ctipilot.ch

Germany Bundestag first reading of CRA domestic-implementation bill (Drucksache 21/6134)

policy · policy:germany-cra-implementation-bill-2026

Coverage timeline: 1 (first 2026-06-14 → last 2026-06-14)
Briefs: 1 (1 distinct)
Sources cited: 58 (37 hosts)
Sections touched: 1 (weekly_summary)
Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-14 · CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026)
    weekly_summary · First coverage (W2 horizon); designates BSID national CRA authorities, Q4 2026 expected

Where this entity is cited

  • weekly_summary: 1

Source distribution

  • thehackernews.com: 6 (10%)
  • heise.de: 5 (9%)
  • bleepingcomputer.com: 3 (5%)
  • therecord.media: 3 (5%)
  • attack.mitre.org: 3 (5%)
  • bka.de: 2 (3%)
  • bundesregierung.de: 2 (3%)
  • helpnetsecurity.com: 2 (3%)
  • other: 32 (55%)

Related entities

All cited sources (58)

Items in briefs about Germany Bundestag first reading of CRA domestic-implementation bill (Drucksache 21/6134) (14)

Germany's Bundestag opens first reading of the CRA domestic-implementation bill

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

Drucksache 21/6134 — "zur Durchführung der Verordnung (EU) 2024/2847" — had its first reading on 11 June, designating Germany's national CRA authorities, notified bodies and enforcement routes, with BSI the anticipated primary market-surveillance authority (Deutscher Bundestag). This is distinct from the general CRA notifying-authority deadline the W23 weekly tracked: it is the German legislative step starting the parliamentary clock (committee stage next, second/third readings and Bundesrat consent expected Q4 2026). The CRA's Chapter IV (notified bodies) entered into force EU-wide the same day. What to do differently: Swiss ICT vendors exporting digital products to the German public sector, and German public-sector procurers, should track committee amendments now — the national authority designation determines who you report to and who surveils your products under the CRA.

TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Proofpoint reported this week that TA4922, a Chinese-speaking financially-motivated cluster running the highest campaign tempo of any cybercrime actor Proofpoint tracks, pivoted in March–April 2026 to localised campaigns against German, UK, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04; daily 2026-06-05). Native-language tax-authority, HR/payroll and invoice lures now pair the known ValleyRAT (Winos 4.0) with newly observed Atlas RAT (C-based), RomulusLoader, and SilentRunLoader (Python infostealer targeting Chrome credentials). A notable TTP shift: conversations are moved to LINE, WhatsApp and Microsoft Teams before payload delivery, pulling targets off enterprise email controls. DACH public-sector and finance staff are in direct scope. Hunt for DLL side-loading chains where AnyDesk/SyncFuture load from unexpected user-profile paths, for Python processes reaching Chrome DPAPI, and for unsolicited inbound contact on Teams/WhatsApp that pivots to a "document."

Germany's Gesetzentwurf zur Stärkung der Cybersicherheit: cabinet-approved active-cyberdefence powers for BKA, Bundespolizei and BSI

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

On 27 May 2026 the German Federal Cabinet adopted the Gesetzentwurf zur Stärkung der Cybersicherheit, now proceeding to the Bundestag (German Federal Government, 2026-05-27; Digital Watch Observatory, 2026-05-31). The law grants: the BKA and Bundespolizei authority to shut down or disrupt attacker-controlled infrastructure including servers located outside Germany, reroute data traffic, and collect/modify/delete data on foreign systems; the BSI expanded authority to collect threat-preparation data and require telecoms and major platforms to relay BSI threat warnings to end users. Interior Minister Dobrindt: "In future, we will target the attacker, their servers, their software and their strategy." Personnel implications: BKA +264, Bundespolizei +90, BSI +21 positions by 2030. Civil-society analysis flags constitutional concerns (Basic Law, cross-border state action, jurisdictional conflict with Länder). For DACH/EU defenders: (a) once enacted, telecoms/platform operators gain a new duty-to-relay obligation for BSI warnings; (b) the law sets a precedent for EU active-cyberdefence norms that forthcoming Swiss cyber-resilience legislation (draft expected autumn 2026) will need to address.

Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT

From CTI Daily Brief — 2026-06-05 · published 2026-06-05

Proofpoint reports that TA4922, a Chinese-speaking, financially-motivated cluster it assesses as running the highest campaign tempo of any cybercrime actor it tracks, expanded in March–April 2026 from its historical Japanese focus to localised campaigns against UK, German, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04). Lures are carefully tailored in the target's native language — tax-authority, HR/payroll and invoice themes — and the toolkit now pairs the known ValleyRAT (Winos 4.0) with newly observed families: Atlas RAT (a C-based RAT) and RomulusLoader, which DLL-side-loads (T1574.002) AnyDesk and SyncFuture, plus SilentRunLoader, a Python infostealer pulling Chrome credentials and cookies (T1555.003). A notable TTP shift is the deliberate move of conversations to LINE, WhatsApp and Microsoft Teams to pull targets off enterprise email controls before payload delivery.

Why it matters to us: German and UK targeting with native-language tax/payroll lures puts DACH public-sector and finance staff squarely in scope. Hunt for DLL side-loading chains where trusted binaries (AnyDesk, SyncFuture) load from unexpected working directories, for Python processes reaching DPAPI / Chrome credential stores, and for unsolicited inbound contact on LINE/WhatsApp/Teams that pivots to a "document" — the out-of-band channel is where the email gateway loses visibility.

Ghost Stadium PhaaS — 300+ FIFA domain clones, multi-language fake SSO, targeting UK/Germany/Portugal/Spain fan credentials before June 11 kickoff

From CTI Daily Brief — 2026-05-30 · published 2026-05-30

The FBI issued PSA260527 on 27 May 2026 warning that a Chinese-speaking financially-motivated threat actor tracked by Group-IB as Ghost Stadium has deployed more than 300 phishing sites impersonating fifa.com, all reproducing the official site pixel-for-pixel including a fake single-sign-on authentication flow in multiple languages (FBI IC3 PSA260527, 2026-05-27; BleepingComputer, 2026-05-28). Typosquatted domains span alternative TLDs (.org, .xyz, .live, .sale) and character substitutions; additional fake employment portals impersonate FIFA HR functions. Criminal objectives include credential and financial-data theft via the fake SSO, counterfeit ticket and hospitality sales, fake merchandise and streaming-rights fraud. UK, Germany, Portugal, and Spain are explicitly named as target demographics. Browser-based security controls (Safe Browsing, SmartScreen) do not protect against freshly-registered domains before abuse is reported. For defenders at organisations with large employee populations purchasing World Cup tickets: advise bookmarking https://www.fifa.com directly; treat any sponsored search result for FIFA ticket purchases as unverified. The high-intensity fraud window is the lead-up to the July 19 final.

Germany's federal cabinet approves the Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect traffic and disable attacker infrastructure

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Law to Strengthen Cybersecurity) on 2026-05-27, granting three federal agencies — the Bundeskriminalamt (BKA), the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundespolizei — new authority to conduct what the government frames as active cyber defence rather than offensive hackback (Heise Security, 2026-05-27; onvista / dpa, 2026-05-27; t-online, 2026-05-27). Under the law the agencies may redirect attacker-controlled traffic, selectively intervene in IT systems used to attack Germany, delete or modify data on attacker servers, and shut down dangerous C2 nodes — explicitly including foreign infrastructure. Interior Minister Alexander Dobrindt (CSU) positioned the measure as active cyber defence targeting attacker command-and-control infrastructure rather than retaliatory hackback. The bill funds on the order of 350 new positions across the three agencies and approximately €50 million per year in personnel and material (per onvista/dpa; t-online reports a smaller initial figure — see § 7). The Bundesverband der Deutschen Industrie (BDI) and civil-society voices warned of collateral-damage risk on shared hosting and VPN servers and flagged constitutional concerns. The bill next proceeds to the Bundestag; it does not yet have force of law.

Why it matters to us: German LE gaining the legal authority to sinkhole, redirect, or disable attack infrastructure will change the threat-intel attribution picture across Europe. SOC managers should expect that unexplained C2 outages on Germany-adjacent hosting may be LE action rather than malware infrastructure rotation. Threat-intel teams tracking takedown patterns should add de.bka, de.bsi, de.bpol as expected actors in the takedown attribution stack alongside CrowdStrike Counter Adversary Operations, Microsoft DCU and Europol.

