Germany Surges as Top European Cyber Extortion Target – Data Leak Posts Jump 92% in 2025

Germany has reclaimed its position as Europe's primary focus for cyber extortion in 2025. Data leak site (DLS) posts targeting German organizations surged 92% compared to 2024—three times the European average—according to Google Threat Intelligence (GTI) data. The spike marks a dramatic return to the intense pressure levels seen in 2022–2023, hitting German infrastructure harder and faster than neighboring countries.

“This is not just a bounce back; it’s an acceleration,” said Robin Grunewald, a senior threat analyst at GTI. “The speed of escalation caught many by surprise—Germany went from a relative calm in 2024 to a full-blown crisis in 2025.” The shift follows a 2024 period where the UK led in DLS victims, but now cyber criminals have pivoted aggressively toward German targets.

Why Germany? Analysts point to its status as an advanced European economy with a highly digitized industrial base. Despite having fewer active enterprises than France or Italy, Germany’s Mittelstand—mid-sized industrial companies—presents a “ripe market” for extortion. “These firms are digitized but often under-resourced in cybersecurity,” said Jamie Collier, a GTI researcher. “Threat actors see them as low-hanging fruit.”

Background

Germany’s return to prominence follows a global 50% rise in DLS posts in 2025. While the UK saw postings cool, non-English-speaking nations—especially Germany—witnessed a surge. This “linguistic pivot” is driven by the maturation of the cyber criminal ecosystem, including the use of AI to automate high-quality localization of extortion materials, eroding the historical protection of language barriers.

Google Threat Intelligence Group has observed multiple criminal groups actively advertising for access to German companies, offering a cut of extortion fees. For example, since November 2024, the threat actor known as Sarcoma has targeted businesses across several highly developed nations, including Germany. These groups are shifting from “big game” targets in North America and the UK, where security posture improvements and private cyber insurance settlements reduce public leak volume.

The data also reveals that the growth rate is not an outlier due to economy size. Germany’s 92% increase in victim listings on DLS platforms triples the European average, underscoring a targeted campaign rather than a general uptick. “We’re seeing a convergence of factors: automated localization tools, a pivot to the Mittelstand, and a criminal ecosystem that’s now industrialized,” Collier added.

What This Means

For German businesses, this surge signals an urgent need to bolster defenses. The Mittelstand, which forms the backbone of the German economy, faces heightened risk as criminals exploit digital supply chains and weak incident response. “The threat is no longer just to large corporations,” Grunewald warned. “Every digitized SME in Germany is a potential target now.”

Policymakers in Berlin and Brussels must act quickly. The European Union’s NIS2 directive and Germany’s own IT security law may need stricter enforcement for mid-sized firms. Additionally, cross-border intelligence sharing and public-private partnerships are critical to counter the industrialized cybercrime ecosystem. “We can’t afford a wait-and-see approach,” said Collier. “The criminals are moving faster than the defenses.”

The return of Germany as a primary cyber extortion arena also reshapes regional priorities. Neighboring countries should expect spillover effects as threat actors expand their playbook. For now, all eyes are on Berlin’s response—and on the shadowy groups that have made German data leaks their new gold mine.