Bureaucratic initiative redefines German law enforcement cyber operations
The logo of Germany’s federal criminal police, the Bundeskriminalamt (BKA), has been a fixture of recent law enforcement announcements of successes in disrupting malicious cyber activity. The agency participated in internationally coordinated takedowns of a series of dangerous malware networks: Qakbot, LockBit, Moobot, and Smokeloader.
Despite the high level of activity, legal ambiguity around the BKA’s powers prevents the organisation from proactively combatting threats. In 2021, a change of government stymied plans that would have allowed the BKA to dismantle criminal control nodes used to stage ransomware attacks and distribute other malware. The organisation has therefore relied on a reinterpretation of search-and-seize rules to actively degrade cyber threats. This leaves the BKA with unusual latitude in shaping Germany’s approach to law enforcement hacking.
Clarifying powers
Aside from one high-profile case, the BKA has released few details about its own specific technical contributions in international takedown operations. One reason might be the need to clarify law enforcement powers. In 2021, the BKA reported the successful neutralisation of Emotet malware on at least 53,000 infected systems inside and outside German borders. In the globally coordinated effort, law enforcement apprehended an administrator in Ukraine and gained direct access to an unlocked control panel of a cybercrime network. This allowed the BKA to access compromised systems from Emotet command-and-control servers and identify victims.
In a briefing on the operation to the Internal Affairs and Community Committee of the German parliament, BKA President Holger Münch described the raid as a seizure by technical means. The operation quarantined installed Emotet versions, effectively neutralising the threat, but Münch noted that the raid was meant to collect information and use these findings in investigative and criminal proceedings.
Even though technically feasible, the federal legal framework provides no basis to clean up victim systems (such as the Emotet quarantining), a measure that would be considered an emergency response (Gefahrenabwehr, in German). Constitutionally, police action to avert danger is the remit of state police. The BKA, by contrast, is tasked with criminal prosecution. Under this distribution of power, operations that remove malware without prosecution objectives lack a clear legal framework. As the BKA’s actions in the Emotet case show, currently, the deactivation of malware is only possible in combination with efforts to secure evidence and is, legally, considered a side effect.
From an operational standpoint, Münch saw targeting and dismantling criminal infrastructure as a crucial strategy for law enforcement to combat Emotet. By pushing the boundaries of emergency responses, the Emotet takedown revealed the limitations of the BKA’s jurisdiction.
Reconciling these competing legal and operational assessments to create a unified mandate for federal emergency response would require a change in the constitution – a possibility raised in the BKA’s debrief to parliament in 2021.
Operational powers
Germany’s first-ever National Security Strategy (NSS) picked up this call in June 2023, when it noted the government’s commitment to establishing a federal-level competence through an amendment to the constitution. A similar constitutional revision related to emergency response powers was passed in 2006 to give the BKA the authority to avert threats from international terrorism.
One year after the NSS, a second strategic planning document appeared to dial back this ambition. In June 2024, the Framework Guidelines for Total Defence (RRGV) were updated to replace a Cold-War-era version adopted before the reunification of Germany.
For cyber defence, the document repeats the NSS verbatim in highlighting the need to detect cyber threats early and respond to them as they unfold. It calls for closer collaboration on emergency responses and federal support in other areas, such as disaster management. However, the RRGV makes no mention of plans to reorganise responsibilities for emergency responses in cyberspace.
Political roadblocks
The initial momentum for revising the constitution has also stalled because of changing politics. Any amendment requires a two-thirds majority in both chambers of parliament, where the ruling coalition relies on support from the opposition, specifically the Christian Democrats (CDU).
The CDU was in government during the Emotet takedown, and some of its members had expressed support for strengthening the BKA’s mandate. However, in early 2024, the party, now in the opposition, declared that there was no ground for collaboration with the government.
For its part, the government has dismissed working with the far-right party AFD, the only other partner whose votes would make up the required majority. Besides, the AFD is monitored as a suspected extremist organisation, further disqualifying it as a partner.
In the Bundesrat, the upper house of parliament that convenes state governments, CDU-affiliated governments hold the majority and are unlikely to lend support to the federal government. In addition, states that have well-funded criminal police forces are equipped to collaborate internationally on emergency responses and are less dependent on federal coordination. These states are concerned about transferring competencies to the federal level.
As a result, three years after the Emotet takedown, the BKA still needs to find ways in existing law to combat cybercrime effectively.
Erring on the side of bureaucracy
The BKA’s emergence as the contender for taking on responsibilities to disrupt cyber threats, despite constitutional hurdles, reflects the difficulty of coordinating action among Germany’s sixteen states. For example, in the past, the BKA struggled to act on offers from international partners to neutralise hijacked systems in Germany because it needed to get the green light from all states. A centralised emergency response mandate would streamline this decision.
Unlike in the United States or close European partners such as the United Kingdom, France, and the Netherlands, intelligence and law enforcement agencies in Germany may not regularly exchange data. They are governed by the principle of separation of information (Trennungsgebot). These provisions trace their origins to a decision by the military governors of the West German occupation zones in 1949, which allowed the creation of a domestic intelligence service on the condition that it would not receive executive powers.
As a result of this separation of powers, threats from foreign powers and criminals today fall into the purview of two different federal agencies – the BfV, Germany’s domestic intelligence service, and the BKA. In contrast to the emergency response responsibilities (Gefahrenabwehr) discussed with respect to the BKA, German intelligence services are tasked with reconnaissance to detect, analyse, and prevent threats (Gefahrenvorsorge). As part of this mission, the BfV is also tasked with identifying cyber operations by foreign threat actors that are conducted through infrastructure in Germany against targets abroad.
In line with this focus on counter-espionage and state-backed threats, the BfV acted as the point of contact for the FBI in January 2024 to stop the hacker group APT28, which is linked to Russia’s military intelligence service GRU, from accessing a fleet of hijacked devices, the Moobot botnet. Criminal actors had first commandeered these routers by infecting them with malware. Taking advantage of this foothold, GRU hackers were able to turn the botnet into a tool for espionage.
Cases like this take-over of infrastructure controlled by criminals show that a distinction between criminal and state-nexus threats is less clear-cut in practice than agency mandates might suggest.
To effectively defend against such threats that blend criminal and state elements, interagency coordination will remain a high priority within the German system, even if emergency response authorities are elevated to the federal level. The BfV had to coordinate with a network of 34 agencies in the Moobot case.
Formalising the mandate
Against this background, formalising the mandate for emergency response at the federal level has the potential to simplify coordination. Clearly designated responsibilities can strengthen democratic accountability through greater transparency.
At their core, takedowns such as Emotet and Moobot demonstrate the superiority of international law enforcement cooperation over secretive threat actors who may join forces for financial gain but are prone to conflict and mistrust.
To constrain threat actors, bureaucratic initiatives to overcome coordination challenges may seem like a tempting quick fix. Ultimately, however, clear institutional mandates that enable international collaboration and judicial oversight need to be the foundation to leverage and sustain this advantage.
Funding for the research presented in this article was provided to ECCRI by UK Research and Innovation (UKRI), as a member of the consortium for the Horizon Europe project Reigniting Multilateralism Through Technology (REMIT). REMIT research is conducted under the umbrella of the European Union’s Horizon Europe research and innovation program, grant agreement No 101094228. UKRI’s support to the project does not necessarily represent an endorsement of its findings. The views expressed in this article are those of the author.