In 2025, a dramatic shift in Europe's cyber extortion landscape has placed Germany back in the crosshairs. After a brief period where the United Kingdom led in data leak site (DLS) victims, Germany now faces a surge in attacks that is outpacing its neighbors. This Q&A explores the key drivers behind this resurgence, from the role of AI in overcoming language barriers to the strategic pivot toward German midsize companies.
What is the current state of cyber extortion in Germany compared to other European countries?
Germany has reclaimed its position as the primary target for cyber extortion in Europe in 2025. According to Google Threat Intelligence data, data leak site posts rose nearly 50% globally, but Germany experienced an even sharper increase. The country now accounts for a disproportionately high share of European DLS victims, surpassing the United Kingdom, which had led in 2024. This is particularly striking because Germany has fewer active enterprises than France or Italy, meaning the spike isn't due to sheer company numbers. Instead, it reflects a targeted campaign by cybercriminal groups drawn to Germany's advanced, digitized economy and its industrial base. The speed of escalation is notable: after a relative lull in 2024, Germany saw a 92% growth in leaks in 2025—a rate three times the European average.
Why have cybercriminals pivoted back to targeting German infrastructure?
Several factors have driven cybercriminals to refocus on Germany. One key reason is the evolution of the cybercriminal ecosystem. The use of AI to automate high-quality localization has eroded the historical protection that language barriers once provided. This "linguistic pivot" allows threat actors to effectively target non-English speaking countries like Germany. Additionally, larger "big game" targets in North America and the UK have bolstered their security postures or use cyber insurance to settle incidents privately, making them less attractive. In response, criminals have shifted toward what they see as "ripe markets"—particularly the German Mittelstand, a sector of midsize, often family-owned companies that are heavily digitized but may lack the robust defenses of larger corporations. Germany's status as an advanced European economy with a highly digitized industrial base makes it a prime candidate for extortion attempts.
What role does AI play in the increased targeting of Germany?
Artificial intelligence is a critical enabler of the shift toward Germany. Google Threat Intelligence notes that cybercriminals are using AI to automate the creation of high-quality, localized content—such as phishing emails, ransom notes, and even entire data leak site posts—in German. This technology eliminates the need for human translators or native speakers, allowing attacks to scale rapidly across language barriers. Historically, non-English speaking countries like Germany benefited from a "language protection" because many threat actors operated in English. AI now makes it easy to craft convincing German-language lures, increasing the effectiveness of campaigns. The sophistication of these AI-generated materials also makes them harder to distinguish from legitimate communications, thereby lowering the barrier for attackers to target German organizations, especially smaller ones that may not have advanced detection systems.
How does the shift from the UK to Germany reflect broader European trends?
The pivot from the UK to Germany mirrors a broader European trend where non-English speaking countries are experiencing a surge in cyber extortion while English-speaking nations see a cooling. In 2024, the UK led in DLS victims, but in 2025, its numbers declined, while Germany and other non-English European markets witnessed rapid growth. This divergence is driven by two forces: first, the maturation of the cybercriminal ecosystem, including AI-based localization, as discussed. Second, a strategic shift in target profiles—threat actors are moving away from heavily defended "big game" targets in the US and UK toward the less secure but economically valuable midsize firms in Germany. This doesn't mean the UK is safe, but the locus of attack volume has moved eastward. The trend also suggests that language and culture are no longer reliable shields against cyber extortion.
What evidence is there that cybercriminal groups are actively seeking access to German companies?
Concrete evidence comes from Google Threat Intelligence Group (GTIG), which has observed multiple cybercriminal groups posting advertisements in online forums seeking access to German companies. These ads often offer a proportion of any extortion fees obtained from victims, effectively creating a market for initial network access. One specific example is the threat actor known as Sarcoma, active since November 2024, who has targeted businesses across several highly developed nations, including Germany. Such posts indicate a deliberate, organized effort to acquire footholds in German networks. The willingness to share profits with access brokers highlights how lucrative German targets are perceived to be. This direct solicitation for German company access further confirms that the spike in DLS victims is not random but the result of a coordinated push by ransomware gangs and their affiliates.
What is the German Mittelstand and why is it a prime target?
The Mittelstand refers to the vast segment of small and medium-sized enterprises (SMEs) in Germany that form the backbone of the economy. These are often family-owned, highly specialized, and deeply integrated into global supply chains. Many are leaders in niche manufacturing, engineering, and technology sectors. They are an attractive target for cybercriminals for several reasons. First, despite their digitalization, they often lack the sophisticated cybersecurity resources of large corporations. Second, their critical role in supply chains means that a successful attack can disrupt multiple downstream partners, increasing leverage for extortion. Third, as "big game" hunting becomes harder, threat actors have downgraded to these midsize firms that still have significant financial resources but lower defenses. The combination of high digitization, economic importance, and relatively weaker security makes the Mittelstand a "ripe market" for ransomware and data extortion groups.