Germany's Cybersicherheitsstärkungsgesetz — federal cabinet approves active-cyber-defence powers; Bundestag passage still ahead

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Cyber Security Strengthening Act) on 2026-05-27 — the daily caught the Heise news hit; the primary government sources confirm the substance and, importantly, that it is a draft bill still requiring Bundestag passage and is not yet in force. Per the government's framing, it shifts the state from purely defending the target to acting directly against the attacker — "their servers, their software and their strategy" — with the BSI, BKA and Bundespolizei among the bodies gaining expanded authority to detect and counter large-scale, high-damage attacks (the announcement does not break the new powers down per agency in technical detail). For CH/EU defenders the watch item is the cross-border incident-response implication: once in force, German-authority active operations against infrastructure that may be hosted in or transit other jurisdictions raise coordination and deconfliction questions for any SOC running IR across the DACH region. Track the Bundestag passage; nothing changes operationally until it lands.

BKA Dream Market arrest — "Speedstepper" detained in Germany after seven years at large

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

BKA arrested Dream Market lead administrator "Speedstepper" in Germany; OPSEC failure traced to cryptocurrency-to-physical-gold conversion patterns (daily 2026-05-16). Complements the W20 BKA Crimenetwork takedown (daily 2026-05-12) — two consecutive German federal LE actions against darknet-market administrative-tier operators in the same week. For European cybercrime ecosystem analysis: the BKA tempo on darknet-administrator pursuit is materially elevated through Q2 2026 and likely informs the broader operator OPSEC environment.

Check Point April 2026 ransomware analysis — Qilin leads at 15%, Germany at 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Check Point's April 2026 monthly threat report (published early May 2026) confirms Qilin / Agenda leading all ransomware operators with 15% of 707 published attacks in April; Germany is the third-most-targeted country globally at 5.0% of victims (US 41.6%); Europe accounts for 27% of ransomware victims globally. Sector targeting in April 2026: Business Services (33.8%), healthcare, manufacturing. The Gentlemen — despite the May 4 backend breach — remained in the top-7 operators with 320+ victims (Check Point Research, 2026-05-08). The synthesis the dailies did not yet absorb: Germany's 5% share of global ransomware victims is materially elevated compared to the 2024–2025 baseline (~2–3%); the Qilin DLS lists 65 German victims total as of 2026-05-16 (Check Point blog, dataset reference). For Swiss defenders: CH-DE cross-border operations (Swiss subsidiaries in DE, German subsidiaries of Swiss parents) inherit the German exposure level; this is the empirical basis for a DACH-region threat-modelling premium on ransomware-readiness exercises.

Qilin / Agenda RaaS — April 2026 lead at 15% of global ransomware activity, Germany 5% of global victims

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

W19 long-running record (item:qilin-agenda-raas-die-linke-confirms-q2-2026-german-activity) tracked Qilin's continued German activity. W20 status: Check Point's April 2026 report confirms Qilin leads all RaaS operators at 15% of 707 published attacks in April; Germany's share at 5% of global ransomware victims is the elevated-DACH-exposure data point (Qilin DLS German-victim count cited by W1 horizon research as approximately 65 as of 2026-05-16 — uncorroborated leak-site enumeration that should be treated as a lower bound); Die Linke (German political party) confirmed Qilin compromise in March 2026 (W19 carry-over); no new Swiss-specific victim named in window (Check Point Research).

BKA — Dream Market lead administrator "Speedstepper" arrested in Germany

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Adds to the BKA Crimenetwork takedown (covered daily 2026-05-12 as a separate W20 LE action). Two consecutive German federal LE actions against darknet-administrator-tier operators within the same week — a notable tempo signal for the EU cybercrime LE ecosystem. The OPSEC failure (cryptocurrency-to-physical-gold conversion patterns over seven years) is forensically interesting but the policy-horizon implication is that BKA's investigative throughput on darknet-administrator pursuits is materially elevated through Q2 2026 (daily 2026-05-16).

