
CrowdStrike has published its 2025 European Threat Landscape Report, painting a stark picture of an increasingly aggressive and complex cyber environment across Europe. According to the CrowdStrike report, European organizations accounted for nearly 22 percent of all global ransomware and extortion victims over the past year, placing the continent second only to North America in total incidents.
The findings highlight the accelerating speed of attacks, the convergence of cybercrime and state-sponsored activity, and the growing commercialization of hacking tools and services across underground networks.
CrowdStrike’s intelligence teams, which monitor over 265 named adversary groups worldwide, observed that ransomware operations in Europe have reached historic highs. Since the start of 2024, more than 2,100 victims across the region have been listed on extortion leak sites.
The United Kingdom, Germany, France, Italy, and Spain emerged as the most targeted countries, with 92 percent of incidents involving both file encryption and data theft. Increasingly, ransomware operations are being supported by a growing underground economy of initial access brokers, malware developers, and criminal service providers.
CrowdStrike tracked more than 260 brokers advertising access to over 1,400 European organizations in what has become a thriving black market for compromised credentials and network footholds.
Russia, China, Iran
The report also highlights a sharp escalation in attack velocity. Threat groups such as SCATTERED SPIDER increased their ransomware deployment speed by nearly 50 percent year-over-year, with the average time between intrusion and ransomware execution now dropping to around 24 hours. This compressed attack timeline leaves organizations with less time to detect and respond before critical systems are encrypted or data is exfiltrated.
Beyond financially motivated crime, the geopolitical dimension of Europe’s cyber landscape has intensified. Russia-linked threat actors continued to target Ukraine and neighboring countries with credential phishing, espionage, and destructive operations focused on government, energy, telecommunications, and military networks. North Korean groups, meanwhile, have expanded their European activity, targeting defense, financial, and diplomatic sectors – combining espionage operations with cryptocurrency theft to fund state objectives.
China-based threat actors have concentrated on industrial and scientific espionage, exploiting cloud environments and software supply chains to access intellectual property. CrowdStrike identified campaigns focused on healthcare and biotechnology across 11 European countries, with VIXEN PANDA named as one of the most prolific Chinese actors targeting government and defense networks. Iranian operations also intensified, with IRGC-linked groups conducting phishing, DDoS, and hack-and-leak campaigns against organizations in the U.K., Germany, and the Netherlands. In several cases, Iranian adversaries posed as hacktivist collectives to disguise coordinated espionage activity.
Violence-as-a-Service
Parallel to the state-backed activity, underground criminal ecosystems have become more sophisticated. English- and Russian-language forums, including BreachForums – a successor to the dismantled RaidForums – remain key hubs for trading stolen data, malware, and exploit kits. CrowdStrike’s analysts also observed Telegram, Tox, and Jabber being used extensively for criminal collaboration, recruitment, and financial transactions.
The intersection of cyber and physical crime is also growing. CrowdStrike warns that so-called “Violence-as-a-Service” networks have begun using encrypted Telegram channels to coordinate physical assaults, kidnappings, and extortion campaigns linked to cryptocurrency theft. Groups connected to “The Com” ecosystem and hybrid actors like RENAISSANCE SPIDER are blurring the line between the virtual and physical threat domains, offering payments for acts of sabotage, arson, or intimidation tied to broader cyber objectives.
Adam Meyers, head of Counter Adversary Operations at CrowdStrike, described the current European cyber environment as “more crowded and complex than ever.” He noted that adversaries are combining “criminal innovation and geopolitical ambition,” deploying enterprise-grade tools to conduct espionage and disruption at scale. “Ransomware crews are operating like commercial enterprises, while state-backed actors exploit global instability to pursue intelligence and influence,” said Mr. Meyers. “In this high-stakes environment, only an intelligence-led defense powered by AI and guided by human expertise can effectively counter these evolving threats.”
The CrowdStrike report underscores how Europe’s digital infrastructure – spanning critical industries, government systems, and private enterprises – has become both a strategic target and a testing ground for global cyber operations.