
CrowdStrike: Europe second only to North America for cyber attacks

Europe faces rising cyber threats from criminals and nation-states, according to CrowdStrike. Ransomware attacks now take just 24 hours, with 22% of global victims being European

Europe is second only to North America as a theatre of attack for cyber criminals, nation-state actors and hacktivists, according to CrowdStrike’s 2025 European threat landscape report, with European organisations accounting for nearly 22% of global ransomware and extortion victims.

Ransomware operations are moving faster than ever, with CrowdStrike observing groups such as Scattered Spider, which famously disrupted Marks and Spencer’s business this year, increasing deployment speed by 48%. The average attack now takes just 24 hours.

Attackers are benefiting from underground marketplaces which make malware as a service, initial access brokerage and phishing toolkits easily and readily available, according to the cyber security services provider.

Cyber attackers sponsored by nation-states – namely Russia, China, North Korea and Iran – hostile to Western countries have increased operations across European industry sectors, reflecting what CrowdStrike describes as a growing convergence of cyber crime and geopolitical threats. Academia is a top target, according to threat specialists.

Adam Meyers, head of counter adversary operations at CrowdStrike, said in a statement accompanying the publication of the threat report: “The cyber battlefield in Europe is more crowded and complex than ever. We’re seeing a dangerous convergence of criminal innovation and geopolitical ambition, with ransomware crews using enterprise-grade tools and state-backed actors exploiting global crises to disrupt, persist and conduct espionage. In this high-stakes environment, intelligence-led defence powered by AI and guided by human expertise is the only combination designed to stop cyber threats.”

The supplier’s counter adversary operations unit tracks more than 265 named adversaries. It noted that since 1 January, more than 2,100 victims across Europe were named on extortion leak sites. Unsurprisingly, the UK, Germany, France, Italy, and Spain were the most targeted nations, with 92% of cases involving file encryption and data theft.

Some 260 initial access brokers (IABs) advertised to more than 1,400 European organisations, CrowdStrike’s researchers found. IABs are individual cyber criminals or organised cyber crime groups that gain unauthorised network access and sell it to other criminals. They play an increasingly vital role in the ransomware ecosystem, establishing entry points from which ransomware-as-a-service groups can facilitate attacks.

English and Russian-language fora, including BreachForums, a successor to RaidForums whose administrators were linked to criminals in France and the UK, remain central to Europe’s eCrime ecosystem, said CrowdStrike. These make traffic in stolen data, malware and criminal services possible, with platforms such as Telegram, Tox and Jabber facilitating cyber criminal activity, according to the report.

Disturbingly, criminals are using Telegram-based networks to coordinate physical attacks, kidnappings and extortion tied to cryptocurrency theft. Again, according to CrowdStrike, groups connected to what the report calls “The Com” ecosystem and groups such as Renaissance Spider are combining cyber with physical operations.

The geopolitical front

Chinese state-sponsored attackers targeted industries in 11 countries, exploiting cloud infrastructure and software supply chains to steal intellectual property, said CrowdStrike. A group the supplier dubs VixenPanda is the most prolific threat to European government and defence authorities.

Russian-backed cyber attackers are continuing to target Ukraine in Putin’s war against the country. Credential phishing, intelligence collection and destructive operations targeting government, military, energy, telecom and utilities all feature in what is effectively Russia’s cyber-warfare, according to CrowdStrike.

North Korean cyber attackers have expanded the scope of their manoeuvres against European defence, diplomatic and financial institutions, combining espionage with cryptocurrency theft, according to the supplier’s threat research team.

Meanwhile, Iranian-backed Haywire Kitten claimed authorship, according to the researchers, of a DDoS attack against a Dutch news outlet.
