The changing DNA of organized crime in Europe: key insights from the 2025 EU-SOCTA

Kamile Viezelyte
Cybersecurity Content Writer
Socta2025

Organized crime is no longer out on the streets—it has seeped into the very fiber cables that keep the internet running, creating new hybrid and wholly virtual threats that require unprecedented strategies to tackle. In March, Europol published the 2025 EU Serious and Organized Crime Threat Assessment, or the EU-SOCTA. It revealed that the DNA of organized crime has been undergoing serious shifts, posing threats that may be more dangerous and destabilizing than ever before.

EU-SOCTA 2025 at a glance

The EU-SOCTA is a report issued by Europol every 4 years that assesses serious and organized crime activities in the EU and the evolution of criminal tendencies and practices. It serves as the foundation for the EU’s strategic approach toward tackling serious and organized crime.

The data is extracted from Europol’s investigations and contributions from other law enforcement partners around the globe. The EU-SOCTA helps decision-makers, whether at the governmental, business, or individual level, to set priorities and to effectively prepare for and combat serious threats.

Europol is the EU’s law enforcement agency, focusing on combating serious international crime and terrorism in all Member States. It collaborates with other EU agencies and international partners to strengthen global security cooperation and share intelligence on ongoing threats.

For the 2025 assessment, Europol gathered data from thousands of law enforcement investigations and used the expertise of EU agencies and international organizations to create the most comprehensive analysis of serious and organized crime to date.

Destabilizing the Union

The 2025 EU-SOCTA makes it clear—as the world evolves, so does the DNA of organized and serious crime. The online space has become its new home and facilitator, as criminals increasingly rely on the internet to conduct their activities.

Switching their primary headquarters to the digital world—spaces like the dark web, social media platforms, and e-commerce sites—allows criminals to utilize digital tools for more malicious attacks. Developments in the tech world facilitate speedier execution on a larger scale and make it harder to track down perpetrators, particularly those relying on decentralized blockchain systems.

The report names the destabilization of the EU as one of the biggest threats posed by serious and organized crime. Criminal organizations aim to reduce trust in the legal system and government through the spreading of violence, illicit proceeds, and corruption. They rely on digital innovations like AI to conceal their activities and make it harder to trace crime back to its source.

The offender profile: younger and more violent than before

As the way the crimes are committed shifts, so does the profile of the criminal. As the 2025-SOCTA reveals, the criminals are becoming younger, more tech-savvy, and more brutal than before. In an interview with NordPass in 2024, Adrianus Warmenhoven mentioned that people working for cybercriminals may not know the nature of their work, instead assuming they’re hired as IT consultants.

The report notes the exploitation of younger perpetrators to conduct illegal trade and commit crimes for a reward. Young recruits—including minors—are preferred as they’re more willing to conduct illicit activities without financial reward. Blackmail is often used to maintain this working relationship.

Criminals use end-to-end communication services to plan and execute their attacks. Encrypted channels make it harder to intercept communication and offer anonymity, IP obfuscation, rotating IDs, or automatic message deletion after a set period of time.

One aspect remains largely unchanged: financial interest. Criminal networks use illicit means to fund their operations, whether via corruption or money laundering. Some may be working for hire, receiving funding from larger organizations to disrupt society and conduct their activities.

Part of the shift is relying less on legal tender and more on cryptocurrencies to funnel illicit funds. Cybercriminals use blockchain technology to transfer the money as crypto, making it harder for investigators to track down or recover. Crypto technology has also been combined with malware to bolster cryptojacking, a type of attack where a device is infected and hijacked to be used as a crypto mining machine.

Threat actors tend to start with smaller misdemeanors, building up the damage over time, leading to the so-called woodpecker effect. By acting small at first, they make it harder to see the bigger picture and prevent illicit actions in the early stages of organized attacks.

As these acts grow in scale, so does the use of violence. The report notes that violence related to organized crime has spilled over into public places, with a new service model emerging. Violence-as-a-service sees actors working with state agents or criminal organizations to promote and provoke violence in EU Member States and outside their borders. It involves both physical and digital activities, such as extortion, blackmail, and psychological violence.

Hybridizing crime: the online spills into the offline

The report's title, “The changing DNA of serious and organized crime,” hints at the big shift over the years as new types of hybrid threats emerge, mixing a variety of criminal activities to maximize profits and success rates.

Europol notes a close link between the increasingly hybrid nature of serious and organized crime and recent geopolitical tensions. The intersection of online and offline criminal activities, technological advancements, and the role of state and ideological actors in these crimes create more dangerous threats and unprecedented challenges.

For criminals, each technological development is a new opportunity to increase their toolkit and create new, unpredictable threats. The internet has done a massive service to cybercriminals, who now rely on the dark web or decentralized blockchain networks to obfuscate their activities, infiltrate their targets, and participate in illegal data trades.

Some serious crimes aren’t even conducted offline anymore—every step, from the initial idea to its execution, is 100% online. In fact, Europol notes that nearly all forms of serious and organized crime have a digital footprint.

Through hybridization, criminal networks act more as proxies on behalf of other organizations or even hostile states to destabilize the EU and weaken its economy. The report lists fraud, child sexual exploitation, migrant smuggling, cyberattacks, waste crime, and trafficking of illicit goods and weapons as some of the key activities facilitated by hybrid threat actors.

Cybercrime expertise has become a requirement. Ransomware attacks have proven to be profitable, targeting high-profile businesses or government agencies. Such attacks can impact essential services, particularly those in the public sector, further sowing distrust in institutions.

The (continuous) emergence of artificial intelligence

As with seemingly all things tech lately, AI is the name of the cybercrime game. Europol lists AI developments and quantum computing among the potential accelerators for serious and organized crime, particularly given the rapid developments in these fields.

