
Germany becomes focal point of escalating DACH cyber campaign amid ransomware, geopolitical attacks


New research from Check Point Software Technologies identified that cyberattacks targeting organizations across Germany, Austria and Switzerland surged 124% in 2025, driven by a sharp rise in hacktivist campaigns and ransomware operations. It also revealed that Germany accounted for more than 80% of all recorded incidents in the DACH region, reflecting its economic significance and geopolitical visibility, particularly its support for Ukraine. Across Europe, the DACH region represented 18% of all tracked cyberattacks, placing Germany ahead of France, Spain and Italy by individual country share.

The report identified website defacement campaigns as the dominant attack type, representing 66% of incidents, largely orchestrated by pro-Russian hacktivist collectives such as NoName057(16), alongside groups including Dark Storm Team and Mr Hamza. At the same time, ransomware activity intensified as financially motivated groups, including Qilin, Akira, and LockBit, continued targeting organizations with weak authentication controls and exposed internet-facing systems.

Check Point researchers said the surge reflects a broader shift in Europe’s cyber threat landscape, where geopolitical disruption campaigns increasingly overlap with profit-driven ransomware operations. Germany accounted for 82% of all cyber incidents recorded across the DACH region, while Switzerland represented 12% and Austria accounted for 8%. Collectively, the DACH region made up 18% of all cyber incidents tracked across Europe.

The post added that “Across Europe, the DACH region represented 18% of all recorded attacks, placing Germany above France, Spain, and Italy by individual country share. The concentration reflects Germany’s economic and political profile.” 

The researchers highlighted that while hacktivists dominated by volume, ransomware accounted for nearly 30% of incidents, making it the most significant financially motivated threat in the region. 

Three groups were particularly active during the reporting period. Akira, which has operated since 2023, targets both Windows and Linux environments and frequently exploits organizations that do not have multifactor authentication in place. Researchers have identified tooling overlaps between Akira and the former Conti ransomware ecosystem. 

Second came Qilin, originally known as Agenda, which operates a RaaS (ransomware-as-a-service) model using a Rust-based cross-platform encryptor. The group combines data theft with file encryption and maintains a dedicated leak portal to increase extortion pressure on victims. Safepay, an emerging double extortion group active since 2024, operates across dark web and TON-based channels, exfiltrating victim data before encrypting systems and threatening publication through leak sites.

The post added that all three groups relied on similar initial access methods, including compromised credentials, exposed remote access services and unpatched enterprise platforms. Researchers said identity security gaps, rather than zero-day exploits or sophisticated new techniques, remained the common denominator across the attacks.

As one of the EU’s largest economies and a significant contributor to Ukraine-support efforts, Germany sits at the intersection of financial targeting and geopolitical signaling, two of the primary motivators behind 2025’s attack activity.

Check Point also identified that defacement was the leading attack type in the region at 66% of incidents, driven almost entirely by hacktivist groups using website vandalism to amplify political messaging. “NoName057(16), a pro-Russian collective focused on DDoS and web disruption, was among the most active throughout the year. Groups including Mr Hamza, chinafans, Dark Storm Team, and Hezi Rash contributed sustained defacement and DDoS activity against public-facing services.” 

The researchers noted that these campaigns were built for speed and visibility: they hit publicly accessible targets, claimed the activity on Telegram, and moved on. “The volume they generated was significant: the region’s highest monthly attack figures coincided directly with periods of elevated hacktivist activity, particularly July and August following the Operation Eastwood law enforcement action against NoName057(16) infrastructure.”

The researchers observed that what makes hacktivist activity difficult to plan around is its responsiveness to external events. “A regulatory action, a political statement, or a law enforcement takedown can trigger a coordinated retaliation campaign within hours.”

Organizations that enforced multi-factor authentication consistently, maintained patching discipline on internet-facing systems, and monitored for credential exposure were meaningfully harder targets.  

The post concludes that “The 2025 data points to a straightforward set of priorities. Hacktivist exposure is largely a function of how much publicly accessible attack surface an organization presents, and how quickly anomalies on those surfaces get detected. Ransomware exposure comes down to identity hygiene, patch cadence, and whether credentials are being monitored across the open and dark web before they get used against you.”

Last month, Check Point tracked an ongoing password-spraying campaign targeting Microsoft 365 environments across the Middle East, primarily in Israel and the UAE, conducted by an Iran-linked threat actor. These attackers have been targeting the cloud environments of government entities, municipalities, energy-sector organizations, and private-sector companies amid the ongoing conflict in the Middle East. Activity associated with the same actor was also observed against a limited number of targets in Europe, the U.S., the U.K., and Saudi Arabia.
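The credential-monitoring priority the report names, and the password-spraying campaign described above, both come down to spotting one source trying a few passwords against many accounts. The following is an added example (not code from Check Point or the article) that flags this pattern in constructed sign-in records shaped loosely like Microsoft 365 sign-in log fields, and reports any successful sign-in from the spraying source, which is the account to treat as compromised first.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source IP, account, result).
# IPs are documentation ranges and accounts are placeholders, not real data.
SIGN_INS = [
    ("2025-07-01T08:00:05", "203.0.113.10", "a@example.de", "failure"),
    ("2025-07-01T08:00:09", "203.0.113.10", "b@example.de", "failure"),
    ("2025-07-01T08:00:14", "203.0.113.10", "c@example.de", "failure"),
    ("2025-07-01T08:00:20", "203.0.113.10", "d@example.de", "failure"),
    ("2025-07-01T08:00:27", "203.0.113.10", "e@example.de", "failure"),
    ("2025-07-01T08:00:33", "203.0.113.10", "f@example.de", "success"),
    ("2025-07-01T08:05:00", "198.51.100.7", "g@example.de", "failure"),
    ("2025-07-01T08:05:30", "198.51.100.7", "g@example.de", "failure"),
    ("2025-07-01T08:06:00", "198.51.100.7", "g@example.de", "success"),
    ("2025-07-01T06:00:00", "192.0.2.44", "a@example.de", "failure"),
    ("2025-07-01T07:00:00", "192.0.2.44", "b@example.de", "failure"),
    ("2025-07-01T08:00:00", "192.0.2.44", "c@example.de", "failure"),
    ("2025-07-01T09:00:00", "192.0.2.44", "d@example.de", "failure"),
    ("2025-07-01T10:00:00", "192.0.2.44", "e@example.de", "failure"),
]


def detect_password_spray(records, min_accounts=5, window=timedelta(minutes=30)):
    """Flag source IPs whose failed sign-ins span at least min_accounts distinct
    accounts inside one sliding time window. A single user failing repeatedly
    (typo, lockout) does not trigger it; many users from one IP does.
    Returns {ip: {"accounts": [...], "successes": [...]}} where "successes" lists
    accounts that later signed in successfully from that same IP."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in records:
        t = datetime.fromisoformat(ts)
        (failures if result == "failure" else successes)[ip].append((t, user))
    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            # Advance the window start until all events fit inside `window`.
            while t_end - events[start][0] > window:
                start += 1
            accounts = {u for _, u in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                # Any success from the spraying IP after the window opened is the
                # likely compromised account: escalate that one immediately.
                later = sorted({u for t, u in successes[ip] if t >= events[start][0]})
                findings[ip] = {"accounts": sorted(accounts), "successes": later}
                break
    return findings
```

Widening the window (for example to several hours) also catches the slow, low-rate variant shown by the third source IP, at the cost of more review effort; tune it against your own baseline of failed sign-ins.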
