) r 138, para. 4.