Despite their relative novelty, AI systems like large language models (LLM) and generative AI have already been put to practical use by criminal networks. Through AI tools, criminals can improve their efficiency, act more seamlessly, and perform operations that are harder to prevent or combat.

Generative AI, in particular, has been helpful thanks to its low entry level. Any criminal can put in a prompt to create a script in their chosen language, which can then be used for spoofing, creating deepfake materials, or otherwise facilitating illicit activities. AI-powered voice notes and video materials pose a high risk of identity theft.

AI has also broadened the scope of attacks even further. Although online attacks were already far-reaching, AI requires fewer resources than previously observed. Some cybercriminals have been utilizing AI to brute-force more complex passwords, making credentials that were previously considered relatively resistant to threats vulnerable.

Although quantum computing is still relatively theoretical, criminals already operate with the anticipation of its eventual practical application. Access to quantum computing may pave the way for more efficient and sophisticated decryption technology, which would make data currently protected by encryption algorithms easier to breach.

The timeliness of AI is both its advantage and its downside for criminals. Its applicability is still relatively limited, and if illicit AI use increases, developers will likely implement preventative measures. Legislation will catch up, too, as legal entities are already starting to implement policies that regulate AI usage.

For-profit cybercrime flourishes

Europol notes the emergence of crime-as-a-service, where criminals act as corruption brokers and use digital tools for profit-driven operations. Corruption remains one of the biggest threats to businesses and government institutions, “embedded in the very DNA of crime.” Due to its massive impact on economic systems, corruption is interspersed in practically every form of serious and organized crime.

Criminals rely heavily on money laundering to procure funds. The infiltration of legitimate funds for money laundering is high-risk, high-reward. Transactions require an intricate system of hard-to-trace financial systems. However, the biggest operations can generate as much as billions of euros, making them an intrinsic part of serious and organized crime.

Crime-as-a-service is favored by state actors. It can help sanctioned states circumvent financial embargoes. In exchange for illicit services, criminals may receive a safe haven in the state that hired them. Criminals—particularly those working fully online—receive access to resources funded by the state to conduct disinformation campaigns or supply chain disruptions. This grants state actors plausible deniability, as attacks are conducted by proxy, and the state’s involvement may be too obscure to be proven.

Social media accounts have also been broadly utilized for serious and organized crime, especially on political grounds. Criminals may create fake social media accounts—often referred to as troll farms—to spread misinformation or propaganda, manipulate the newsfeed, and further instill doubt and confusion.

Cash-intensive businesses are the target

Although it may appear that government agencies are all criminals care about, small and medium-sized businesses are just as lucrative as targets for serious and organized crime. In fact, the report lists business email compromise fraud as one of the most effective ways to extract data.

According to the EU-SOCTA, all business sectors are potentially at risk of being infiltrated or exploited by criminals. However, the 3 most affected sectors are construction and real estate, hospitality, and logistics.

In some cases, data holds more value than money. It’s treated as a commodity and is at the forefront of illicit trade. Its value is in its reusability. Possession of valuable information puts a massive target on the potential victims’ backs. If stolen, strategically important data can be sold for espionage, economic advantage, or used for coercion.

Large-scale data breaches often involve login credentials dating 5 years back or older. This puts breached organizations in a particularly vulnerable situation—they may not know that their data has been compromised until years later, when a folder containing terabytes of sensitive information suddenly appears on a dark web forum.

Europol emphasizes that protecting the victims is essential to successfully tackling serious and organized crime. One key way to achieve this is cutting off the funding source for serious and organized crime at its root. Although recovering assets can be complicated, shutting criminals out from accessing them in the first place has proven to be effective. Asset recovery has proven to deter cybercriminals from pursuing further operations, as they can’t reintegrate stolen assets into the mainstream economy.

How can you improve digital defenses against serious and organized crime?

The 3 core pillars of the new DNA of serious and organized crime are:

  • Destabilization of society through illicit proceeds and the use of proxies.

  • Nurturing of crime in online spaces.

  • Acceleration of crime thanks to AI and other emerging technologies.

The 2025 EU-SOCTA can paint a grim first impression of the current threat landscape. However, the situation is not hopeless. This research doesn’t just help Europol discover malicious agents faster and with more precision—it indicates the potential future trends, allowing businesses and individuals alike to prepare for evolving risks.

For businesses concerned about serious and organized crime, one of the best ways to stay protected is to conduct transparent operations in accordance with legal requirements and compliance policies, such as ISO-27001, NIST, or NIS2. Upon detecting suspicious activities that could be caused by serious and organized crime actors, companies should contact their legal authorities immediately.

Employee education also goes a long way. Ensure your organization is practicing proper digital hygiene and adhering to a strong and flexible password policy and secure credential usage and sharing norms. Keep your team aware of emerging threats, common scam tactics, and risks posed by AI-powered technologies.

Hybrid problems require hybrid solutions, and Nord Security offers you exactly that. Start proofing your business against complex cybercrimes with a custom-tailored cybersecurity bundle of NordPass, NordStellar, and NordLayer.

  • NordPass is a password manager that helps organizations handle and share sensitive data without compromising its integrity.

  • NordLayer is a network security, threat detection, and response platform that integrates seamlessly with any technology stack.

  • NordStellar is a threat exposure management platform that monitors the dark web, helping organizations stay ahead of cyber threats.

If you’re new to NordPass, make sure to get in touch with our team at [email protected] to claim a bundle deal with other Nord Security products. And if you’re already on board with NordPass, contact us to learn more about a special NordStellar and NordLayer offer for your organization.







Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.