Author: Robert Brestan, HlidaciPes.org
Ransomware and DDoS attacks are the most pressing cyber threats facing the Czech Republic, according to the National Cyber and Information Security Agency (NÚKIB). The agency notes that “Russian hacktivists are punishing us for supporting Ukraine.” Meanwhile, scams targeting individuals and businesses are on the rise, with cybercriminals increasingly successful in draining bank accounts.
Until recently, Czech government agencies and ministries operated their official websites across some 350 different domains. “Many of these addresses were quite obscure, remnants of the 1990s,” says Martin Charvát, head of communications for Digital Czechia.
By year’s end, all are set to transition to a unified format under the gov.cz domain—190 have already fully migrated, with 85 partially completed. While the state expects this shift to enhance clarity, credibility, and security, it has also caught the attention of fraudsters.
“Dozens of fake websites with ‘gov’ in their addresses pop up daily, used for phishing and other online scams,” Charvát warns. “It’s a transitional phase, but having a single domain is easier to secure than protecting 350 different ones,” he adds.
Theft, Extortion, and Retribution
NÚKIB reports a steady rise in cyber incidents, with a fivefold increase in reported cases between 2018 and 2024. “This is tied to IT advancements, digitalization, and the growing number of institutions required to report incidents. However, the severity of these incidents has been decreasing over time,” says NÚKIB analyst Kryštof Havelka.
A further surge is expected with the adoption of a new cybersecurity law, which will expand the range of entities obligated to report incidents.
“In Belgium, for example, the implementation of the NIS 2 directive led to an 80% increase in reports,” Havelka notes. The main domestic threats are “ransomware gangs and DDoS attacks by pro-Russian activists.”
Ransomware groups steal and encrypt data from companies or institutions, demanding ransoms to restore access. “We’re seeing a slight uptick, with about four to six attacks reported monthly, though the real number is likely higher,” Havelka says, emphasizing that “NÚKIB strongly advises against paying any ransoms.”
Three years ago, the Czech Directorate of Roads and Motorways faced a major ransomware attack, with hospitals and schools also among the targets. DDoS attacks, which overwhelm websites or online services with fake traffic, have spiked since Russia’s invasion of Ukraine in February 2022.
“New hacktivist groups have emerged in Russia, declaring cyberwar on the West to punish us for supporting Ukraine. These attacks typically cause brief website outages and serve as propaganda. While primarily non-state actors, they operate with the knowledge of state authorities, indirectly serving the Kremlin,” Havelka explains.
When a “Banker” or “Police Officer” Calls
Businesses and individuals are also prime targets for online scams, particularly those using WhatsApp, where fraudsters pose as bankers or police officers claiming to “protect” people’s money from misuse while tricking them into sharing bank card or online banking credentials.
According to Zuzana Pidrmanová, head of the Crime Prevention Department at the Czech Police, cybercrime peaked in 2022 and 2023, with a slight dip last year but a renewed upward trend in 2025. “We saw around 20,000 cybercrimes in 2022, but many attempted frauds don’t even make it to the statistics because banks often intercept them,” she says.
The average loss from account theft is roughly 440,000 CZK. “Losses range from 500 CZK to as high as 3.6 million CZK in one case. And it’s a myth that having an empty account keeps you safe—once attackers gain access to your banking credentials, they can easily take out pre-approved loans in your name,” Pidrmanová warns.
She also cautions against schemes promising easy money for allowing one’s bank account to be used for transferring funds domestically or abroad. “Laundering proceeds from criminal activity is a crime, punishable by at least one year in prison—even if done negligently.”
