The way digital investigators work in Germany and Europe today has changed fundamentally—something that not all stakeholders have noticed yet. As a criminal defense attorney, I have been observing how things are changing in my own cybercrime cases for years—in addition to the wealth of information I receive from my network of clients and colleagues. And I can only say: it’s time to wake up. German investigators in particular are extremely persistent and know how to make the most of international instruments. Above all, the special public prosecutor’s offices in Cologne, Frankfurt, and Bamberg must be kept on the international radar.
Cybercrime platforms targeted by investigators
I cannot avoid the obligatory introduction, but I would like to take a brief look at recent crackdowns: National and international law enforcement agencies are increasingly dismantling a number of significant cybercrime infrastructure platforms.
In its latest report on cybercrime in Germany, the Federal Criminal Police Office refers to “significant successes,” which correlates with increasing pressure on the organized digital underground. The targets range from ransomware infrastructures and phishing services to illegal trading platforms on the darknet and areas close to the clearnet. So what is there to report?
Genesis Market – Credential marketplace with global reach
In April 2023, Genesis Market, a central trading platform for stolen access data, was shut down. The FBI coordinated the international operation together with European authorities. The marketplace offered so-called “bots” – compromised access data including fingerprints, cookies, and device data, packaged in a user-friendly interface. Genesis was thus a key instrument for identity theft, account takeovers, and downstream fraud. According to the BKA, several arrests were made in Germany as part of Operation Cookie Monster, including a suspect with over 6,000 data records in his account.
Raidforums and BreachForums – Successors and Collapse
Back in 2022, Raidforums, a platform that played a central role in the exchange of large data leaks, was taken offline. In 2023, BreachForums was also shut down—a kind of successor on which, among other things, highly sensitive data sets such as those from Doxbin, health data, or leaked government information were sold and distributed. This blow was also coordinated internationally, with German IP addresses and users once again being affected.
Kingdom Market – Darknet drug trafficking and counterfeiting
Kingdom Market, a major darknet marketplace, was taken offline in December 2023. The platform was used to trade narcotics, identity documents, counterfeit money, and other illegal goods. The infrastructure was highly secure from a technical standpoint—the BKA (Federal Criminal Police Office) reports that multiple layers of encrypted servers and evasion routines were used. Here, too, international investigative alliances, including the FBI, Europol, and German authorities, gained access.
Exclu Messenger – Crypto communication for organized crime
The BKA is paying particular attention to dismantling the encrypted communication service “Exclu.” This was shut down in February 2023 as part of a concerted action. Exclu was a supposedly secure messenger service that was particularly popular in organized crime circles, including cybercrime actors such as ransomware groups and DDoS-as-a-Service providers. The platform was operated by a team of developers based in the Netherlands; here, too, Germany was once again actively involved in the investigations.
Phishing-as-a-Service provider “LabHost”
In April 2023, LabHost, a platform that enabled phishing-as-a-service on an industrial scale, was shut down. It provided phishing kits, hosting, and control interfaces for fake login pages for hundreds of banks, telecom providers, and online services. The platform was highly automated and enabled even technically inexperienced perpetrators to launch complex phishing campaigns. Here, too, the new pattern is evident: professionalization, division of labor, and service orientation in digital crime.
Further takedowns and trends
In addition to these prominent cases, the BKA refers to numerous other dismantling operations targeting smaller infrastructure: bulletproof hosting services such as Cyberbunker and ZServers, crypting services, and ransomware command-and-control servers. One provider mentioned in particular is “NoEscape,” whose infrastructure was compromised in 2023. The police are increasingly relying on the interaction of “Cyber Action Days,” OSINT, infiltrated Telegram groups, and classic undercover investigative work.
View of the cybercrime defense attorney in Germany
The aforementioned selection of dismantled cybercrime services marks a phase of increased repression, particularly against platforms that lower thresholds and decouple perpetrator competencies through their service orientation. I have been blogging about IT criminal law for years and have been documenting a development that has gradually come to fruition: The shift from individual “hackers” to a cybercrime economy organized around the division of labor, with front-end service providers, payment processors, and infrastructure operators, is now complete. The fact that investigative measures are now focusing on precisely these platform operators is an expression of this shift—but at the same time, it also reflects a growing uncertainty in the milieu regarding anonymity, trust, and sustainability.
It is no coincidence that the number of cases in which defendants invoke technical naivety, legal ambiguities, and lack of intent is also increasing. Services such as Genesis Market and LabHost in particular are creating new opportunities for defense—whether in terms of the subjective nature of the offense, the extent of involvement, or the (il)legality of the investigative measures.

Want to learn more about me? I have discussed the topic of digital evidence in two podcasts so far: In the Heise Podcast “Auslegungssache” (A Matter of Interpretation), I talked about digital investigations, which can be found here.
In the podcast “Rechtsbelehrung” (Legal Advice), I discussed digital forensics and evidence gathering in more technical detail—available here.
