Reviewing EUROPOL’s SOCTA Report
In an interview given by CyberLeaders in their last report Confiance 5.0 (2025), Vice-director of operations at Europol Jean-Philippe Lecouffe, declared that “Though Europol traditionally identifies three families of cybercrime : ransomware & DDoS ; Online Identity theft and CSAM (Child Sexual Abuse Material) ; our society being increasingly digitized, we tend to struggle to draw permanent lines between the different cyber-fields […] When a tremendous drug smuggling organization uses digital communication, isn’t that considered as cyber?” Indeed, within the years, we tend to see cybercrime taking a swelling share of cybercrime in serious organized crimes. Eurojust’s 2023 Annual Report indicates that more than 80% of criminal networks active in the EU use legal business structures to facilitate and disguise crimes, including cybercrime. Additionally, over 70% of these networks employ corruptive methods to obstruct law enforcement or judicial proceedings. Thus, EU’s internal security being threatened by new and traditional issues such as weapon, drug and migrant-smuggling, illegal immigration, violence in various forms and environmental crime is put to test into its geographical space – and as we know in its cyberspace because of the cybercrime landscape we’re going to explore. However, where do we draw the border between traditional [land] crime and cybercrime landscapes? Is there an actual line between mappable space and cyberspace?
Recently, EUROPOL has published its SOCTA (Serious and Organized Crime Threat Assessment) report. After having introduced the stakes of organized crimes and how it affects society as well as the digital world, this report explores the special tactics criminals use and the criminal landscape in Member States territories as well as in its cyberspace, with studying the geography of criminal networks. SOCTA report, released every 4 years, remains a comprehensive analysis of law enforcement information on serious and organized crime affecting the EU.
Through the report, besides the spun metaphor of the DNA notion in cybercrime, a thought-provoking matter is in the spotlight brought by the authors’ feathers: the room taken by cybercrime in serious organized crimes. Furthermore, how AI and advanced technology now drive traditional crimes in Europe’s geographical space. Through reporting Europe’s main cyberthreats Europol and other Police authorities are dealing with, this reflection will be dedicated to questioning to what extent the EU turns out to become increasingly threatened within its own borders via the digital area.
- Cyberthreats and cyberattacks, increasingly state-aligned and ideologically motivated, directly polluting European cyberspace
In our current evolving context, we are realizing that crime and cybercrime dynamics are predominantly a matter of international power relations and strategic state behavior. It remains often unilateral (sometime multilateral) dynamics, where outside of the EU boundaries, cyberattacks ‘are increasingly directed by networks and agents based’. Though Russia traditionally remains the leading country in cybercrime – with a WCI score of 58.39/60 (World Cybercrime Index), Ukraine follows (36.44), then China, U.S.A. and Nigeria with serious dynamics. The only countries where this index exceeds 2 are Poland and Germany (with respectively 2.22 and 2.17). In Europe, in 2023, locations aimed by cyberattacks turn out to be southern Germany, the UK, most densely populated regions of France and of course northern Ukraine (where the 2 leading cities of the country are located) – in the context of the ongoing war. Thus, the observed situation is, as mentioned in EUROPOL’s report, a significant increase in politically motivated cyber-attacks against critical infrastructure and public institutions, overall originating from Russia and its sphere of influence.
Besides public institutions, organizations and companies, European citizens’ online identity theft (OIDT) is put at stake since it appears as the first door to their home. It is the first step to stealing their wallet – OIDT gives criminals access to personal information like names, passwords, and banking details. For instance, phishing emails or fake websites are common tools for stealing identities. Once personal data is extracted, it can be commodified and resold within the thriving Crime-as-a-Service (CaaS) economy, often enabling more complex fraud schemes.
Frauds against payment systems represent another critical vector of attack. The transition from physical skimming to digital skimming highlights a shift in tactics — from bank machines to back-end servers and e-commerce infrastructures. Malware is tailored to target card-not-present transactions, while SIM swapping is increasingly used to bypass authentication. Such methods are closely tied to stolen identity credentials, underscoring the cross-cutting nature of OIDT in facilitating more elaborate scams. Business Email Compromise (BEC) attacks exemplify the operational sophistication of threat actors: emails and invoice documents are forged with precision, aided by AI and large language models (LLMs), allowing criminals to impersonate executives and trigger fraudulent transfers with growing ease.
As well, DDoS (Distributed Denial of Service) attacks and malware turn out to be key components of the Crime-as-a-Service (CaaS) market. DDoS is now used in “triple extortion” schemes, adding service disruption to data theft and encryption. Malware — including droppers and info-stealers — is enhanced by AI to evade detection and exploit system flaws. These tools, sold in ready-to-use kits, amplify the scale and impact of cyber-attacks across Europe.
One of the most disturbing evolutions in the European cyber threat landscape is the escalation of (online) Child Sexual Exploitation (CSE). The scale and severity of Child Sexual Abuse Material (CSAM) distribution has reached unprecedented levels, now increasingly driven by generative AI. Synthetic CSAM — fully AI-generated imagery or deepfakes of minors — introduces new ethical and forensic challenges. These materials are shared across both surface and dark web platforms, creating international, encrypted communities that further normalize the abuse.
Thus, this worrying direct organized cybercrime landscape in Europe underlines the work still to be done in terms of cyber-resilience and cyber-defence. Though, this remains only the outward manifestation of deeper systemic dynamics – as technology, in particular AI, is increasingly used in traditional serious organized crimes.
- Serious organized crimes enhanced by technology and AI
Indeed, this phenomenon turns out to be true in particular in firearm trafficking in Europe, which, according to this Europol’s study, poses a critical threat to EU’s internal security – taking account of recent changing dynamics of its black market.
