Germany Surges as Europe's Top Cyber Extortion Hotspot in 2025
Germany has overtaken the United Kingdom to become the primary target for cyber extortion in Europe, according to new data from Google Threat Intelligence (GTI). Data leak site (DLS) posts targeting German entities skyrocketed by 92% in 2025 compared to the previous year, a growth rate three times the European average.
“This isn't about the sheer number of companies—Germany actually has fewer active businesses than France or Italy,” said Jamie Collier, a senior threat intelligence analyst at Google. “Instead, its advanced, digitized industrial base makes it a uniquely ripe market for extortion groups.”
Background
Germany's vulnerability is a return to form. During 2022 and 2023, the country faced intense pressure from ransomware groups, but a relative lull followed in 2024 as the UK briefly took the lead. Now, threat actors have pivoted back, exploiting new tools and tactics.
European DLS posts rose nearly 50% globally in 2025, but Germany's spike dwarfs that trend. The shift also reflects a “linguistic pivot”: criminals are using AI to automate high-quality localization, eroding the protection that language barriers once offered.
Key Drivers
- Maturation of cybercriminal ecosystem: AI-powered translation and localization tools let groups target non-English-speaking nations with precision.
- Shift in victim profiles: Large “big game” targets in North America and the UK have hardened defenses or use insurance for private settlements, pushing attackers toward Germany's Mittelstand—small and medium enterprises with weaker security.
- Active recruitment: Google Threat Intelligence Group has observed criminal forums where groups advertise for access to German companies, offering a cut of extortion fees.
“For example, the threat actor known as Sarcoma has been targeting businesses in several developed nations, including Germany, since at least November 2024,” said Robin Grunewald, a GTI researcher.
What This Means
Germany's industrial backbone—its digitized manufacturing, logistics, and engineering firms—faces an elevated and sustained risk. Unlike the UK, where leak volumes have cooled, German infrastructure is under the most intense pressure since 2022–2023.
Organizations must urgently assess their exposure. The combination of AI-driven localization and a focus on the Mittelstand means no sector is safe. Cyber insurance may offer post-breach relief, but prevention—through robust backup systems, employee training, and threat intelligence sharing—remains critical.
“This is a clear signal that attackers are following the path of least resistance,” Collier added. “Germany's digital economy is a prime target, and the pace of escalation shows no sign of slowing.”
Related Articles
- SentinelOne AI Thwarts Major Supply Chain Attack Targeting CPU-Z Utility; Attackers Compromised Official Download Site
- How to Safeguard Your Enterprise from Shadow AI Agents with Microsoft Agent 365
- 5 Critical Facts About the .NET 10.0.7 Out-of-Band Security Patch
- Meta's Enhanced Security for End-to-End Encrypted Backups: Key Updates and How They Work
- Former Ransomware Negotiators Sentenced to Prison for Involvement in BlackCat Cyberattacks
- How to Design Accessible Session Timeouts for Users with Disabilities
- Anatomy of a Supply Chain Attack: How Hackers Weaponized LiteLLM to Steal Your Data
- Ex-Ransomware Negotiators Sentenced to 4 Years for Role in BlackCat Attacks