Europol's 2025 SOCTA reveals the growing areas of organized crime and the latest tactics offenders are employing in Europe.
On March 18th 2025, Europol released the European Union’s Serious and Organised Crime Threat Assessment (SOCTA). The EU’s SOCTA is released every 4 years and covers critical areas of crime that the union’s law enforcement and policy-makers should pay attention to. The report is based on Europol’s investigations, along with information from other EU agencies and international partners, and the private-sector.
In the foreword, the Executive Director of Europol, Catherine De Bolle, explained the impact of the assessment. “The insights provided by the EU-SOCTA 2025 will shape strategic decision-making, operational priorities, and legislative developments to strengthen the EU resilience against serious and organised crime. Addressing this evolving threat landscape demands continuous innovation, enhanced collaboration, and long-term engagement. Together, through intelligence-sharing, strategic and technological adaptation and decisive joint action, we can turn the tide against serious and organised crime.”
The three main findings of the 2025 SOCTA were that serious organized crime is:
- Destabilizing society: Through internal work (think corruption, money laundering and criminal exploitation) and external work (collaboration between organized criminals and hybrid threat actors), criminals have hurt the EU economy, critical infrastructure, and diminished trust in public institutions with disinformation campaigns. This week, Bitdefender highlighted a hybrid threat: RedCurl, a threat actor known for their corporate espionage that recently crossed over to ransomware with unclear motivations. The emergence of these hybrid threats may be connected to shifting geopolitical tensions (which aligns with RedCurl allegedly being a Russian-speaking group).
- Nurtured online: Digital infrastructures have become an essential part of many crime networks, as they provide anonymity, security, and the ability to work without meeting in-person. Encrypted communication tools are necessary for several activities, ranging from sexual exploitation, to sales of illicit substances, and of course, cybercrime. Data has become an increasingly attractive target to threat actors, who may use ransomware, Distributed Denial of Service (DDo) attacks, email fraud and phishing schemes, and extortion to access sensitive data.
- Accelerated by artificial intelligence (AI) and other new technologies: AI reduces the technical skill required for digital crimes, while making extortion, disinformation, and identity theft much easier with factitious but realistic media. AI also allows for far-reaching cyber attacks to be organized and launched at once, increasing efficiency for threat actors. Other technologies, like cryptocurrency, CCTV surveillance, drones, GPS and 3D printing are similarly being used by criminal networks.
The assessment also covered the emerging and growing tactics of organized crime, centering on criminal finances and money laundering, exploitation of legal business structures, corruption, violence, and the criminal exploitation of young perpetrators (more and more networks are recruiting younger participants for acts ranging from money laundering to violence, in order to hide from law enforcement - others are grooming children specifically for sexual abuse and more acts of cruelty).
Cyber attacks are the primary issue discussed in the chapter on the EU criminal landscape. The SOCTA describes the appeal of attacks on critical infrastructure: “Cyber-attacks targeting critical infrastructure, governments, businesses and private citizens are highly threatening and impactful due to a broadening attack-surface, and data theft acquiring a central role. Lines are further blurring between profit-oriented and ideologically-motivated cyber-attacks, and the cybercrime landscape is further fragmenting.” Political and ideological reasons have clearly become a driving force behind more cybercrime. Countries like Russia and Iran have tried to interfere in the Olympics and elections in the US, with Russia also taking actions against countries in the EU.
The investigation also found that the increasing use of digital service providers like the cloud, e-mail, and virtual privacy networks (VPNs) makes supply-chain attacks more probable. Attacks based on malware, like ransomware, continue to be a pervasive concern for data security in Europe. Ransomware attacks have become both more impactful and targeted, with organizations in critical infrastructure sectors like healthcare, along with small and medium-sized businesses weathering a new wave in recent years. Data continues to be a significant commodity in the malware space - supporting attacks, motivating them, and even being the by-product of the attacks. Still, the main driver of cyber attacks is financial gain.
The 2025 SOCTA concludes the report with a reflection by the Academic Advisory Group, whose insights were also credited in the foreword. The conclusion emphasizes the value of this SOCTA as a “strategic asset for law enforcement”, as the latest edition of the assessment comes from more research than previous versions. In the press release, Catherine De Bolle echoed the sentiment: “Breaking this new criminal code means dismantling the systems that allow these networks to thrive – targeting their finances, disrupting their supply chains and staying ahead of their use of technology. Europol is at the heart of Europe’s fight against organised crime, but staying ahead of this evolving threat means reinforcing our capabilities – expanding our intelligence, operational reach and partnerships to protect the EU’s security for the years to come.”
While the assessment does not explicitly lay out what “reinforcing our capabilities” would mean for the EU, the 100-page document does lay the groundwork for what areas law enforcement in Europe should monitor and the trending tactics used by criminals and threat actors alike.