Germany Surges as Prime Target in European Cyber Extortion Wave – 92% Spike in 2025

Breaking: Germany Overtakes UK as Top European Data Leak Target

Germany has reclaimed its position as the epicenter of cyber extortion in Europe, with data leak site (DLS) postings involving German organizations surging 92% in 2025 compared to the previous year. This explosive growth rate triples the European average, marking a stark intensification of ransomware activity that now outpaces all neighboring nations.

According to Google Threat Intelligence (GTI) data, the jump is both sudden and severe. After a relative dip in 2024, when the United Kingdom held the lead as the most-targeted European country, Germany is once again under concentrated assault by ransomware groups and data extortionists.

“Germany’s rapid return to the top of the European victim list is no coincidence. The digital sophistication of its industrial base, combined with a large number of mid-sized enterprises that are still maturing their defenses, makes it an incredibly fertile ground for cybercriminals,” said Jamie Collier, senior threat intelligence analyst at Google.

The speed of the escalation is unprecedented: DLS posts targeting German entities grew from around 115 in 2024 to over 220 in 2025. This represents not just a numerical increase but a shift in criminal strategy across the continent.

Background: The Shifting European Threat Landscape

Throughout 2022 and 2023, Germany endured a sustained period of heavy cyber extortion pressure, only to see the United Kingdom become the primary focus in 2024. Now the pendulum has swung back decisively. The change is not driven by the sheer number of companies—Germany actually has fewer registered enterprises than France or Italy. Instead, its appeal stems from its status as a leading advanced European economy with a deeply digitized industrial sector.

While total DLS posts globally rose nearly 50% in 2025, the distribution within Europe changed dramatically. English-speaking nations like the UK saw a cooling of activity, while non-English-speaking nations—particularly Germany—absorbed the brunt of the surge. This “linguistic pivot” reflects a maturing cybercriminal ecosystem that now leverages AI to automate high-quality localization, effectively eroding historical protections offered by language barriers.

Equally important is the shift in victim profiles. Larger “big game” targets in North America and the UK have improved their security posture and often use cyber insurance to resolve incidents privately, making them less profitable for extortion groups. Threat actors are now pivoting to the “ripe markets” of the German Mittelstand—small and medium-sized enterprises that are digitized but relatively defenseless.

What This Means for German Businesses and European Cyber Defense

The 92% surge in German data leak victims signals that cybercriminals are systematically reallocating resources toward regions they perceive as weaker. Google Threat Intelligence Group (GTIG) has observed multiple criminal groups posting advertisements specifically seeking access to German companies, offering a share of extortion fees to brokers who deliver entry points.

“We are seeing threat actors like Sarcoma openly advertise for access to German firms. These groups are not opportunistic; they are methodically targeting a market they believe will generate high returns,” explained Robin Grunewald, a threat intelligence lead at GTI.

This development has critical implications for German cybersecurity strategy. The Mittelstand, which forms the backbone of the German economy, is now in the crosshairs. Without significant investment in detection, response, and employee training, the trend is likely to accelerate. Furthermore, the use of AI to churn out convincing, localized phishing and ransomware payloads means even small companies can no longer rely on obscurity.

For the rest of Europe, the German surge serves as an early warning. If criminals can so efficiently pivot to a new target set, no country is immune. The data highlights the need for cross-border intelligence sharing and proactive defense measures. As the landscape evolves, one thing is clear: the pressure on German infrastructure is not easing—it is building.

• 2025 German DLS victim count: approximately 220+ (up from ~115 in 2024)
• European average growth rate: ~30%
• Primary driver: weak defense posture in Mittelstand firms, AI-enabled localization, decline in UK/NA big-game hunting

The clock is ticking for German businesses to fortify their defenses before the next wave hits.