Germany Returns as Prime Target: Behind the Surge in European Data Leaks

In 2025, Germany reclaimed its position as the primary focus of cyber extortion in Europe, with data leak site (DLS) posts rising nearly 50% globally and hitting German infrastructure especially hard. According to Google Threat Intelligence data, the country experienced a 92% increase in leaked records compared to 2024—triple the European average. This shift marks a significant return to the intense pressure observed during 2022 and 2023, after a brief period where the United Kingdom led in victim numbers. The surge is driven by Germany's advanced digital economy, a pivot toward the Mittelstand (small and medium-sized enterprises), and cyber criminals leveraging AI to overcome language barriers. Below, we explore the key questions surrounding this escalation.

1. Why has Germany become the top target for cyber extortion in Europe again?

Germany's return as the leading target in 2025 stems from its position as an advanced European economy with a highly digitized industrial base. France and Italy have more active enterprises, but Germany's appeal lies in the Mittelstand, a sector of mid-sized companies that often possess valuable intellectual property but may have weaker cybersecurity postures compared to larger firms in North America or the UK. Cyber criminals see these businesses as ripe markets for extortion. Additionally, as big game hunting in English-speaking regions becomes harder due to improved defenses and private insurance settlements, threat actors are pivoting to non-English-speaking markets, where language barriers have historically offered some protection but are now being eroded by AI-powered localization tools.

Source: www.mandiant.com

2. How much did data leak site posts increase for Germany in 2025?

According to Google Threat Intelligence (GTI), Germany saw a dramatic 92% increase in the number of victims listed on data leak sites in 2025 compared to the previous year. This growth rate is triple the European average, highlighting an accelerated escalation. The surge followed a relative cooling in 2024, when the United Kingdom led in DLS posts. The speed of this rebound underscores how quickly German infrastructure became a prime target again, with the country now facing pressure levels similar to the highs seen in 2022 and 2023. This data is visualized in Figure 2 of the original report, showing a sharp upward trend that outpaces regional peers.

3. What role does the German Mittelstand play in this shift?

The Mittelstand—Germany's backbone of small and medium-sized enterprises (SMEs)—is a key driver of the cyber extortion surge. Unlike larger corporations that can afford robust defenses and cyber insurance, many Mittelstand firms are less prepared for sophisticated attacks. They often hold critical data such as trade secrets, customer information, and operational blueprints, making them lucrative targets. Cyber criminals have recognized this vulnerability, especially as larger targets in North America and the UK hardened their defenses. The shift toward the Mittelstand reflects a broader trend of attackers moving from big game hunting to exploiting ripe markets where security gaps persist but economic value remains high.

4. How are cyber criminals using AI and localization to bypass language barriers?

Language barriers have historically protected non-English-speaking nations like Germany from some cyber extortion campaigns. However, the maturation of the cyber criminal ecosystem now includes the use of AI to automate high-quality localization. Threat actors can generate convincing phishing emails, ransom notes, and negotiation scripts in German with proper grammar and cultural context, making attacks more effective. This technological advancement erodes the historical linguistic shield, allowing criminals to target German companies with precision. The Google Threat Intelligence Group (GTIG) has observed multiple groups offering access to German companies and a share of extortion fees, indicating a strategic pivot backed by these new capabilities.

5. What evidence shows threat actors actively seeking access to German companies?

Google Threat Intelligence Group (GTIG) has documented multiple cyber criminal groups posting advertisements on underground forums, specifically seeking access to German companies. For example, since November 2024, a threat actor known as Sarcoma has targeted businesses across several developed nations, with Germany as a prominent focus. These advertisements often offer a percentage of any extortion fees obtained from victims, creating a marketplace for initial access brokers. This active recruitment and targeting underscores the deliberate pivot toward Germany, as criminals view the country's digital infrastructure as both vulnerable and high-reward.

6. How does Germany's industrial digitization contribute to its appeal?

Germany's increasingly digitized industrial base makes it exceptionally attractive to cyber extortionists. Sectors like automotive manufacturing, engineering, chemicals, and logistics have embraced digital transformation, creating a wide attack surface. Industrial control systems, supply chain networks, and proprietary R&D data are high-value targets that criminals can exploit. The Industrie 4.0 initiative has integrated IT and operational technology, but not all companies have matched this integration with proportional cybersecurity investments. This gap, combined with the economic importance of these industries, means that even a single successful breach can yield significant ransom payments or data leak profits.