BKA arrests Dream Market lead administrator "Speedstepper" in Germany — cryptocurrency-to-physical-gold OPSEC failure after seven years at large

From CTI Daily Brief — 2026-05-16 · published 2026-05-16

Owe Martin Andresen, a 49-year-old German national alleged by US and German prosecutors to be "Speedstepper" — the lead administrator of the Dream Market darknet narcotics marketplace from 2013 until its 2019 voluntary shutdown — was arrested in Germany on 2026-05-07 and publicly identified on 2026-05-13–14 (The Record, 2026-05-14 · US DEA, 2026-05-13). The action was a coordinated multi-agency operation: the Bundeskriminalamt and the Zentrale Kriminalinspektion Oldenburg for the German side, with the US DEA Miami, IRS-CI Cyber Crimes Unit, FBI, USPIS, and HSI executing in parallel. A US federal grand jury in the Northern District of Georgia had returned a sealed indictment on 2026-01-13 charging Andresen with six counts of international concealment money laundering and six counts of concealment money laundering (240 years aggregate maximum); German charges carry up to five years. The OPSEC failures that closed the seven-year gap were operational, not technical: in late 2022 Andresen allegedly accessed Dream Market's dormant cryptocurrency wallets — an action only the holder of the original private keys could perform — and consolidated the contents into a single wallet, providing prosecutors with a definitive on-chain link; and in August 2023 he used an Atlanta-based cryptocurrency-to-physical-asset service to purchase gold bars that were shipped directly to his home address in Germany, providing the geographic and identity link. At arrest, German authorities seized approximately USD 1.7 million in gold bars, USD 23,000 in cash, and approximately USD 1.2 million in cryptocurrency. Three Dream Market co-administrators ("Oxymonster", "KITT3N", "GOWRON") had been convicted previously. 
The case is operationally interesting to public-sector intelligence liaisons because it illustrates that long-tail attribution of darknet operators is increasingly driven by post-cessation financial behaviour — wallet reactivation, regulated-service touchpoints, physical-asset conversion — rather than on-platform OPSEC; the seven-year delay between the marketplace's closure and the arrest is the operational signal.

Germany KRITIS-DachG in force — public administration first time in critical-infrastructure scope; registration deadline 17 July 2026

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

Germany's KRITIS-DachG (Act to Strengthen Physical Resilience of Critical Installations), implementing EU CER Directive 2022/2557, entered into force in late March 2026 following Bundesrat approval on 6 March 2026 (Luther Lawfirm, 2026-04-10 · Morrison Foerster European Digital Compliance, 2026-05-01). The Act establishes the first cross-sectoral physical and organisational resilience framework covering energy, transport, healthcare, water, finance, and — for the first time — municipal waste disposal and aspects of public administration. Registration deadline 17 July 2026 (or within three months of later qualification). Post-registration obligations cascade over nine–ten months: risk assessments every four years covering natural / technical / sabotage / cross-border scenarios, resilience plans, and 24-hour incident reporting to a joint BSI/BBK reporting point. Fines for non-compliance: up to €100,000 for registration/cooperation failures; up to €1,000,000 for concealing non-registration status; up to €200,000 for missing resilience evidence or plan. Key ambiguity: the BMI implementing ordinance defining which specific services and installations qualify as "critical" is not yet published, leaving scope uncertain for borderline operators. What defenders need to do differently: German public-sector and critical-sector organisations need to self-assess KRITIS-DachG applicability before 17 July; ISG-style 24-hour reporting obligation now applies to physical as well as cyber incidents; Swiss entities with German subsidiaries operating in scope sectors are directly affected. Cross-references NIS2 and BSI Act obligations — the three frameworks overlap operationally and require coordinated incident-response runbook design.

Qilin ransomware hits Die Linke (Germany): 1.5 TB claimed, DPA notified (~April 2026, first coverage)

From CTI Daily Brief — 2026-05-08 · published 2026-05-08

The German federal party Die Linke confirmed in April 2026 that the Qilin ransomware group (also known as Agenda, a Rust-based RaaS platform known for double extortion) encrypted and exfiltrated its systems, with the gang claiming 1.5 TB of internal data. The party's data protection officer notified the responsible Landesdatenschutzbehörde (state DPA). Die Linke issued a victim statement acknowledging operational disruption; no ransom figure has been publicly disclosed. Qilin has targeted political parties and civil-society organisations across Western Europe since 2023. This breach is approximately four weeks old but has not been previously covered in this brief series.