What cybercrime means

Cybercrime is a professional business these days. In the shadow economy, there are many online markets where illegal goods such as drugs, weapons, child pornography, and stolen data and identities are traded. Cybercrime execution services are also offered, which is called "cybercrime-as-a-service."

Cybercrime is a highly complex and criminal industry with its own value chains.

What is cybercrime?

Cybercrime is one of the most rapidly changing forms of crime today. The perpetrators adapt flexibly to technical and social developments and operate worldwide. They strike wherever it is financially attractive.

In the police context, a distinction is made between two types of cybercrime.

Definition according to BKA - cybercrime in the narrower sense

Crimes directed against the Internet, information technology systems or their data.

The "narrower" forms refer to crimes that directly affect the Internet, computer networks, information systems or their data.

Definition according to BKA - cybercrime in a broader sense

Crimes committed with the use of information technology (Internet).

The "broader" forms include crimes in which information technology is used as a means of commission, that is, acts that could also be committed outside the digital world, such as drug trafficking.

The narrower forms involve highly technical crimes and correspondingly demanding investigative work on the part of the police.

Federal Situation Report Cybercrime of the BKA

Once a year, the Federal Criminal Police Office publishes the Federal Situation Report Cybercrime. The document provides up-to-date information on the development of cybercrime in Germany. It presents current trends and patterns in cybercrimes, progress charts of specific cases and practical examples, as well as the results of police investigative actions.

Police crime statistics (PKS)

The Federal Criminal Police Office (BKA) compiles the Police Crime Statistics (PKS) for the whole of Germany on the basis of data provided by the police authorities. The PKS contains information on registered crimes, including attempts, as well as further details on recorded cases of cybercrime. Crimes are only documented after police investigations have been completed. The PKS is thus a statistic that only records what is actually known to the police.

Cybercrime - bright field vs. dark field

In the area of cybercrime, the so-called dark field, i.e., crimes that are not recorded by the police, is significantly larger than for other forms of crime. This is due to various reasons:

  • Many crimes on the Internet remain stuck at the attempted stage because technical security measures such as antivirus software prevent the perpetrators from successfully launching a cyber attack. These attempts often go unnoticed by the victims.
  • Those affected do not realize that they are victims of cybercrime, for example when their identity is stolen from an online store. Often, their own technical devices are misused for criminal activities without their knowledge, as when infected PCs or routers are used in botnets for DDoS attacks. These terms will be discussed in more detail later on.
  • Crimes are often not reported, especially if no financial damage has been incurred, as in the case of the discovery of a virus on a PC, or if the damage is covered by third parties, such as an insurance company. Companies particularly often refrain from reporting detected cyber attacks in order not to jeopardize their reputation as a trustworthy partner in the customer relationship.
  • Aggrieved parties only file charges in certain cases, such as extortion, if their systems, previously encrypted by the perpetrators, are not decrypted despite payment of a ransom.

Overall cybercrime statistics

The continuous increase in the number of cases of cyber attacks is due in particular to the following factors:

  • The rapid digitization in all areas of life, which has been further accelerated due to the Corona pandemic. This creates more opportunities for cybercriminals to commit crimes.
  • An increasing professionalization of perpetrators as well as an increasing ability of malware to hide from security mechanisms - such as antivirus software.
  • The low barriers to entry into the world of cybercrime. Through "cybercrime-as-a-service," hardly any technical knowledge is needed to commit cybercrimes.
Cybercrime Case volume of cybercrimes by offense area since 2020
Source: BKA, Cybercrime Bundeslagebild 2022 "Fallaufkommen der Cyberstraftaten nach Deliktsbereich seit 2020".
  • Since 2020, foreign offenses have been rising steadily, while domestic offenses have been declining.
  • Compared to the previous year, there is an increase of over 8 % in foreign acts.
  • The number of foreign offenses registered in 2022 exceeds the number of domestic offenses from the previous year.
  • Especially in the area of cybercrime, foreign crimes are disproportionately represented.
  • Cybercrimes in Germany account for 2.4 % of total crimes, while the share is about ten times higher for crimes committed abroad.
  • Almost a quarter of all registered foreign crimes are cybercrime cases.
Cybercrime Proportion of cybercrime offenses in total offenses
Source: BKA, Cybercrime Bundeslagebild 2022 "Anteil Cybercrime-Delikte an den Gesamtstraftaten" (Proportion of Cybercrime Offenses in Total Offenses)

Central phenomena of cybercrime

The following provides more detailed information on important types of cybercrime specifically related to the Internet, computer networks, and information systems. For more details and recent developments on these phenomena, please refer to the annual "Federal Situation Report Cybercrime" of the BKA.

Malicious software (malware) - central element of cybercrime

Virtually every form of cybercrime involves the use of malicious software (malware) or improperly deployed technical tools. These are used to spy on, monitor, and steal data, manipulate traffic (e.g., online banking), or carry out extortion (e.g., ransomware attacks).

There are countless types of malware that are continuously adapted by the perpetrators.

Definition according to BKA - Malware

The term malware refers to all programs that perform malicious functions on an IT system. These malicious functions include:

  • Spying and forwarding account data such as usernames and passwords,
  • Manipulation or destruction of data,
  • Illegitimate use of computing power for cryptomining,
  • Encryption of data,
  • Integration into a botnet and misuse for DDoS attacks,
  • Abusive remote control of a third-party IT system.
Cybercrime the global malware value chain
Source: BKA, Cybercrime Bundeslagebild 2020 "Die globale Malware-Wertschöpfungskette" (The global malware value chain)

Malware case study

As shown in the Cybercrime Bundeslagebild 2020, the Central Cybercrime Contact Point (ZAC) of the Brandenburg police reported on January 22, 2020, that several servers in the Potsdam city administration were attacked by hackers. This security incident resulted in several servers in various offices of the Potsdam city administration having to be shut down for security reasons. As a result, some online services, including parts of the local road traffic and registration office, were unavailable for several weeks.

On February 23, 2020, there was a similar report from the city administration in Brandenburg an der Havel, but fewer systems were affected here. After investigations by the central IT service provider of the state of Brandenburg and an external service provider, it was determined that unknown attackers exploited a security vulnerability in the so-called "Citrix application" and installed a cryptominer for the digital currency "Monero".

Mail Spam and Phishing - The access to the victim data

Stolen digital identities such as passwords, email addresses or bank data often serve as a starting point for further crimes. Cybercriminals typically use spam and phishing emails with malicious content, such as "hiding" malware in attachments, to gain access to these digital identities. The sent emails are designed to trick victims into clicking or downloading the malware. To make their fraudulent campaigns particularly effective, cybercriminals often use current issues as a lure or suggest that the emails come from an authority or even a known email contact.

Definition - Mail Spam, Phishing and Hoax

The Federal Office for Information Security defines and distinguishes these terms as follows.

What cybercrime means - mail spam

Spam is a collective term for all forms of unsolicited e-mails sent en masse, electronic chain letters or advertising posts on social networks. A large proportion of these are unsolicited advertising e-mails. However, many spam e-mails are not only annoying, but also dangerous. Sometimes spam is also referred to as junk, meaning rubbish or garbage. Thus, in the Internet age, spam has become synonymous with the unwanted flood of e-mail. The most common forms of spam are:

  • Scam: Also called advance fee fraud. Such mails usually promise a quick way to big money. The catch is that you have to pay a comparatively small amount beforehand, for example, for alleged lawyer fees. This mail spam is used comparatively rarely, which is why we will not go into it in more detail below.
  • Phishing: With this spam variant, cyber criminals try to elicit personal information from you - such as the access data to your bank account.
  • Hoax: False message or bad joke - usually associated with the request to forward the mail to other recipients.

What cybercrime means - phishing

Spam also includes phishing emails, which cybercriminals use to "fish" for passwords and other personal information - hence the name. We explain how you can recognize phishing emails and how you can protect yourself from them. Contaminated email attachments are still the most common way for malware to spread.

Phishing occurs in different forms, in which fraudsters pose as reputable organizations to steal personal data. This is often done through fake emails that pretend to be from banks or internet service providers and ask recipients to update their details. The fraudulent emails and associated websites are often perfectly imitated to inspire trust and entice recipients to click on links.

On social networks, well-known brand names are used to abuse users' trust and collect personal information.

Smishing is a form of phishing via SMS, in which scammers pretend to be from parcel services or online shopping platforms in order to steal access data.

It is important to be careful, watch out for spelling mistakes and suspicious characters in messages, and if in doubt, do not open links in messages.

Learn more about phishing. We link you to the primary source BSI:

How to recognize phishing emails and websites, how to protect yourself from phishing and true phishing cases.

What cybercrime means - Hoax

Hoax means "newspaper hoax" or "bad joke". On the Internet, the term stands for false reports. Mass e-mails and posts on social networks are increasingly being used to spread false news. Sometimes these are harmless hoaxes, but often hoax message writers are trying to influence your opinion on certain topics with fake information. If you receive some kind of electronic chain letter, you should be especially skeptical. It is advisable not to forward such hoax messages to other recipients, either via email, social networks or messaging apps.

A hoax can actually be dangerous if you follow the instructions in the message. For example, the message may suggest deleting a certain file from your computer, supposedly to clean up your system after an alleged malware infection. In reality, however, this file is often an important system file that is necessary for the proper operation of your computer.

Hoaxes can also cause economic damage by taking up a lot of time and attention. For example, if a thousand employees in a company spend three minutes reading and forwarding a chain email, this means a total loss of working time of 50 hours. Companies whose reputations are affected by hoax defamation run the risk of suffering significant damage to their image and sales.

Read more about how you can protect yourself from a hoax and find current hoax case studies on the official website of the BSI.

The following graph shows developments in global phishing volumes:

Cybercrime Number of phishing sites detected by the Anti-Phishing Working Group since 2019.
Source: BKA, Cybercrime Bundeslagebild 2022 "Number of phishing sites detected by the Anti-Phishing Working Group since 2019".

Mail spam almost always has a fake sender address

These characteristics will tell you whether the stated sender is also the real sender:

  • E-mail address: Check the sender's email address carefully. Look for discrepancies or slightly altered spellings that could indicate it is a fake address.
  • Domain: Examine the domain (the part of the email address after the "@" sign) of the sender. Make sure it matches the organization or company that is supposedly sending the message. Unusual or suspicious domains should be alarming.
  • Spam folder: Many email service providers have spam filters that move suspicious messages to the Spam folder. Check your Spam folder regularly to make sure that no legitimate messages have been accidentally moved there.
  • Message Contents: Look for misspellings, grammatical errors, and unusual language use in the message. Reputable organizations tend to use professional and error-free communication.
  • Phishing Indicators: Be wary if the message asks for sensitive information such as passwords or personal data. Legitimate organizations usually do not request such information in unsolicited emails.
  • Contact the sender: If you have doubts about the authenticity of a message, especially if it is an important or financially relevant communication, contact the sender directly through the official website or through contact information you already know to verify the authenticity.
  • Verification Measures: Some organizations use special verification methods, such as digital signatures or two-factor authentication, to ensure the authenticity of their messages. Verify that such security features are present.
  • Antivirus software: Use antivirus software that scans emails for malicious attachments or links and warns you about dangerous messages.
  • Heed warnings: Pay attention to warnings and notices from your email service provider or other trusted sources that warn about known phishing or spoofing attacks.
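
The e-mail address and domain checks from the list above can be automated. The following Python code is an added example, not part of the original article: it parses the From header and flags slightly altered spellings, a trusted name embedded in a foreign domain, and a display name that claims an organization the address does not belong to. The trusted domains, the sample message and the warning codes are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the recipient really deals with (constructed values).
TRUSTED_DOMAINS = ("example-bank.de", "example-parcel.com")
# Digits commonly swapped in for letters to imitate a name (0->o, 1->l, ...).
DIGIT_SWAPS = str.maketrans("0135", "oles")

# Constructed sample message, not taken from a real campaign.
SAMPLE = (
    'From: "Example Bank" <service@examp1e-bank.de>\n'
    "Subject: Please update your details\n"
    "\n"
    "Dear customer, ...\n"
)


def edit_distance(a, b):
    """Levenshtein distance, used to spot slightly altered spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message, trusted=TRUSTED_DOMAINS):
    """Return a list of warning codes for the From header of a raw e-mail."""
    header = message_from_string(raw_message)["From"] or ""
    display, address = parseaddr(header)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ["no-sender-address"]
    # An exact match or a subdomain of a trusted domain is what we expect.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return []
    findings = []
    # Internationalized labels can hide look-alike characters.
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append("punycode-domain")
    for t in trusted:
        brand = t.split(".")[0].replace("-", " ")
        if t in domain:
            # Trusted name used as part of a foreign domain.
            findings.append("trusted-name-embedded:" + t)
        elif edit_distance(domain.translate(DIGIT_SWAPS), t) <= 2:
            # Slightly altered spelling of a trusted domain.
            findings.append("lookalike-of:" + t)
        if brand in display.lower().replace("-", " "):
            # Display name claims an organization the address is not part of.
            findings.append("display-name-claims:" + t)
    return findings


if __name__ == "__main__":
    for code in check_sender(SAMPLE):
        print(code)
```

An empty result only means the visible address shows none of these signs; the From header itself can be forged with the exact trusted domain, which is why the receiving mail server's SPF, DKIM and DMARC results still matter.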

How do cybercriminals get my email address?

There are several ways in which your email address can end up in the hands of cybercriminals and spammers. One of them is automatic collection by so-called "harvesters" (literally "harvesting machines"). These small programs systematically search websites and collect all email addresses found, for example from guestbook entries or the imprint of websites. Often, however, e-mail addresses are also created randomly from frequently occurring combinations, such as [email protected].

Furthermore, sweepstakes in newspapers or in shopping malls are a lucrative source for mail address collectors.

It is advisable to read the fine print before entering your e-mail address in an (online) form.

Commercial trading of e-mail addresses has become a thriving business for advertising purposes. Professional traders often have huge databases with millions of e-mail addresses. In addition, according to observations by the German Federal Office for Information Security (BSI), trade in illegally obtained addresses stolen from infected computer systems is also steadily increasing.

Ransomware - Digital extortion by encrypting systems

Among the various approaches in cybercrime, ransomware has the greatest potential for damage. In a ransomware attack, the victim's computer systems are encrypted and the cybercriminals demand a ransom to release the data. Increasingly, they also try to steal data during the attack for additional blackmail opportunities by threatening the possible release of the stolen data. This approach is known as "double extortion" and is gradually becoming the standard procedure in the field of cybercrime.

A ransomware attack usually leads to significant and costly business interruptions and serious repercussions for affected companies. In some cases, a ransomware attack even threatens the existence of the attacked company. Cyberattacks on critical infrastructure such as hospitals and waterworks have shown that successful ransomware attacks have a drastic impact on civilians.

Definition according to BKA - Ransomware

Ransomware - malicious software that uses encryption of user data or databases to prevent access to data and systems that can be accessed locally or over the network. If you fall victim to such an attack, the perpetrators usually demand a ransom - in digital currency - and only remove the encryption once they have received the ransom. To increase the pressure on the victims, short deadlines are also set. In addition, data is threatened with deletion or publication if the demand is not met in time.

Cybercrime metrics on ransomware attacks in 2022
Source: BKA, Cybercrime Bundeslagebild 2022 "Key figures on ransomware attacks in 2022".


Ransomware actors work in well-organized groups and share the work, giving rise to the "ransomware-as-a-service" model in the underground economy. In this model, a group of cybercriminals develops the ransomware and then hires other collaborators to transfer the software to target computers. Through an affiliate program, all parties benefit: the collaborators receive a share of the extorted ransom for each successful attack, while the majority goes to the ransomware developers.

Cybercrime Division of labor within a RaaS grouping
Source: BKA, Cybercrime Bundeslagebild 2022 "Division of labor within a RaaS grouping analogous to the structure of a medium-sized company with approx. 30 - 100 employees".

Definition according to BKA - Ransomware-as-a-Service

Ransomware that is operated in the form of a "service" represents a special form of ransomware - so-called "ransomware-as-a-service".

From programming to blackmail to ransomware

Cybercrime Ransomware Value Chain
Source: BKA, Cybercrime Bundeslagebild 2020 "Ransomware Value Chain".

Ransomware case study: Doppelpaymer

The Federal Criminal Police Office first identified the ransomware Doppelpaymer in 2019. Since 2020, there has been an increase in the use of this ransomware in Germany, with companies and public institutions being targeted in particular. Doppelpaymer is believed to belong to the Bitpaymer family and specializes in permanently encrypting IT systems.

The malware enters target systems by using compromised Windows remote maintenance protocols. It then uses exploits to gain user privileges and move inside the system. Before it encrypts the system, Doppelpaymer first collects data and transmits it to the outside. After that, victims receive a ransom note. The group behind Doppelpaymer uses the previously stolen data as leverage against the victims and threatens to release it (double extortion).

In 2020, various corporate networks were affected by Doppelpaymer attacks, including critical infrastructure and large listed companies. A particularly serious incident occurred on September 10, 2020, when the IT system of Düsseldorf University Hospital was affected by a ransomware attack. The encryption of the imaging systems meant that emergency care could no longer be provided and patients had to be transferred to other hospitals. Before the encryption, the attackers had probably stolen about 100,000 patient data records from the network.

Cybercrime Proportion of companies that paid ransom after a ransomware attack
Source: BKA, Cybercrime Bundeslagebild 2022 according to data from Coveware in Chainalysis 2023 "Proportion of companies that paid a ransom after a ransomware attack".

DDoS attacks - overloading the systems

Distributed Denial of Service attacks, also known as DDoS attacks, aim to overload the target system and thereby cause damage to the people, companies and objects under attack. In recent years, there has been a steady increase in both the number and intensity of these DDoS attacks.

Definition according to BKA - Distributed Denial of Service (DDoS) attacks

By deliberately causing an overload, an attempt is made to disrupt the availability of an Internet service or a target system. The DDoS attack is characterized by the fact that the attack usually comes from a large number of individual requests or a large number of computers - often by means of large, remote-controlled botnets.


Botnets are created when malicious software is secretly installed on the computers of unsuspecting victims. The infected devices are then controlled via so-called "command & control servers" without their owners' knowledge and connected to form a botnet, enabling mass requests to be made.

The 9 pillars of cybercrime

In the field of cybercrime in the narrower sense, a strong division of labor between the participants and the components required for the overall crime is characteristic. Few cybercriminals today can commit cybercrimes alone and without significant help from third parties. This has led to an increasing specialization of individual cybercrime-as-a-service providers. This enables less technically skilled perpetrators to commit more complex crimes. Consequently, these players are able to increasingly outsource technically demanding tasks and hire competent service providers to do so.

Currently, the Federal Criminal Police Office (BKA) has identified nine main pillars of this development:

9 pillars of cybercrime
Source: BKA, Cybercrime Bundeslagebild 2020, p. 46

Cybercrime outlook - shift in cyberattacks

Cybercrime remains at a high level, having risen sharply in recent years, particularly due to increased digitization during the COVID-19 pandemic.

Outlook cybercrime
Source: BKA, Cybercrime Bundeslagebild 2022, p. 1

However, there are still many undetected cases of cybercrime, so information from IT security service providers is important. Cooperation between companies, security service providers and law enforcement agencies is of utmost importance. It is also important to note that many cybercrimes are committed from abroad, which is not captured in police crime statistics and leaves room for estimates of unreported cases. Measures to record and evaluate these cases are underway in order to obtain a realistic picture of cybercrime.

Damage in Germany - Perpetrators Abroad. The international aspect of cybercrime continues to come to the fore.

    Charlotte Goetz