Investigators change the rules of the game
At some point, from today’s perspective a few years ago, a paradigm shift occurred relatively gradually but within a short period of time on the part of investigators. This change in working methods has had a massive impact in recent years – interestingly, it is now the “users” who have lost touch. While they continue to fantasize in forums and boards about investigators who are overwhelmed by technology, the investigators are achieving result after result. This is no coincidence.
Of course, we have to make a distinction here: the average local police officer is not a cybercrime specialist. But in cases of genuine cybercrime, they are no longer involved—and the professionalization of special cybercrime departments, at least at the State Criminal Police Office and the public prosecutor’s offices (above all in Cologne, Bamberg, and Frankfurt), is very impressive. It quickly becomes apparent that this can no longer be a meeting of equals when the standard defense attorney faces them and tries to work according to a set pattern. It is not without reason that colleagues from the public prosecutor’s office in these areas regularly meet outside their own authority at professional events or read specialist publications from this sphere. This also stands in stark contrast to the average German prosecutor, who tends to avoid the public eye and wants to work as they did 30 years ago.
Cybercrime: New avenues for investigators
Professional investigators have long been working with completely new methods. And even if you only notice it in passing, something like this would have been unthinkable in Germany a few years ago—they looked at some things from the US and narcotics investigations and then purposefully transferred them to cybercrime. The potential for defense, on the other hand, has melted away dramatically in real terms. Cybercriminals, who are often completely unprofessional in their preparations, then often do the rest to ensure that they are at the mercy of subsequent proceedings.
Investigators in the spotlight
Just a few years ago, investigators dutifully went about their work, made their arrests, and that was that. Then, at some point, charges were brought, and perhaps the press reported on it in the meantime. That has changed: It began with proactive, early press work, escalated to high-profile “action days” in conjunction with game-design-compatible logos(*) and prominent banners on shut-down websites … and has now evolved into dedicated information websites on specific measures that target users and other criminals. Prevention and repression are becoming increasingly intertwined.
(*) Although the French once again take the cake, while the German BND symbol is suspiciously reminiscent of the UCF logo from Verhoeven’s Starship Troopers.
First they listen in, then they move in
Another aspect is the type of access: I still remember well the days when illegal offerings were uncovered and quickly shut down. Ideally, this was done in the classic manner: you go out and conduct a search. The FBI was ahead of the game in this respect: when they seized illegal servers, they continued to operate them under a different name for a while and collected as much data as possible, which they then passed on, for example to the Federal Criminal Police Office (BKA). On the other hand, we have known for a long time from narcotics proceedings that crimes are observed and deliberately allowed to take place under the eyes of the investigators for a certain period of time(*).
Cybercrime works in a similar way, and not just since Encrochat, but it became clear then, if not before, that the aim is to find a way in and try to eavesdrop and collect data in order to then access the target. Encrochat was neither the first nor the last time—I know of other cases, one of which is very recent and has received a lot of media attention—in which the server is located, network traffic is recorded, investigations are carried out in the background, and then at some point… Action Day (that’s really the term used; I know it from a number of investigations ranging from narcotics to cybercrime). In some cases, months or even a year are spent preparing, collecting, and evaluating data; server images are even taken and evaluated while the service is still running and being used. It took me a long time to understand how to do this without being noticed (and no, I’m not going to reveal that here).
(*) There is now a wealth of case law from the Federal Court of Justice on sentencing—investigators are allowed to proceed in this manner, and it does not even help that you were being observed.

Where does cybercrime stand?
Investigators are currently doing a lot of things right—they are moving away from individual offerings toward hosting offerings, communication infrastructures, and platforms; but these are only investigative approaches to ideally eavesdrop at the highest network level (in the OSI model layers 1 and 2). Once you have collected enough data to burst the macroeconomy, you automatically have the associated mass microeconomy in tow. It took some time, but cybercrime investigators have responded to industrialized, professionalized cybercrime by adapting their investigative methods accordingly. Where “cybercrime as a service” prevails, there is now “crime fighting as a service,” which the BKA, for example, offers very cleverly to local police forces with its Cybertoolbox.
Anyone who doesn’t take cybercrime investigators seriously (and judging by the relevant forums, that’s a lot of people) hasn’t understood that the wind is blowing in a different direction today. Yes, Russian hackers in Russia will never be caught. But that has nothing to do with classic, profit-oriented cybercrime, whose offerings are falling like dominoes. The approach described, together with the networking of the vast amounts of data found in each case, is like a wildfire. I suspect that investigators are currently unable to decide where to strike next – whereas in the past, they were happy just to have any leads to investigate.
German case law, which does not recognize prohibitions on the use of evidence, allows for extremely borderline uses of evidence—as Encrochat has shown. At the latest since Encrochat—when many defense attorneys based their entire tactics on a prohibition on the use of evidence that foreseeably did not exist—it should also be clear that bragging does not achieve good results. You should make sure early on that you have a lawyer of your own choosing at your disposal before you are forced to rely on stupid advice in prison and court-appointed defense attorneys because you don’t know what to do in the detention cell.
Wanted lists: Borders are no longer hard walls!
