In today’s Europe, your personal data is more likely to be stolen than your wallet. And in the hands of cybercriminals, or hostile regimes, it’s no longer just a privacy issue. It has become a security risk for the Union itself.

That’s the message behind Europol’s IOCTA (Internet Organised Crime Threat Assessment), presented to the European Parliament’s LIBE committee. Titled “Steal, deal and repeat: how cybercriminals trade and exploit your data”, the report describes an online ecosystem where stolen information is extracted, monetised and recycled at an industrial scale.

“For 2025, we picked the topic of data. Because data is everything”, Edvardas Sileris, head of Europol’s European Cybercrime Centre, told MEPs. It’s not just cybercrime, he stressed: “all the other fields of crime are fuelled by data”, from drugs and terrorism to financial crime, propaganda and disinformation.

From commodity to coercion

As the IOCTA study shows, in today’s online crime world, data is leveraged. Once stolen, personal information becomes the raw material for cybercrime’s supply chain. It is sold, repackaged, resold and weaponised. Access to remote desktops, VPNs, firewalls or corporate cloud accounts is traded by “initial access brokers” on dark web forums and, increasingly, on encrypted messaging channels. Those same credentials are used by ransomware gangs, fraud networks or even state-aligned actors.

Mr Sileris offered a scenario as an example. A medium-sized European company suddenly finds all its systems encrypted. “They realise they don’t have any more access to the data. Extortion follows. Usually, they lose a few million euros. Also, they lose reputation as they’ve lost customers’ data. And surprisingly, they have never been hacked directly”. Instead, their data was leaked through the supply chain, then appeared for sale in criminal forums. “You can be victimised without doing anything wrong”, he warned.

Facing these threats, reputation is a new currency. Data brokers advertise everything from infostealer logs and payment card dumps to verified access to corporate networks. Sileris described how cheaply this can start. “If I want to buy a credit card for 5€, I can do it. This might have €5k on the account, and the data broker doesn’t care how I use it”.

AI accelerates cybercrime

The IOCTA details how cybercriminals are rapidly integrating LLMs (large language models) and other generative AI tools into their business models. With this, phishing campaigns can now be automated. One academic study cited in the report found that while human-written phishing emails generated click-through rates of around 12 per cent, LLM-generated messages reached about 54 per cent.

“It’s a new trend with generative AI, with deepfakes, with voice cloning”, Sileris told MEPs. Online fraud is “skyrocketing” because attackers can call or video-call victims with a synthetic voice and image that appear indistinguishable from a real CEO, family member or bank official. “You cannot recognise that it’s fake”, he warned.

But AI’s criminal use isn’t limited to communications. New attacks are targeting Europe’s software supply chains. The tactic is known as “slopsquatting”. Attackers monitor AI coding assistants, wait for them to “hallucinate” a non-existent software package, then upload a real malicious package under that name to public repositories. Developers who trust the AI suggestion end up installing the attacker’s malware, turning the software supply chain into an infection vector.
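On the defensive side, a dependency gate can refuse any assistant-suggested package that has not been vetted. The sketch below is an added example, not taken from the IOCTA or from Europol; the package names, the registry dates and the 180-day age threshold are constructed assumptions.

```python
import re
from datetime import date
from difflib import get_close_matches

# Constructed sample data; all package names are hypothetical.
APPROVED = {"acme-http", "acme-yaml", "acme-crypto"}  # vetted through a reviewed lockfile
REGISTRY_FIRST_UPLOAD = {  # name -> first upload date on the public index
    "acme-http": date(2019, 3, 1),
    "acme-yaml": date(2020, 6, 15),
    "acme-crypto": date(2018, 1, 9),
    "acme-http-retry": date(2025, 5, 20),  # recent upload under a plausible name
    "fastcsv-tools": date(2021, 8, 2),     # established, never vetted by the team
}

def normalize(name):
    # PEP 503 normalisation, so "Acme_HTTP" and "acme-http" compare equal.
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_names(requirements_text):
    # Yield package names from requirements-style lines; drop comments and version specifiers.
    for line in requirements_text.splitlines():
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line.split("#", 1)[0].strip())
        if match:
            yield normalize(match.group(0))

def review(requirements_text, today, min_age_days=180):
    # Return {name: (verdict, closest vetted name or [])} for every requested dependency.
    report = {}
    for name in parse_names(requirements_text):
        first = REGISTRY_FIRST_UPLOAD.get(name)
        if name in APPROVED:
            verdict = "allow"
        elif first is None:
            verdict = "block: name not on registry, open to squatting"
        elif (today - first).days < min_age_days:
            verdict = "block: recently registered and unvetted"
        else:
            verdict = "hold: exists but needs review"
        hint = get_close_matches(name, sorted(APPROVED), n=1, cutoff=0.8)
        report[name] = (verdict, hint)
    return report

# Constructed input: a dependency list as a coding assistant might propose it.
SUGGESTED = "Acme_HTTP>=2.0\nacme-http-retry==0.1.0  # assistant suggestion\nacme-cryptoo\nfastcsv-tools\n"

if __name__ == "__main__":
    for pkg, (verdict, hint) in review(SUGGESTED, date(2025, 7, 1)).items():
        print(f"{pkg:16} {verdict} {hint}")
```

In a real pipeline the first-upload dates would come from the package index and the approved set from a reviewed lockfile, with installs restricted to that set.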

Going dark: the blind spot of encryption

If the threat is evolving fast, Europol argues that the EU’s legal tools are behind, especially when it comes to access to data. Criminals are increasingly moving from open dark-web forums to E2EE (end-to-end encrypted) apps.

While encryption is a tool to block surveillance, law enforcement believes it can also complicate investigations. Metadata of who contacted whom, when and from where is important for mapping networks and identifying suspects. But the IOCTA flags a structural gap, as the EU has no harmonised rules on metadata retention.

Instead, there is a patchwork of national laws. Subscriber information and IP logs are often kept for short or inconsistent periods, and in cross-border investigations, the data is frequently gone by the time authorities request it, critics say.

Brussels is preparing to reopen that fight. After years of political and legal stalemate, the Commission is drafting new proposals on data retention for criminal investigations. The High-Level Group on Access to Data, known as the “Going Dark” group, has already recommended an EU-wide regime requiring providers, including messaging apps, to retain enough data to clearly identify users, including IP addresses and port numbers.

However, law enforcement ambitions collide with Europe’s civil liberties positions. In the past year, a coalition of 55 civil society and professional organisations sent an open letter to EU ministers. They warned that the group’s proposals promote “maximal access possible to personal data” and “risks of mass surveillance as well as substantial security and privacy threats”.

Fighting against cyber threats

To cope with what it calls the “changing DNA” of serious and organised crime, Europol urges a mix of societal resilience and stronger law enforcement powers.

It calls for lawful access mechanisms by design, in cooperation with service providers, particularly for E2EE services. It also calls for clear, harmonised EU rules on targeted metadata retention, and for investment in digital literacy and critical thinking, with specific guidance on privacy management and online risks.