In 2025, Germany saw a 92 percent increase in data leak site victims, three times the European average, according to Google Threat Intelligence.

In 2025 Germany once again became a focus area for cyber extortion operations across Europe. Postings on data leak sites that listed German organizations rose markedly. Globally the number of such postings increased by nearly 50 percent during the year. The growth observed in Germany exceeded the rate recorded in neighboring countries and returned the country to levels of activity last seen in 2022 and 2023.

The picture was different in 2024, when the United Kingdom recorded the highest number of listed victims. Germany moved ahead in 2025. The change cannot be attributed simply to the total number of enterprises operating in the country: Germany has fewer active companies than France or Italy. The appeal to extortion groups stems instead from the advanced nature of the German economy and the extent of digitization within its industrial base.

The volume of German victims listed on data leak sites grew by 92 percent between 2024 and 2025. This rate represented three times the average growth recorded across Europe as a whole. Activity directed at organizations in the United Kingdom decreased during the same period while volumes in non-English speaking countries rose. Several linked factors explain the development. Cyber criminal groups have adopted artificial intelligence tools to automate the localization of attacks and related communications. The technology has reduced the protective effect that language differences once provided. At the same time the groups have redirected attention toward the German Mittelstand. This segment of the economy consists of small and medium-sized enterprises that often operate in specialized manufacturing and engineering fields and form a central part of German industrial output.

Larger organizations in North America and the United Kingdom have improved their security controls or resolved incidents through private arrangements supported by cyber insurance. The result has been a movement by threat actors toward markets they regard as offering higher success rates. Evidence of this deliberate focus appears in public advertisements placed by actors on criminal forums. Some actors have sought business partnerships that grant access to German companies and have proposed sharing a portion of any resulting extortion payments. One actor identified as Sarcoma has pursued such arrangements since November 2024 while targeting businesses in several developed economies including Germany.

Numbers drawn from data leak sites must be interpreted with care. These platforms publish information only in cases where victims decline to initiate or complete payment negotiations. A documented decline in the proportion of organizations that pay ransoms may therefore contribute to the higher volume of postings. Groups appear to employ public listing of stolen data as a secondary pressure mechanism once initial demands are refused.

The cyber criminal ecosystem itself experienced internal turbulence and external pressure in 2025. Law enforcement operations and conflicts within major groups such as LockBit and Alphv reduced the dominance of a small number of large operations. The resulting reduction in capacity at the top of the market allowed a wider set of mid-tier groups to expand their share of activity. In Germany this rebalancing produced a more varied distribution of attacks.

SafePay accounted for postings related to 76 German companies in 2025. That total represented 25 percent of all German victims listed on data leak sites during the year. Qilin increased its operational pace in Germany by a factor of three during the third quarter of 2025. The group continued the pattern into early 2026 with 13 additional German victims posted. The expansion in Germany has occurred alongside the group’s broader international growth but has maintained a consistent emphasis on German targets.

Data on the size of affected organizations further clarifies the targeting pattern. Companies with fewer than 5,000 employees accounted for 96 percent of all ransomware-related data leaks recorded in Germany in 2025. The proportion aligns closely with the overall structure of the German economy in which small and medium-sized enterprises predominate. The figure counters the assumption that only large corporations attract attention. Smaller organizations frequently operate with more limited dedicated security personnel and specialized resources. This makes them practical targets for groups seeking reliable returns with lower resistance.

The concentration on smaller firms carries secondary consequences for larger enterprises. Many large German companies maintain extensive networks of suppliers and contractors. These third parties often process sensitive data or retain privileged access to corporate systems. Attackers can exploit such connections to move laterally toward higher-value objectives. Organizations at the top of supply chains can reduce exposure by moving beyond passive monitoring of vendors. Structured third-party risk management approaches that include vendor tiering and mandatory security controls such as multifactor authentication limit the pathways favored by current attack methods.

The distribution of victims across economic sectors shows both continuity and change. Manufacturing remained the most affected industry at 23 percent of all recorded leaks. Legal and professional services followed at 14 percent and recorded growth during the year. Construction and engineering accounted for 11 percent while retail represented 10 percent. The rise within legal and professional services reflects the type of information these firms routinely manage. They serve as custodians of client data that includes intellectual property details, financial strategies and plans related to mergers and acquisitions. Such material offers extortion groups leverage that extends beyond the immediate victim to a wider client base.

The developments recorded in 2025 indicate that the volume of cyber extortion activity affecting Germany has returned to the elevated levels observed in 2022 and 2023. The European threat environment has grown more varied. Activity now extends across a broader range of languages and national markets. The contraction of formerly dominant groups has produced a more competitive field populated by agile mid-tier operators. Groups such as SafePay and Qilin have expanded their presence in Germany in parallel with their international operations. Their activity centers on the Mittelstand and the professional services sector where supply chain linkages create additional points of entry. Vulnerabilities at the level of smaller organizations can therefore propagate upward through industrial networks.

These patterns are likely to persist into 2026. Organizations of all sizes in Germany and across Europe face the need to monitor an environment characterized by greater diversity of actors and continued pressure on non-English speaking economies. The combination of technological adaptation by criminals and structural features of the German economy has sustained the country’s position within the European cyber extortion landscape.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
