Blog: Cybercrime Situation in Germany


Cybercrime Situation in Germany[i]


The rate of cybercrime continues to rise in Germany. For 2020, the German Federal Criminal Police Office (BKA) registered around 108,000 cybercrime offenses directed against the Internet and information technology systems. This number represented a 7.9% increase compared to cases recorded in 2019 and a 23.3% increase compared to 2018. In 2020, this included cases of computer fraud (82,716), deception in legal transactions involving data processing (10,895), computer sabotage (3,770), and spying on data and data theft (10,763).[ii]

In 2019, 75% of German companies in the private sector were victims of cyberattacks. While in 2018 the focus of cyberattacks was on small and medium-sized enterprises, in 2019 the focus shifted to large companies and institutions. These attacks caused damage of around EUR 102 billion. 

Between May 2019 and June 2020, companies that are part of the critical infrastructure in Germany reported 419 incidents, an increase of 66.3%. Most incidents were reported by the financial sector, closely followed by the IT and communications sector.[iii] Such attacks have the potential to cause devastating impact to a country’s operations.

Cybercrime affects business, critical infrastructure, government, public services and institutions as well as citizens and must be considered a primary challenge for society.[iv]

1. Cross-cutting cybercrime facilitators and challenges

1.1 Social engineering and phishing

Criminals can use the theft of digital identities through social engineering (influencing people into acting against their own interest or the interest of an organisation), the use of phishing attacks, malware distribution or capitalising on data breaches for a plethora of cybercrime activities including the access to streaming services, the illegal agreement of contracts and goods orders, virtual mobbing, stalking or online-money transfers.[v]

In Germany, the number of spam emails containing malware increased drastically over the past years. Between 2019 and 2020, an average of 35,000 emails containing malware were detected in the German government’s networks every month.[vi]

1.2 Criminal use of cryptocurrencies

Cybercriminals use cryptocurrencies for money transfers on the dark web or in requests for ransomware payments. Bitcoin is the most commonly used cryptocurrency for transactions on dark web marketplaces. Some criminals have managed to steal cryptocurrencies from individual and enterprise wallets through so-called ‘exit-scams’, where promoters of a cryptocurrency disappear with investors’ money during or after an initial coin offering.[vii]

1.3 Cybercrime-as-a-Service

The cybercrime-as-a-Service (CaaS) business model remains a significant threat, facilitating phishing attacks and the use of malware and ransomware. Cybercriminals who have specialised cyber skills offer their services to other criminals who do not have the technical skills and knowledge to develop specific malware or conduct cyberattacks on their own.[viii]

The BKA distinguishes between nine types of CaaS:

  • Forums and Jabber servers: offering communication services for vendors and customers of criminal services;
  • Bulletproof hosting and proxy provider: offering secure server infrastructures;
  • Marketplaces, shops and AVCs (automated vending carts): offering trading platforms; » Malware development and coding;
  • Malware crypting: making malware undetectable by anti-virus programmes;
  • CAV (counter anti-virus): testing the detection rate of malware by anti-virus programmes;
  • Malware delivery and infection on demand;
  • Drops, mules and cashing out: facilitating the link between the digital and the real world in the criminal activity in delivering goods or cashing out money transfers; as well as
  • Exchanger: exchanging and mixing digital currencies into/with other digital and state currencies.[ix]

1.4 Criminal opportunism in the context of the Covid-19 pandemic

Due to the physical restrictions enacted to halt the virus’s spread, there has been a notable increase in homeworking requiring remote accesses to business resources. The amount of data traffic in Germany increased by 10% compared to the pre-Covid-19 time. VPN servers became lucrative targets for cyber attackers.[x]

Between January and April 2020, the registration of new domain names related to Covid-19 peaked at 116,357. Almost 2% of these new domains were considered malicious, and more than a third as highly risky. Of the 2,022 malicious domains, approximately 16% hosted phishing sites and the remaining 84% for various malware. Between January and July 2020, more than 95,000 cyberattacks had been conducted in Germany using a Covid-19 narrative.[xi]