These dynamics radiate westward from the East. Coming from outside EU’s member states borders within Europe, in some Western Balkan Eastern Europe states and like Bosnia or Ukraine, illegal firearms and explosives pass through Slovakia and Bayern region until arriving to Belgium, Denmark, or Marseille. Given the current geopolitical climate, the situation shows no signs of abating as the ongoing war in Ukraine also involves drones and other recent war-technologies. Additionally, and overall, AI is very likely to enhance access to and the precision of weapon designs for 3D printed weapons. It eases the production of homemade metal firearms parts and enables more knowledge of weapon conversion. Furthermore, an increasing number of manufactured firearms are made privately, which, according to Europol, eases its printing and its spreading. Via darknet marketplaces like AlphaBay for example and even via some classic messaging apps, firearms and 3D printed pieces are transiting through the continent, its internal and external borders. Thus, this illicit network, though physically recurring on land, turns out to be increasingly managed and enhanced in the cyberspace.
In the same dynamic, though less evident, migrant smuggling takes a considerable part of the insecurity landscape of our continent. Also geopolitically-related, hybrid threat provider and overall digitalized [to some way], migrant smuggling network puts at stake the integrity of EU’s member states violating its borders. But how can this particular organized crime become digitalized as we’re talking about people illicitly going through our borders, “helped” by criminal networks? As always in the cyberspace, this is all about information transmission. Via applications and online platforms, routes are now mapped out for migrants using open-source geospatial data and money transfers are operated online. This market isn’t taking to its end by soon, as the demand is highly growing. Furthermore, criminals use geopolitical motives in instrumentalizing irregular migrants – a striking example that provides SOCTA report shows how criminals appeal migrants by paying them large amounts of money (equivalent to 3 to 5,000€) for diverse services provided. Coming from Iraq towards western Europe via Russia and Türkiye, illegal migrants deal with smugglers’ modus operandi that directly, via digital platforms and other means (digital or not) are directly contributory [not in their will] to the crime-as a service (CaaS) market. This criminal ecosystem now thrives online: smugglers advertise via Telegram or WhatsApp, using fake job offers to recruit. Encrypted apps, VPNs, and even AI-generated documents ensure anonymity and security. Payments are handled through cryptocurrencies, often laundered via digital networks. Unknowingly, migrants fuel a broader crime-as-a-service economy, where digital tools amplify reach and resilience. Unwittingly, migrants’ movements are not only geographic but also embedded in a digital landscape as their journey takes place in cyberspace as well.
- What actual border between land-space and cyberspace?
But where on earth [and it’s worth saying] can we draw an actual line between mappable space and cyberspace, in particular in this worrying serious organized crime landscape ? How, first, is comprehended cyberspace; what’s more, at the European level?
The European commission’s defines cyberspace as “the virtual global and common domain within the information environment consisting of all interconnected and interdependent networks of global, organizational and national information infrastructure, based on the Internet and telecommunications.” Therefore, cyberspace, geographically speaking, is an area from a dimension that to some extent, breaks the rules of traditional geo-referenceable and multi-scale territories. Though being incorporated physically by evolving machines and technologies it remains a “non-place”[1] as it is functional, transitional, and disembodied to some way. Cyberspace is being represented in 4 layers[2].
- Physical (backbone of the internet): all the material on which internet depends. Marine cables. Those infrastructures are geo-referenceable.
- Logical infrastructures: services for transmitting data between two points on the network, i.e. for moving information, broken down into small packets, from sender to recipient.
- Applications, which are user-friendly computer programs that enable anyone to use the Internet without knowing anything about computer programming (Web, e-mail, social networks, search engines, etc.).
- Semantic and cognitive: layer of users, discussions and exchanges in real time around the world, the most difficult to capture and represent from a geographical point of view.
In this sense, the boundary between space and cyberspace becomes increasingly porous: cyberspace both relies on physical infrastructures rooted in geographic space, while simultaneously escaping traditional spatial representation through its abstract, cognitive layers. Thus, in the field of serious organized crime, the line is not drawn — it is blurred, constantly shifting, and fundamentally hybrid. A striking example is the use of AI-powered voice cloning by criminal groups to impersonate executives or family members in virtual kidnapping scams or CEO fraud, deceiving victims into transferring large sums of money across borders — all without physical contact, yet with real-world consequences. This illustrates how cyberspace becomes a criminal environment in its own right, intertwined with but no longer confined to traditional geography.
Thus, that is why this current stage we’re going through in defending our cyberspace is critical, crucial. Though being comprehended, to some way, as a non-place, it remains vital to protect it, as it is, in this such particular dimension, our home, our ethos. Able to be represented in several scales, even the individual one, it is our duty to prevent our online identity from violation, from personal and particular scope to the European one. Though this idea of blurred limits between space and cyberspace, Europol’s SOCTA report, with its conclusions of the current serious organized crime landscape will have allowed us to understand the importance of advanced technologies in such crimes – [traditional] crimes we could even to some extent qualify cybercrime as it increasingly comes from [or at least enhanced] in the cyberspace.
PSC-Europe
Sources:
Eurojust’s 2023 Annual Report, European Union Agency for Criminal Justice Cooperation
Exploring the global geography of cybercrime and its driving forces, Shuai Chen and al.
Mapping the global geography of cybercrime with the World Cybercrime Index , Miranda Bruce and al.
European Crime Prevention Network , EUCPN
Confiance 5.0 report, CYBERLEADERS
[1] Non-place (“non-lieu”) as anthropologist Marc Augé explains it in 1992 in Non-lieux : introduction à une anthropologie de la surmodernité
[2] According to Frédérick Douzet in La géopolitique pour comprendre le cyberespace