Germany Emerges as Hub of Escalating DACH Cyber Campaign Amid Ransomware and Geopolitical Threats

Key Takeaways

  • Cyberattacks against organizations in the DACH region (Germany, Austria, Switzerland) jumped 124% in 2025, driven mainly by hacktivist defacement campaigns and a rise in ransomware activity.
  • Germany alone accounted for more than 80% of DACH incidents (≈82%), reflecting its economic size and geopolitical profile, especially its support for Ukraine.
  • Website defacement represented 66% of all recorded attacks, largely executed by pro‑Russian hacktivist groups such as NoName057(16), Dark Storm Team, and Mr Hamza.
  • Ransomware made up nearly 30% of incidents, with financially motivated groups like Akira, Qilin (formerly Agenda), LockBit, and the emerging Safepay employing double‑extortion tactics.
  • Common infection vectors across both threat types were compromised credentials, exposed remote‑access services, and unpatched enterprise platforms—highlighting identity‑security gaps rather than zero‑day exploits.
  • Effective defenses include consistent multi‑factor authentication, rigorous patch management for internet‑facing systems, and continuous credential‑exposure monitoring on both the open and dark web.

Overview of the 2025 Threat Landscape in DACH
Check Point Software Technologies reported a dramatic 124% surge in cyberattacks targeting Germany, Austria, and Switzerland in 2025. The increase was propelled by two overlapping forces: politically motivated hacktivist campaigns and financially driven ransomware operations. Germany bore the brunt of the activity, contributing over 80% of all incidents recorded in the DACH bloc, while Switzerland and Austria accounted for roughly 12% and 8%, respectively. Collectively, the DACH region represented 18% of Europe‑wide tracked attacks, positioning Germany ahead of France, Spain, and Italy in terms of individual country share. The concentration of attacks underscores Germany’s outsized economic influence and its visible geopolitical stance, particularly its staunch support for Ukraine, which makes it a lucrative target for both protest‑oriented and profit‑seeking adversaries.

Dominance of Website Defacement Campaigns
The most prevalent attack vector identified was website defacement, constituting 66% of all incidents in the region. These operations were largely orchestrated by pro‑Russian hacktivist collectives such as NoName057(16), Dark Storm Team, and Mr Hamza, with additional contributions from groups like chinafans and Hezi Rash. The attackers typically exploited publicly accessible web properties, altered content to broadcast political messages, claimed responsibility on Telegram channels, and then moved on to the next target. The speed and visibility of these campaigns made them especially effective for amplifying geopolitical narratives. Notably, spikes in monthly attack volumes aligned with periods of heightened hacktivist activity, especially July and August 2025, following law‑enforcement takedowns of NoName057(16) infrastructure under Operation Eastwood. The researchers emphasized that hacktivist actions are highly reactive: a regulatory decision, political statement, or police raid can trigger a coordinated retaliation within hours, rendering traditional, static defense planning insufficient.

Ransomware Activity and Financial Motivation
While hacktivists dominated by volume, ransomware accounted for nearly 30% of incidents, establishing it as the most significant financially motivated threat in the DACH region. The report highlighted three ransomware groups that were especially active during the observation period:

  • Akira – Operational since 2023, Akira targets both Windows and Linux environments. It frequently preys on organizations lacking multifactor authentication (MFA) and shows tooling overlaps with the historic Conti ransomware ecosystem.
  • Qilin (formerly Agenda) – Operates a ransomware‑as‑a‑service (RaaS) model using a Rust‑based, cross‑platform encryptor. Qilin couples data theft with file encryption and maintains a dedicated leak portal to increase extortion pressure.
  • Safepay – An emerging double‑extortion group active since 2024, Safepay exfiltrates victim data before encrypting systems and threatens publication via leak sites. It leverages dark‑web and TON‑based channels for communication and payment.

All three groups relied on a similar set of initial access techniques: compromised credentials, exposed remote‑access services (such as RDP or VPN gateways), and unpatched enterprise platforms. The researchers concluded that identity‑security gaps—weak passwords, missing MFA, and credential leakage—were the common denominator across attacks, far outweighing the use of zero‑day exploits or novel sophisticated techniques.

Underlying Drivers: Geopolitics and Economics
Germany’s outsized share of attacks stems from its dual role as one of the EU’s largest economies and a major contributor to Ukraine‑support initiatives. This positioning places German entities at the intersection of two primary motivators observed in 2025: financial gain (ransomware) and geopolitical signaling (hacktivist defacement). Attackers therefore view German organizations as high‑value targets that can yield both monetary rewards and propaganda impact. The report notes that the concentration of incidents in Germany mirrors its economic and political footprint, making it a natural focal point for adversaries seeking maximum visibility or profit.

Defensive Recommendations Emphasizing Identity Hygiene
Check Point’s analysis concluded that organizations that consistently enforced MFA, maintained rigorous patching discipline on internet‑facing systems, and monitored credential exposure across both the open and dark web were markedly more resilient. The post distilled the 2025 data into a straightforward set of priorities:

  • Hacktivist exposure is largely a function of an organization’s publicly accessible attack surface and the speed with which anomalies on those surfaces are detected. Reducing unnecessary web‑facing assets and deploying real‑time web‑integrity monitoring can limit defacement success.
  • Ransomware exposure hinges on identity hygiene (strong passwords, MFA, credential‑leak awareness), patch cadence for external services, and vigilant monitoring of credential misuse on underground markets.

By addressing these core areas, organizations can mitigate the most common pathways exploited by both hacktivists and ransomware operators in the DACH region.
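The "real‑time web‑integrity monitoring" recommended above can be implemented as a baseline‑and‑compare check. The following is an added illustration, not code from Check Point or the report: it hashes a canonicalised copy of each public page (timestamps and whitespace stripped so legitimate dynamic fragments do not raise false alarms) and flags paths whose content no longer matches the stored baseline. Page contents and paths are constructed sample data standing in for live HTTP fetches.

```python
import hashlib
import re

# Constructed sample pages (hypothetical content, not from the report).
# In practice the baseline is captured from a known-good deployment and the
# current set comes from a periodic fetch of the same public URLs.
BASELINE_PAGES = {
    "/": "<html><body><h1>Stadtwerke Beispiel</h1><p>Willkommen</p>"
         "<span id='ts'>Generated 2025-01-01 10:00:00</span></body></html>",
    "/kontakt": "<html><body><h1>Kontakt</h1><p>info@example.invalid</p></body></html>",
}
CURRENT_PAGES = {
    # Only the server-side timestamp changed: must NOT trigger an alert.
    "/": "<html><body><h1>Stadtwerke Beispiel</h1><p>Willkommen</p>"
         "<span id='ts'>Generated 2025-02-01 11:30:00</span></body></html>",
    # Defaced: heading and body replaced, so this MUST be reported.
    "/kontakt": "<html><body><h1>HACKED</h1><p>replaced content</p></body></html>",
}

# Fragments that legitimately differ between fetches; applied in order,
# so the timestamp is removed before whitespace is collapsed.
DYNAMIC_PATTERNS = [
    re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"),  # timestamps
    re.compile(r"\s+"),                                  # whitespace
]


def fingerprint(html: str) -> str:
    """SHA-256 of the page after dynamic fragments are stripped."""
    canon = html
    for pat in DYNAMIC_PATTERNS:
        canon = pat.sub("", canon)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_baseline(pages: dict) -> dict:
    """Map each monitored path to its known-good fingerprint."""
    return {path: fingerprint(html) for path, html in pages.items()}


def check_integrity(baseline: dict, current: dict) -> list:
    """Return paths that are missing or whose canonical content changed."""
    return [
        path for path, expected in baseline.items()
        if path not in current or fingerprint(current[path]) != expected
    ]


if __name__ == "__main__":
    for path in check_integrity(build_baseline(BASELINE_PAGES), CURRENT_PAGES):
        print(f"ALERT: content of {path} differs from baseline")
```

A missing page is reported as well, since a takedown or redirect is as much an integrity failure as a rewritten one.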

Additional Context: Parallel Threat Activity Elsewhere
The report briefly noted a concurrent password‑spraying campaign observed last month targeting Microsoft 365 environments across the Middle East, principally in Israel and the UAE. The campaign, attributed to an Iran‑linked threat actor, hit government entities, municipalities, energy‑sector organizations, and private firms amid the ongoing regional conflict. Activity from the same actor was also detected against a limited set of targets in Europe, the United States, the United Kingdom, and Saudi Arabia, illustrating how threat groups often reuse tactics and infrastructure across multiple geographies.

Conclusion
The 2025 Check Point findings paint a clear picture: the DACH region, spearheaded by Germany, is experiencing a heightened threat environment where politically motivated defacement and financially driven ransomware intersect. Although the attack volumes are large, the underlying tactics remain rooted in well‑known weaknesses—exposed credentials, unpatched services, and insufficient identity controls. By strengthening MFA, patching rigorously, and continuously monitoring credential leakage, organizations can substantially reduce their risk profile and better defend against both the noisy, attention‑seeking hacktivist campaigns and the stealthy, profit‑oriented ransomware operations that dominated the cyber threat landscape last year.
