Active crime groups in Germany

Explanations and tabular overview
Status: 23.10.2025

Financially motivated attackers target the assets of those affected in a variety of ways. From fraud and theft to extortion, the BSI observes new attack campaigns on a daily basis. According to the BSI, ransomware and data leaks currently pose the greatest cybercriminal threat to the state, economy and society.

In recent years, the BSI as well as national and international partners have increasingly observed so-called Cybercrime-as-a-Service (CCaaS). This involves outsourcing elements of a cyberattack to specialised attacker groups, similar to outsourcing services. CCaaS allows an attacker to obtain almost every step of an attack as a service from other cybercriminals or at least the malware required for it. The selling of malware is referred to as Malware-as-a-Service (MaaS). MaaS specialising in ransomware are called Ransomware-as-a-Service (RaaS).

Attackers that sell access to networks are called access brokers and the service Access-as-a-Service (AaaS). Emotet and QakBot were two well-known malware families that were probably used by access brokers. Access brokers aim to gain long-term access to a network. To do this, they usually load additional malware via so-called loaders.

Where possible, cybercriminal attackers are categorised into groups based on the malware used and their approach. The following table highlights some attacker groups that the BSI believes pose an increased threat to German organisations. The BSI is also monitoring other attacker groups that are probably also active against German organisations.