Anyone who still believes that a national border forms a real protective barrier has no idea what they are talking about and should return to legality while they still can: within Europe, cooperation is now routine, and in my opinion, cross-border server access is possible without any problems. The implementation of eEvidence will do the rest to make this work even better. And just as an aside: anyone who believes that France or the Netherlands are smart locations alongside Germany really has no idea. The Netherlands in particular is a hotspot with fantastic investigative opportunities at the network/server level – it’s no wonder that this small country so often appears in cybercrime operations, almost unnoticed on the sidelines.
Cross-border manhunts are also proving effective. Investigators are persistent and will continue their search until the statute of limitations expires (which, for these types of crimes, is typically 20 years). There are also some changes here: on the BKA’s public wanted list, I currently count 24 people who are wanted for cybercrime, and the “EU Most Wanted” list also includes more and more cybercriminals. This shows that, from an investigator’s perspective, cybercrime has long been comparable to other forms of organized crime and is taken seriously. For example, EUROPOL has recently added someone from the ransomware environment to the EU wanted list.
What does good cybercrime defense look like?

Good cybercrime defense begins long before investigators get involved. There are always two major problems at the moment of intervention: surprise and money. Both are completely avoidable annoyances.
Two factors that complicate cybercrime defense
Surprise
One key aspect is the element of surprise, which is of course intentional on the investigators’ “action day”—searches thrive on the fact that you are not prepared for them. However, you are also taken by surprise in other ways: sometimes you are taken into custody and have no opportunity to communicate. When you suddenly find yourself in a detention cell, possibly abroad with an impending transfer to Germany, you can no longer take care of anything! This means that if you haven’t organized a lawyer in advance, you now have to try to find a real professional… or (eventually) be assigned a lawyer by the court. This lawyer may be knowledgeable in criminal law, but may not be familiar with the intricacies of cybercrime and may stoically take note of the police investigation.
Money
The other aspect is money, and yes: this is a highly relevant issue. When investigators strike, everything that could be digital evidence or (digital) value is seized. Even if you can somehow find a good lawyer, you now have the problem of not being able to pay them because everything has been seized. And this problem should not be underestimated: it is embarrassing, to say the least, when I see that I have inquiries from people who are on the FBI’s wanted list, for example, and cannot even come up with a decent advance payment.
Both of these factors together continuously prevent professional support—and that is before we even get to the point where cybercrime professionals sometimes become aware of lawyers through TikTok videos and believe that this is a suitable quality criterion. Experienced cybercrime defense attorneys respect that their cybercrime clients only tolerate a certain amount of publicity. The most important thing is to find a good criminal defense attorney in “good times” who is either paid in advance so they can jump in immediately when something happens, or to make provisions through a trusted trustee. There are solutions for this (and please, no cryptocurrencies—in case of doubt, wallets are monitored as closely as P2P networks!), but you have to take care of it.
For years, I have also been accompanying people who are wanted abroad and are seeking advice—believe me: unless you have a lot of money and are staying in Dubai permanently (and very few people do), everything always looks rosy at first, but it gets worse as the years go by. There are definitely options available! It is a common scenario that people are confident at the beginning, but after a few months, the first signs of disillusionment set in.
Defense approaches to cybercrime
What makes a good cybercrime defense attorney?
A common belief in relevant forums is: Once they’re at the door, it’s too late anyway and nothing matters anymore. This may be true in some cases, but not entirely.
The first thing you notice about competent cybercrime defense attorneys is the way they work: anyone who wants to discuss things via Teams and uses Dropbox and Word has not understood how investigators work. How I work: my entire email infrastructure is hosted by Protonmail, I categorically do not use any of the Big Four Big Tech companies, and all my devices are fully encrypted. Communication is via GPG encryption or Threema; no cheap hardware, only the latest devices, which are disposed of as soon as there are no more updates. Encrypted file containers with Cryptomator or Veracrypt. And, of course, I offer hands-on experience with Kali Linux, can read log files, know how Unix and Windows-based systems generate log files, and understand network protocols.
Secondly, it is important to be aware of certain legal details: there are effectively no rules prohibiting the use of evidence in Germany, and theoretical interpretations of evidence alone are not a compelling argument. In both respects, Germany differs from other jurisdictions! So if a criminal defense attorney tries to use “legal finesse” to pull tricks with the evidence at hand, it is useless and only blinds the client. More important is the ability to assess what is really useful as evidence—and where investigations can realistically be made more difficult. The ability to predict what investigators will find out, so as not to make bad statements too early, is also worth its weight in gold—but it also requires knowledge of the work of investigators.
A good criminal defense attorney who is familiar with cybercrime does not ultimately secure an acquittal when a conviction is already certain—that kind of nonsense only happens on television. However, they can save years and, especially in cases of minor involvement, work out probationary sentences that were not clearly on the table. Good criminal defense is not just about making the impossible possible, but also about achieving a realistic, best possible outcome. In Germany, there is a surprising amount of leeway in this regard, for example because procedural (partial) dismissals can be purposefully worked out in our country. But to do that, you have to know the rules of the game.
