Hacktivists, Ransomware, and a 124% Surge Across DACH
Hacktivism and ransomware targeting organizations across Germany, Austria, and Switzerland increased 124% in 2025, according to Check Point Exposure Management (based on published attacks on the web and dark web). Three distinct dynamics drove the surge, each with its own logic and its own implications for security teams in 2026.
Germany Absorbed Most of It
Germany accounted for more than 80% of regional incidents, with Switzerland at 12% and Austria at 8%. Across Europe, the DACH region represented 18% of all recorded attacks, placing Germany above France, Spain, and Italy by individual country share.
The concentration reflects Germany’s economic and political profile. As one of the EU’s largest economies and a significant contributor to Ukraine-support efforts, it sits at the intersection of financial targeting and geopolitical signaling, two of the primary motivators behind 2025’s attack activity.
- Germany: 82% of DACH incidents
- Switzerland: 12%
- Austria: 8%
- DACH as a share of European incidents: 18%
Hacktivists Dominated by Volume
Defacement was the leading attack type in the region at 66% of incidents, driven almost entirely by hacktivist groups using website vandalism to amplify political messaging. NoName057(16), a pro-Russian collective focused on DDoS and web disruption, was among the most active throughout the year. Groups including Mr Hamza, chinafans, Dark Storm Team, and Hezi Rash contributed sustained defacement and DDoS activity against public-facing services.
These campaigns were built for speed and visibility, hitting publicly accessible targets, claiming the activity on Telegram, and moving on. The volume they generated was significant: the region’s highest monthly attack figures coincided directly with periods of elevated hacktivist activity, particularly July and August following the Operation Eastwood law enforcement action against NoName057(16) infrastructure.
What makes hacktivist activity difficult to plan around is its responsiveness to external events. A regulatory action, a political statement, or a law enforcement takedown can trigger a coordinated retaliation campaign within hours.
Ransomware Groups Kept Steady Pressure On
While hacktivists dominated by volume, ransomware accounted for nearly 30% of incidents, making it the most significant financially motivated threat in the region. Three groups were particularly active.
- Akira has operated since 2023 and targets Windows and Linux environments, frequently exploiting organizations without MFA in place. Researchers have identified tooling overlaps with the former Conti ecosystem.
- Qilin, originally known as Agenda, runs a RaaS model using a Rust-based cross-platform encryptor. It combines data theft with encryption and maintains a dedicated leak portal for extortion pressure.
- Safepay is an emerging double extortion group active since 2024, operating across dark web and TON-based channels. It exfiltrates data before encrypting and pressures victims through leak site publication.
All three followed similar initial access patterns: compromised credentials, exposed remote access services, and unpatched enterprise platforms. Identity weaknesses were the common thread, not zero-days or novel techniques.
Organizations that enforced MFA consistently, maintained patching discipline on internet-facing systems, and monitored for credential exposure were meaningfully harder targets.
What to Do With This
The 2025 data points to a straightforward set of priorities. Hacktivist exposure is largely a function of how much publicly accessible attack surface an organization presents, and how quickly anomalies on those surfaces get detected. Ransomware exposure comes down to identity hygiene, patch cadence, and whether credentials are being monitored across the open and dark web before they get used against you.
Check Point Exposure Management tracks threat actor activity, IOCs, and attack surface exposure continuously, giving security teams the context to act on threats like Akira, Qilin, and NoName057(16) before they become incidents. The IOCs for all groups covered in the 2025 DACH report are available in the Threat Actor Intel Module.
For complete threat actor profiles, sector breakdowns, and indicators of compromise, read the full report:
- DACH Threat Landscape 2025 in English
- German DACH Threat Landscape in German