Active crime groups that attack targets in Germany:
Groupname	Exceptional characteristics	Description
Frozen Spider (aka White Kali)	Responsible for restricted¹ RaaS Medusa Ransomware Medusa is not to be confused with similar named ransomware MedusaLocker Leak site known	RaaS Medusa probably active since the end of 2022. No known exclusion of sectors or countries from attacks.
Graceful Spider (aka ATK103, Chimborazo, DEV-0950, Dudear, FIN11, G0092, Gold Tahoe, Hive0065, Lace Tempest, SectorJ04, Spandex Tempest, TA505, White Austaras)	Responsible for GetAndGo Loader (aka Get2, FRIENDSPEAK) SDBBot GraceWire (aka FlawedGrace) Clop (aka Ciop, CIop, Cl0p, Ci0p, CI0p) Leak site known Attackers repeatedly abused zero-day vulnerabilities in exposed systems such as file-sharing servers. Extortion often without the use of ransomware only with stolen data	Attacker group probably active since 2016. No known exclusion of sectors or countries from attacks. From the end of 2019 until 2022 regularly use of Clop ransomware. Since 2022, regularly blackmail with data leaks only.
Honey Spider	Responsible for MaaS Shindig (aka Bumblebee) Shindig is used by various access brokers. An attack with Shindig is often followed by the theft of data and the use of ransomware	MaaS Shindig probably active since March 2022. No known exclusion of sectors or countries from attacks. Shindig was a target of the law enforcement measures from Operation Endgame. Shindig is beeing updated and used in cyberattacks against systems in Germany on a regular basis despite the law enforcement actions.
Lunar Spider (aka Gold Swathmore, White Khione)	Responsible for MaaS BokBot (aka IcedID) Responsible for MaaS Lotus (aka Latrodectus, BlackWidow, IceNova) Lotus is used by various access brokers. An attack with Lotus is often followed by the theft of data and the use of ransomware	MaaS BokBot was probably active since April 2017 until the end of 2023. No known exclusion of sectors or countries from attacks. BokBot is based on banking trojan Neverquest (aka Vawtrak) BokBot was a target of the law enforcement measures from Operation Endgame. The MaaS Lotus is probably actively used since October 2023 and continually updated.
Punk Spider (aka White Lilith)	Responsible for private² RaaS Akira Leak site known	RaaS Akira probably active since March 2023. Attacks against government organisations excluded - deviations are to be expected! No known exclusion of countries from attacks. Akira is probably based on the source code of the inactive RaaS Conti leaked in February 2022.
Recess Spider (aka White Peryton)	Responsible for private² RaaS Play (aka PlayCrypt) Leak site known	RaaS Play probably active since June 2022. No known exclusion of sectors or countries from attacks. Extortion negotiations are partly conducted by email.
Scattered Spider (aka 0ktapus, Dev0671, Dev0875, Dev0971, Muddled Libra, Octo Tempest, Oktapus, Roasted 0ktapus, Scatter Swine, Scattered Swine, StarFraud, Storm-0875, UNC3944, White Dev 146)	Responsible for MaaS BlackLotus Was affiliate of RaaS Alphv, RansomHub Probable affiliate of RaaS DragonForce (see White Dragon) Repeated use of SIM swapping and social engineering against helpdesk employees to take over valid accounts Attacker interacts specifically with cloud resources of affected organisations Registers own identity providers, for example, in order to be able to log in as any valid account	Affiliate group probably active since March 2022. Exclusion of sectors and countries from attacks in accordance with used RaaS. Since April 2025 probable affiliate of RaaS DragonForce. In 2024 and 2025 multiple suspects were arrested in connection to Scattered Spider.
Traveling Spider (aka Gold Mansard, White Imp)	Responsible for RaaS INC Responsible for RaaS Lynx Leak sites to both RaaS known Was responsible for RaaS Nevada, RaaS Nokoyawa, RaaS Karma, RaaS Nefilim (aka Nemty X), RaaS Nemty	Attacker group probably active since August 2019. RaaS INC probably active since September 2023. RaaS Lynx probably active since August 2024. Both RaaS are operated simultaneously.
Vice Spider (aka White Nefas, DEV-0832, Vanilla Tempest, Vice Society)	Probably responsible for Ransomware Rhysida Alternatively affiliate of private² RaaS Rhysida Reports in the fourth quarter of 2024 indicate probable use of new Ransomware InterLock For both ransomwares are leak sites known	Affiliate group probably active since April 2021. Vice Spider used a variety of RaaS over the years including: DeathKitty (aka HelloKitty, Fivehands, Wacatac), Zeppelin (aka Buran), Hive, Quantum, Alphv, RedAlertLocker, LockBit Vice Spider originaly established their own presence under the branding Vice Society. RaaS Rhysida probably active since Mai 2023. Ransomware InterLock first observed in October 2024. It is unclear whether Vice Spider is still using this ransomware. Tools developed and provided by Lunar Spider were used in Vice Spider cases multiple times.
White Dragon (aka Slippery Scorpius)	Responsible for restricted¹ RaaS DragonForce Leak site known RaaS DragonForce also operates as service model with individualized branding RaaS DragonForce provides affiliates among other things with free call-service. This probably entails voice calls in tandem with extortion attempts.	RaaS DragonForce probably active since August 2023. In 2025 the operators moved to a "cartel"-model that provides affiliates with the ransomware and infrastructure but enables an individual branding. The ransomware Devman probably is based on DragonForce in this way.
White Fenrir	Responsible for restricted¹ MaaS DarkGate (aka Meh, MehCrypter) Responsible for Crypter-as-a-Service (CaaS) DarkGateCrypter Responsible for Service DarkGate AutoIt Converter DarkGate is used by various access brokers. An attack with DarkGate is often followed by the theft of data and the use of ransomware	MaaS DarkGate probably active since 2017, first advertised on underground forums in May 2023. No known exclusion of sectors from attacks. Attacks against organisations from Russia and Moldova excluded. At the end of 2023, the operating group switched to a private² operating mode. Previously, the MaaS was offered to up to 30 affiliates. In November 2024 DarkGate was switched back to a restricted¹ operating model.
White Kore	Responsible for RaaS Qilin (aka AgendaCrypt, Agenda) Leak site known Attackers exhibit increased focus on healthcare sector	RaaS Qilin probably active since August 2022. Sample have been temporarily distributed with the file name `Agenda` therefor also known as Agenda ransomware. Probable Rebrand to MichaelKors in April 2023 has not been completed.
White Veles (aka DEV-0504, Velvet Tempest)	Responsible for ExMatter (aka Sender2) Rather probable responsible for ransomware Termite	Affiliate group probably active since August 2021. Exclusion of sectors and countries from attacks in accordance with used RaaS. Was affiliate of RaaS LockBit, RaaS BlackMatter, RaaS Alphv and RaaS Conti. Multiple ransomware cases with ransomware Termite were attributed to White Veles.
White Yama	Responsible for RaaS WorldLeaks Was responsible for RaaS HuntersInternational Leak site known	RaaS HuntersInternational was probably active from October 2023 to Mai 2025. HuntersInternational is probably based on source code of RaaS Hive, which is inactive since January 2023. WorldLeaks is known since January 2025, first activity was observed in Mai 2025.
N/A	Responsible for private RaaS SafePay Leak site known The attackers contact victims for example via voice calls to increase extortion pressure.	RaaS SafePay probably active since November 2024. On the leak site were an above average number of presumed victims from Germany named. The BSI is unaware of a specific resaon for this clustering at the moment of publishing of the entry.