2. Cyber-dependent crime

2.1 Malware

Malware is widely present in cybercrime. Criminals use malware for spying on and forwarding account data such as usernames and passwords; manipulating or destroying data, illegally utilising computing power for crypto-mining, encrypting data, constructing botnets for DDoS attacks or remotely controlling IT systems.[xii] In the past years Emotet was one of the most harmful malwares available. Given its versatile use, Emotet acted as a banking Trojan that served as a loader/dripper to deliver additional malware payloads such as Ryuk ransomware and TrickBot. TrickBot extracts sensitive data from IT systems and transfers them to an external command and control server. Ryuk encrypts data and requests ransom.[xiii]

Other malware that has been delivered subsequently to Emotet included software for manipulating online banking, spying out passwords in web-browsers and email; conducting DDoS attacks; and extracting information from email address lists.[xiv]

2.2 Ransomware

In 2020, ransomware attacks further increased. Common ransomware includes:

  • Software that does not encrypt data on a hard drive but blocks the user’s access to the system;
  • Crypto-ransomware that encrypts data in the IT systems of PCs or network servers;
  • So-called ‘Wipers’ that do not intend to de-encrypt the data after the ransom has been paid but destroy the infected data.

In 2020, ransomware attacks focused primarily on state institutions and big private sector companies. However, universities and hospitals have increasingly become targets too.[xv] The typical modus operandi of ransomware attacks has been modified by including ‘double extortion’ attacks, where criminals threaten to encrypt the data and publish sensitive data before it is encrypted if the ransom is not paid. The ransomware Maze, Nemty and Sodinokibi were used for such attacks, and criminals posted the data on ‘public-shaming’-websites. Since 2020, the ransomware Doppelmayer is increasingly being used. The BKA expects that these types of attacks will further increase. In the Ransomeware-as-a-Service business model, one criminal group develops the ransomware, while the so-called operators load the ransomware onto the target system.[xvi]

2.3 Distributed Denial of Service (DDoS)

The number and intensity of DDoS attacks further increased in 2020. With DDoS attacks, criminals aim to disrupt and block websites, servers, or networks of public or private sector institutions to make their services unavailable. For DDoS attacks, a botnet infects vast numbers of PCs allowing them to be remotely controlled.[xvii] In 2020, up to 20,000 BotInfections of German IT systems were registered every day, and the longest attack lasted for 107 hours.[xviii]

3. Criminal abuse of the dark web

Market places on the dark web often facilitate the trade of illegal goods such as illicit narcotics; licensed chemicals; weapons and explosives; child sexual exploitation material; counterfeit money and forged documents, stolen goods and counterfeit branded items; stolen user credentials and credit card data; malware, guidance for committing crimes; as well as information about and services for money laundering. Illicit drugs remain the main commodity traded on the dark web.[xix]

Dark web forums provide a platform for discussions, sharing of information and experience, announcements between vendors and customers, and ratings of the reliability and quality of vendors and their goods. Other major discussion topics are operational security issues, such as the concealment of user identities, safe communication methods, and the latest investigation techniques by LEAs.[xx]

4. Future challenges and opportunities

Cybercrime continues to rise in Germany. Cybercriminals have become more sophisticated in their attacks. Attacks are growing in technical complexity by dividing labour among cyber experts within the CaaS business model, where several specialists conduct different steps during a cyberattack.[xxi]

As cybercrime affects all of society, it is vital to raise awareness of the threat of cybercrime and potential mitigating measures among internet users, public institutions and private enterprises alike. This education must include essential elements such as handling email or the need to create frequent data back-ups. The adoption of IT security concepts is indispensable for public and private enterprises and institutions.[xxii]

4.1 LEA capacity building for the fight against cybercrime

To counter the rising threat of cybercrime, Germany has increased the capacity of specialised cybercrime units at the federal and state police levels. At the federal level, the BKA set up a new cybercrime department in April 2020. The aim is to pool the competencies within the BKA to combat cybercrime and advance the necessary specialisation of staff in this area. The new cybercrime department will gradually grow over the next few years to around 280 staff, including forensic officers, analysts and IT experts with a wide range of specialisations.[xxiii]

Given the transnational nature of cybercrime, there is a need for practical international law enforcement cooperation in the fight against cybercrime. The cybercrime department coordinates the international exchange of information.

