Germany ransomware and cyber extortion policy

Operation Endgame's June Strike Shows Enforcement, Not NIS2 Paperwork, Is Doing the Real Work Against Ransomware

BKA's fourth Operation Endgame action disabled 320+ malware servers feeding ransomware, while Germany's new NIS2 law adds compliance duties for 29,500 firms.

Operation Endgame vs. NIS2: Two Approaches to German… People of Internet Research · Germany 320+ Servers taken offline 40 of the disabled servers were ph… 27M Credentials recovered Stolen from more than 385,000 vict… $47M Crypto assets frozen Identified and restricted across t… 29,500 Firms now BSI-regulated Up from ~4,500 before Germany's NI… peopleofinternet.com
Operation Endgame vs. NIS2: Two Approa… People of Internet Research · Germany 320+ Servers taken offline 27M Credentials recovered $47M Crypto assets frozen 29,500 Firms now BSI-regulated peopleofinternet.com

Key Takeaways

The Fourth Strike

Between June 15 and 19, 2026, the Bundeskriminalamt (BKA) and the Frankfurt am Main public prosecutor's cybercrime unit (ZIT), working with counterparts in the Netherlands, Denmark, the UK, the US and Canada, dismantled the infrastructure behind three malware families — SocGholish, StealC and Amadey. The action, coordinated with Europol, Eurojust, Microsoft and private security firms, took down more than 320 servers (40 of them physically in Germany), seized over 140 domains, and neutralized roughly 15,000 compromised websites. Investigators recovered 27 million stolen credentials from over 385,000 victims and identified around $47 million in cryptocurrency tied to the operation (BKA press release; Europol).

This was not a one-off. It is the latest phase of Operation Endgame, an initiative BKA cybercrime chief Carsten Meywirth launched in May 2024 on a specific theory of the case: instead of chasing ransomware gangs directly, go after the "initial access" loaders and droppers — SocGholish's fake browser-update lures, Amadey's phishing-delivered backdoors, StealC's credential harvesting — that feed the entire ransomware-as-a-service supply chain. StealC has been tied to delivery of LockBit Black payloads via secondary loaders, and SocGholish has long been a preferred entry vector for Evil Corp-linked operators (Bleeping Computer). Meywirth's framing is blunt: "International law enforcement deployed every legal tool against technical infrastructures relied upon by numerous cybercriminals globally."

Regulation's Steelman Case

Germany's other major cybersecurity move this cycle points in a different direction. The NIS-2-Umsetzungsgesetz — the national transposition of the EU's NIS2 directive — entered into force on December 6, 2025, with no transition period. It expanded the BSI's regulatory reach from roughly 4,500 to about 29,500 companies now classified as "important" or "particularly important" entities, each carrying registration, incident-reporting and risk-management obligations (BSI).

The case for that expansion deserves a fair hearing. Mandatory incident reporting is precisely what feeds threat intelligence to agencies like the BSI and BKA — the botnet telemetry, victim counts and infrastructure maps that make an operation like Endgame possible in the first place come from somewhere, and much of it is from regulated entities disclosing what hit them. A regulator that only ever hears from the roughly 4,500 firms sophisticated enough to volunteer information is flying blind on the other 25,000. NIS2 supporters are also right that board-level accountability for basic hygiene — patching, segmentation, credential management — closes off a meaningful share of the entry points loaders like Amadey exploit in the first place.

Where the Burden Falls Short of the Benefit

But the two initiatives make an instructive contrast, and it favors enforcement. Operation Endgame's June action, on BKA's own accounting, is one of at least three coordinated phases since May 2024, each disabling infrastructure that criminal groups had already rebuilt after the last strike. That recurrence is sometimes read as failure — the whack-a-mole critique is fair as far as it goes. But each phase has compounded costs on the criminal side: fresh domains, fresh servers, fresh laundering routes, all while credential databases and crypto wallets get seized outright. It is a strategy with a visible, falsifiable track record measured in servers down and dollars frozen, executed by a concentrated, well-resourced unit (ZIT Frankfurt plus BKA) operating across five allied jurisdictions.

NIS2's payoff is harder to see by comparison. Applying uniform 24-hour reporting and risk-management documentation duties to 29,500 organizations — a nearly sevenfold jump in scope with essentially zero phase-in — spreads compliance spend across firms with wildly different risk profiles and security maturity. A mid-sized logistics company now carries much of the same paperwork burden as a critical infrastructure operator, without evidence that the marginal firms being newly captured are where the next Amadey infection chain actually originates. Compliance capacity, especially for smaller "important entities" without existing security teams, gets spent satisfying the BSI's portal rather than hardening the systems loaders actually exploit.

The Payment-Ban Question Cuts the Same Way

Germany's posture on ransom payments illustrates the same instinct toward proportionality worth preserving. Berlin has consistently declined to criminalize payment by ransomware victims, instead advising against it while leaving the decision to the victim — even as more than twenty German security researchers have pushed an open letter demanding an outright ban (eGovernment). That restraint is correct: criminalizing a victim's last resort does nothing to the criminal infrastructure and simply adds legal jeopardy on top of extortion. The lesson of Operation Endgame's June strike is the same lesson — go after the infrastructure and the money, not the downstream compliance surface of everyone who might one day be a target.

Germany doesn't have to choose between the two tracks entirely, and NIS2's reporting pipeline genuinely feeds operations like Endgame. But as the fourth phase of infrastructure disruption again outproduces a still-bedding-in compliance regime in demonstrable results, BSI and the Bundestag should resist scope creep in future NIS2 revisions and keep funding the BKA/ZIT model that just froze $47 million and downed 320 servers in five days.

Sources & Citations

  1. BKA — Operation Endgame press release (June 24, 2026)
  2. Europol — Global cyber strike disrupts SocGholish, Amadey and StealC
  3. BSI — NIS-2-Umsetzungsgesetz in force
  4. Bleeping Computer — Amadey, StealC disrupted in Operation Endgame
  5. eGovernment — Should Germany ban ransomware payments?