ctipilot.ch

Germany's federal cabinet approves Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect attacker traffic and disable infrastructure

incident · item:germany-cybersicherheitsstaerkungsgesetz-bka-bsi-bundespolizei-active-defence

  • Coverage timeline: 1 (first 2026-05-28 → last 2026-05-28)
  • Briefs: 1 (1 distinct)
  • Sources cited: 39 (27 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-05-28 · CTI Daily Brief — 2026-05-28 · active_threats
     First coverage. German cabinet approved law 2026-05-27 granting BKA/BSI/Bundespolizei authority to redirect attacker traffic, intervene in IT systems, delete/modify data on attacker servers, shut down C2 nodes including foreign infrastructure. Funds ~350 positions + €50M/year. Bill proceeds to Bundestag. Threat-intel implications: expect DE LE as takedown actor.

Where this entity is cited

  • active_threats (1)

Source distribution

  • heise.de: 5 (13%)
  • therecord.media: 3 (8%)
  • thehackernews.com: 3 (8%)
  • bka.de: 2 (5%)
  • helpnetsecurity.com: 2 (5%)
  • kaspersky.com: 2 (5%)
  • securelist.com: 2 (5%)
  • blog.checkpoint.com: 1 (3%)
  • other: 19 (49%)

Related entities

All cited sources (39)

Items in briefs about Germany's federal cabinet approves Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect attacker traffic and disable infrastructure (8)

Germany's federal cabinet approves the Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect traffic and disable attacker infrastructure

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Law to Strengthen Cybersecurity) on 2026-05-27, granting three federal agencies — the Bundeskriminalamt (BKA), the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundespolizei — new authority to conduct what the government frames as active cyber defence rather than offensive hackback (Heise Security, 2026-05-27; onvista / dpa, 2026-05-27; t-online, 2026-05-27). Under the law the agencies may redirect attacker-controlled traffic, selectively intervene in IT systems used to attack Germany, delete or modify data on attacker servers, and shut down dangerous C2 nodes — explicitly including foreign infrastructure. Interior Minister Alexander Dobrindt (CSU) positioned the measure as active cyber defence targeting attacker command-and-control infrastructure rather than retaliatory hackback. The bill funds on the order of 350 new positions across the three agencies and approximately €50 million per year in personnel and material (per onvista/dpa; t-online reports a smaller initial figure — see § 7). The Bundesverband der Deutschen Industrie (BDI) and civil-society voices warned of collateral-damage risk on shared hosting and VPN servers and flagged constitutional concerns. The bill next proceeds to the Bundestag; it does not yet have force of law.

Why it matters to us: German LE gaining the legal authority to sinkhole, redirect, or disable attack infrastructure will change the threat-intel attribution picture across Europe. SOC managers should expect that unexplained C2 outages on Germany-adjacent hosting may be LE action rather than malware infrastructure rotation. Threat-intel teams tracking takedown patterns should add de.bka, de.bsi, de.bpol as expected actors in the takedown attribution stack alongside CrowdStrike Counter Adversary Operations, Microsoft DCU and Europol.

BKA Dream Market arrest — "Speedstepper" detained in Germany after seven years at large

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

BKA arrested Dream Market lead administrator "Speedstepper" in Germany; OPSEC failure traced to cryptocurrency-to-physical-gold conversion patterns (daily 2026-05-16). Complements the W20 BKA Crimenetwork takedown (daily 2026-05-12) — two consecutive German federal LE actions against darknet-market administrative-tier operators in the same week. For European cybercrime ecosystem analysis: the BKA tempo on darknet-administrator pursuit is materially elevated through Q2 2026 and likely informs the broader operator OPSEC environment.

Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

Qilin / Agenda RaaS — April 2026 lead at 15% of global ransomware activity, Germany 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

W19 long-running record (item:qilin-agenda-raas-die-linke-confirms-q2-2026-german-activity) tracked Qilin's continued German activity. W20 status: Check Point's April 2026 report confirms Qilin leads all RaaS operators at 15% of 707 published attacks in April; Germany's share at 5% of global ransomware victims is the elevated-DACH-exposure data point (Qilin DLS German-victim count cited by W1 horizon research as approximately 65 as of 2026-05-16 — uncorroborated leak-site enumeration that should be treated as a lower bound); Die Linke (German political party) confirmed Qilin compromise in March 2026 (W19 carry-over); no new Swiss-specific victim named in window (Check Point Research).

