Germany has overtaken the United Kingdom to become the primary target for cyber extortion in Europe, according to new data from Google Threat Intelligence (GTI). Data leak site (DLS) posts targeting German entities skyrocketed by 92% in 2025 compared to the previous year, a growth rate three times the European average.
“This isn't about the sheer number of companies—Germany actually has fewer active businesses than France or Italy,” said Jamie Collier, a senior threat intelligence analyst at Google. “Instead, its advanced, digitized industrial base makes it a uniquely ripe market for extortion groups.”
Background
Germany's vulnerability is a return to form. During 2022 and 2023, the country faced intense pressure from ransomware groups, but a relative lull followed in 2024 as the UK briefly took the lead. Now, threat actors have pivoted back, exploiting new tools and tactics.
European DLS posts rose nearly 50% globally in 2025, but Germany's spike dwarfs that trend. The shift also reflects a “linguistic pivot”: criminals are using AI to automate high-quality localization, eroding the protection that language barriers once offered.
Key Drivers
- Maturation of cybercriminal ecosystem: AI-powered translation and localization tools let groups target non-English-speaking nations with precision.
- Shift in victim profiles: Large “big game” targets in North America and the UK have hardened defenses or use insurance for private settlements, pushing attackers toward Germany's Mittelstand—small and medium enterprises with weaker security.
- Active recruitment: Google Threat Intelligence Group has observed criminal forums where groups advertise for access to German companies, offering a cut of extortion fees.
“For example, the threat actor known as Sarcoma has been targeting businesses in several developed nations, including Germany, since at least November 2024,” said Robin Grunewald, a GTI researcher.
What This Means
Germany's industrial backbone—its digitized manufacturing, logistics, and engineering firms—faces an elevated and sustained risk. Unlike the UK, where leak volumes have cooled, German infrastructure is under the most intense pressure since 2022–2023.
Organizations must urgently assess their exposure. The combination of AI-driven localization and a focus on the Mittelstand means no sector is safe. Cyber insurance may offer post-breach relief, but prevention—through robust backup systems, employee training, and threat intelligence sharing—remains critical.
“This is a clear signal that attackers are following the path of least resistance,” Collier added. “Germany's digital economy is a prime target, and the pace of escalation shows no sign of slowing.”