Germany reclaimed its position as a primary focus for cyber extortion in Europe in 2025, Google Threat Intelligence says. The country’s infrastructure is being hit harder and faster than targets in neighboring countries.
Google’s research shows that Germany is being hit more often than any other European country. This pivot allegedly reflects a resurgence of the intense pressure observed across German infrastructure during the 2022-2023 period.
According to the tech giant’s analysts, Germany’s “sustained appeal to extortion groups is driven by its status as an advanced European economy with an increasingly digitized industrial base.”
The escalation is indeed speedy. Following a relative cooling of activity in 2024, Germany saw a 92% increase in leaks in 2025, a rate that tripled the European average, Google Threat Intelligence said in a blog post.
The researchers see a clear pattern. Data leak site posts for UK-based organizations are now rarer, while posts for organizations in non-English-speaking countries – particularly Germany – are surging. This can be explained by several converging factors.
“The continued maturation of the cybercriminal ecosystem, including the use of AI to automate high-quality localization, is further eroding the historical protection offered by language barriers,” said Google Threat Intelligence.
However, victim profiles are also shifting. As larger targets in North America and the UK improve their security posture or utilize cyber insurance to resolve incidents privately, threat actors appear to be pivoting toward the ripe markets of the German Mittelstand.
Cybercriminal groups are even posting ads seeking access to German companies and offering a cut of any extortion fees collected from victims.
For example, in November 2024, the threat actor known as Sarcoma targeted businesses across several highly developed nations, including Germany.
The situation may seem dire, but Google Threat Intelligence notes that a degree of caution is warranted.
According to the researchers, relying solely on data leak site numbers can be misleading, as threat actors typically only post victims who refuse to initiate or complete extortion negotiations.
“Public reporting on the decline in ransom payment rates may be partially fueling the steady increase in shaming site posts as a secondary pressure tactic,” the report claims.
“Consequently, while the surge in Germany remains a critical trend, these metrics should be viewed as one component of a broader, more complex threat landscape.”
Indeed, 2025 was characterized by significant turbulence in the cybercriminal ecosystem, driven by internal conflicts and aggressive law enforcement actions against dominant "big game" operations like LockBit and ALPHV.
“The resulting vacuum at the top of the ransomware market has led to a more crowded field of agile, mid-tier data leak site brands. In Germany, this rebalancing is highly visible: as established brands receded, a wider pool of competitors emerged to absorb the market share,” explained Google Threat Intelligence.
Ransomware groups such as SafePay and Qilin, for example, have now gained significant prominence within the German landscape. SafePay, in particular, claimed breaches of 76 German companies in 2025, accounting for 25% of all German victim posts that year.
Just like Germany, France is a relevant target for cyberattacks for at least two reasons: a strong economy and its geopolitical alignment with the European Union and NATO.