BKA — Dream Market lead administrator "Speedstepper" arrested in Germany

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Adds to the BKA Crimenetwork takedown (covered daily 2026-05-12 as a separate W20 LE action). Two consecutive German federal LE actions against darknet-administrator-tier operators within the same week — a notable tempo signal for the EU cybercrime LE ecosystem. The OPSEC failure (cryptocurrency-to-physical-gold conversion patterns over seven years) is forensically interesting but the policy-horizon implication is that BKA's investigative throughput on darknet-administrator pursuits is materially elevated through Q2 2026 (daily 2026-05-16).

BKA arrests Dream Market lead administrator "Speedstepper" in Germany — cryptocurrency-to-physical-gold OPSEC failure after seven years at large

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

Owe Martin Andresen, a 49-year-old German national alleged by US and German prosecutors to be "Speedstepper" — the lead administrator of the Dream Market darknet narcotics marketplace from 2013 until its 2019 voluntary shutdown — was arrested in Germany on 2026-05-07 and publicly identified on 2026-05-13–14 (The Record, 2026-05-14 · US DEA, 2026-05-13). The action was a coordinated multi-agency operation: the Bundeskriminalamt and the Zentrale Kriminalinspektion Oldenburg for the German side, with the US DEA Miami, IRS-CI Cyber Crimes Unit, FBI, USPIS, and HSI executing in parallel. A US federal grand jury in the Northern District of Georgia had returned a sealed indictment on 2026-01-13 charging Andresen with six counts of international concealment money laundering and six counts of concealment money laundering (240 years aggregate maximum); German charges carry up to five years. The OPSEC failures that closed the seven-year gap were operational, not technical: in late 2022 Andresen allegedly accessed Dream Market's dormant cryptocurrency wallets — an action only the holder of the original private keys could perform — and consolidated the contents into a single wallet, providing prosecutors with a definitive on-chain link; and in August 2023 he used an Atlanta-based cryptocurrency-to-physical-asset service to purchase gold bars that were shipped directly to his home address in Germany, providing the geographic and identity link. At arrest, German authorities seized approximately USD 1.7 million in gold bars, USD 23,000 in cash, and approximately USD 1.2 million in cryptocurrency. Three Dream Market co-administrators ("Oxymonster", "KITT3N", "GOWRON") had been convicted previously.

The case is operationally interesting to public-sector intelligence liaisons because it illustrates that long-tail attribution of darknet operators is increasingly driven by post-cessation financial behaviour — wallet reactivation, regulated-service touchpoints, physical-asset conversion — rather than on-platform OPSEC; the seven-year delay between the marketplace's closure and the arrest is the operational signal.

Germany KRITIS-DachG in force — public administration first time in critical-infrastructure scope; registration deadline 17 July 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Germany's KRITIS-DachG (Act to Strengthen Physical Resilience of Critical Installations), implementing EU CER Directive 2022/2557, entered into force in late March 2026 following Bundesrat approval on 6 March 2026 (Luther Lawfirm, 2026-04-10 · Morrison Foerster European Digital Compliance, 2026-05-01). The Act establishes the first cross-sectoral physical and organisational resilience framework covering energy, transport, healthcare, water, finance, and — for the first time — municipal waste disposal and aspects of public administration. Registration deadline 17 July 2026 (or within three months of later qualification). Post-registration obligations cascade over nine–ten months: risk assessments every four years covering natural / technical / sabotage / cross-border scenarios, resilience plans, and 24-hour incident reporting to a joint BSI/BBK reporting point. Fines for non-compliance: up to €100,000 for registration/cooperation failures; up to €1,000,000 for concealing non-registration status; up to €200,000 for missing resilience evidence or plan. Key ambiguity: the BMI implementing ordinance defining which specific services and installations qualify as "critical" is not yet published, leaving scope uncertain for borderline operators. What defenders need to do differently: German public-sector and critical-sector organisations need to self-assess KRITIS-DachG applicability before 17 July; ISG-style 24-hour reporting obligation now applies to physical as well as cyber incidents; Swiss entities with German subsidiaries operating in scope sectors are directly affected. Cross-references NIS2 and BSI Act obligations — the three frameworks overlap operationally and require coordinated incident-response runbook design.

Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

The German federal party Die Linke confirmed in April 2026 that the Qilin ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted and exfiltrated its systems, with the gang claiming 1.5 TB of internal data. The party's data protection officer notified the responsible Landesdatenschutzbehörde (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but has not been previously covered in this brief series.