Germany Reclaims Top Spot in European Data Leak Landscape
In 2025, Germany has once again become the primary focus of cyber extortion across Europe. While data leak site (DLS) posts increased by nearly 50% globally, Google Threat Intelligence (GTI) reports that the surge is hitting German infrastructure harder and faster than its neighbors, marking a sharp return to the high-pressure levels seen in 2022 and 2023.
The 92% Surge That Triples the European Average
Following a brief slowdown in 2024, when the United Kingdom led in DLS victims, cybercriminals have pivoted back to Germany. The number of German victims listed on leak sites grew by 92% in 2025 compared to the previous year—a growth rate three times the European average. This acceleration is not simply a matter of scale: Germany has fewer active enterprises than France or Italy, yet its appeal to extortion groups remains unmatched.
Why Germany? The Role of Digitized Industry and Mittelstand
Germany’s sustained appeal stems from its status as an advanced European economy with a highly digitized industrial base. The country’s Mittelstand—small and medium-sized enterprises that form the backbone of its economy—are increasingly reliant on digital systems but often lack the robust cybersecurity of larger corporations. Threat actors view these companies as ripe targets: they generate substantial revenue but may have weaker defenses or cyber insurance policies that facilitate private settlements.
This shift in victim profiles is a key driver. As larger “big game” targets in North America and the UK improve their security posture or resolve incidents privately through insurance, criminals are seeking new opportunities in markets like Germany where vulnerabilities persist.
The Linguistic Pivot: AI and Localization Breaking Language Barriers
Another factor is the maturation of the cybercriminal ecosystem. AI-powered tools now automate high-quality localization of extortion messages, enabling attacks that overcome language barriers that once protected non-English-speaking regions. While the United Kingdom saw a cooling of leak site postings in 2025, non-English-speaking nations—particularly Germany—witnessed a surge. This “linguistic pivot” reflects how historical defenses like language are eroding.
Threat Actor Activity: Advertisements and Access Markets
Google Threat Intelligence Group (GTIG) has observed multiple cybercriminal groups actively seeking access to German companies. For example, since November 2024, the threat actor known as Sarcoma has been targeting businesses across highly developed nations, including Germany. These groups post advertisements on underground forums, offering a share of extortion proceeds to anyone who can provide initial access to German networks. This marketplace dynamic accelerates the cycle of targeting.
What This Means for German Organizations
The convergence of these factors—digitized industry, Mittelstand vulnerability, AI-powered localization, and active access markets—means German companies face a uniquely high risk. The speed of escalation is particularly notable: the 92% growth in leaks outpaced every other European nation in 2025.
Organizations are urged to reinforce defenses, monitor for leaked credentials, and ensure incident response plans account for extortion scenarios. As the cybercriminal ecosystem continues to evolve, Germany’s experience may offer lessons for other economies undergoing digital transformation.