Footnotes:

¹ Restricted MaaSs are MaaSs that openly recruit new affiliates and, for example, require affiliates to go through an application process before they are granted access to the service.

² Private MaaSs are MaaSs that do not openly recruit new affiliates. The service is available to a limited group of affiliates and new affiliates tend to be added by invitation.

Leak victim statistics:

Since 2021, ransomware attacks have usually been accompanied by a data leak. The combined extortion with data encryption through ransomware and data publication through data leaks is known as double extortion. The BSI monitors so-called leak sites on which attackers publish the names and stolen data of victims of their ransomware attacks if they do not give in to cyber extortion.

These leak pages can therefore be used to record presumed victims who have been threatened with the publication of their data. In this respect, the leak victim statistics are not statistics on ransomware attacks, but on victims of hush money extortion. The BSI refers to "presumed" victims, as being named on a leak page under the control of an attacker does not necessarily mean that an attack actually took place. In some cases, attackers mention names for the sole purpose of blackmail without an actual attack having taken place.

The monitoring of leak pages only covers some of the ransomware victims. This means that, generally, only those organisations that refuse to pay a ransom or hush money are named and published on leak pages. Not all ransomware attackers use a leak page either. A large number of ransomware victims therefore remain unidentified. Consequently, this data collection does not provide any information on how many of the actual victims decide to pay a ransom or hush money. Moreover, the time of publication does not provide any information about exactly when the ransomware attack took place, which may have been a long time before. On top of that, the categorisation of presumed victims by country is only an approximation, as it is usually based on the location of the presumed victim's main office. This means that the attacked network segment may have been located in other parts of the world, especially in the case of globally active companies.

The indices in the diagram measure the naming of presumed victims on leak sites. The average for the year 2021 is used as the basis.

Statistics from the fourth quarter 2022 to the third quarter 2025 — Source: BSI

The index for Germany was 258 points in the third quarter of 2025. This means that the number of observed presumed victims named on leak sites in the thrird quarter of 2025 was 2.58 times higher than the annual average for 2021. The comparative index worldwide was 221 points in the third quarter of 2025. A recurring trend can be observed at the beginning of the year. Attackers suspected to be operating out of Russia in particular reduce their activity at this time. They presumably pause operations over the Orthodox Christmas on 6 and 7 January.

The first cyberattacks involving hush money extortion and leak sites were observed in 2019. In the first quarter of 2019, the cybercriminal group calling itself Team Snatch attacked several victims. In the fourth quarter of 2019, the cybercriminal group behind the RaaS Maze began combining ransomware attacks with leaks. In 2020, this approach became widespread among various cybercriminal groups, which the BSI reported as a proliferation of cybercriminal approaches (see The state of IT security in Germany in 2022). In 2021, double extortion attacks became the norm for ransomware attacks.

The number of presumed victims observed increased significantly in 2023 compared to previous years. In 2023, almost 1.7 times the annual average for 2021 was observed both worldwide and in Germany. Globally, this means an increase of almost 50% from 2022 to 2023, or almost 30% for Germany in the same period.

The main factors behind this increase are likely to be a sustained high to very high level of activity by the most threatening actors and an increase in activity across all leak sites. The BSI also observed several leak sites that were only active for a short time or named many presumed victims through individual campaigns.

The increase in activity on a number of leak sites continued during 2024. BSI observed multiple leak sites that probably reposted data leaks of "old" cases. The substanial increase in the first quarter of 2025 was in large parts due to an attack campaign against file sharing software from the software development company Cleo in December 2024. Presumed victims from this campaign have been published from January to March 2025 on the leak sites Clop of the group Graceful Spider.

There may also be a change in payment behaviour. In general, only those presumed victims who delay or refuse to pay a ransom or hush money are recorded on leak sites. If the number of attacks does not decrease but more victims refuse to pay, this is likely to be reflected in an increase in the leak victim statistics.