As an example of such international law enforcement cooperation, in January 2021, law enforcement and judicial authorities from Canada, France, Germany, Lithuania, the Netherlands, the UK, the USA and Ukraine countries with coordination support from Europol and Eurojust disrupted the “world’s most dangerous malware” Emotet.[xxiv] LEAs gained control of the Emotet infrastructure, including several hundreds of servers located across the world. They took the infrastructure down from the inside by redirecting the victim’s infected machines towards law enforcement-controlled infrastructure.[xxv] While this operation was celebrated as a huge success, LEAs noted a return of the Emotet malware just 10 months later. In November 2021, the malware was discovered on infected machines using Trickbot’s infrastructure. Emotet was being spread via spam and phishing emails which contained infected Word, Excel, and Zip files that deploy Emotet on the victim host. It was expected that Emotet would in future also be spread again with links in emails that lead to malicious office files, or through malicious Windows App Installer packages pretending to be Adobe software.[xxvi] This example demonstrates how difficult the fight against sophisticated cybercriminals is.


[i]     See Bundeskriminalamt (BKA), 2021, Cybercrime. Bundeslagebild 2020, Wiesbaden 2021 [Cybercrime. Federal Situation Picture 2020], pp. 8ff., retrieved from:

[ii]     See Bundesamt für Sicherheit in der Informationstechnik (BSI), 2020, Die Lage der IT-Sicherheit in Deutschland 2020, Bonn 2020 [Federal Office for Information Security: The State of IT Security in Germany in 2020], p. 36, retrieved from: Publikationen/ Lageberichte/Lagebericht2020.pdf?__blob=publicationFile&v=2; and BKA, 2020a, Cybercrime. Bundeslagebild 2019, Wiesbaden 2020 [Cybercrime. Federal Situation Picture 2019], p. 50, retrieved from:;jsessionid=84ADE59C8966B97AB919A84BE5E55CBA.live0612.

[iii]     See BKA 2020a, p. 54.

[iv]     See BKA 2020a, p. 7.

[v]      See BSI 2020, p. 37.

[vi]     See BKA 2020a, p. 31.

[vii]    See Europol 2020, Internet Organised Crime threat Assessment 2020, pp. 27 + 31, retrieved from; BKA 2020a, p. 35; and BKA 2021a, pp.12f. 

[viii]    See BKA 2020a, pp. 36-40; and BKA 2021a, p. 45f.

[ix]     See BKA 2020b, Sonderauswertung Cybercrime in Zeiten der Corona-Pandemie, Wiesbaden 2020 [Special Analysis Cybercrime in Times of Corona Pandemic], p. 5, retrieved from: Cybercrime/cybercrimeSonderauswertungCorona2019.html?nn=28110.

[x]     See BKA 2020b, pp. 6 + 10.

[xi]     See BKA 2020a, p. 12.

[xii]    See BKA 2020a, pp. 16f.

[xiii]    See BKA 2020a, p. 17.

[xiv]    See BKA 2020a, p. 21 and BSI 2020, p. 13.

[xv]     See BKA 2020a, pp. 21f; and BKA 2021a, pp. 22 + 26. 

[xvi]    See BKA 2020a, p. 25.

[xvii]   See BSI 2020, p. 16.

[xviii]    See BKA 2020a, p. 30.

[xix]     See BKA 2020a, p. 32.

[xx]    See BKA 2020a, p. 53.

[xxi]    See BKA 2020a, p. 54.

[xxii]   See BKA 2020c, Bundeskriminalamt stärkt die Cybercrimebekämpfung [BKA strengthens the fight against cybercrime], press release on 01.04.2020, retrieved from:

[xxiii]  See Europol 2021, Word’s most dangerous malware Emotet disrupted through global action, Europol Press release of 27 January 2021, retrieved from:

[xxiv]  See Europol 2021.

[xxv]   See BSI 2021, BSI Cyber Sicherheitswarnung, [Cyber Security Alert], CSW-Nr. 2021-269890-1132, Version 1.1, 02.12.2021, p. 1, retrieved from:; and Check Point 2021, November 2021’s Most Wanted Malware: Emotet Returns to the Top 10, Press Releases, retrieved from: