Einhaus Group, a German mobile phone insurance, repair, and logistics company, has disclosed the financial impact of a ransomware attack in 2023.
At its peak, Einhaus operated in over 5,000 German retail stores, partnering with major telecommunication companies like Deutsche Telekom and 1&1 and generating up to 70 million euros in annual revenue. However, in 2023, a ransomware group named ‘Royal’ infiltrated the venture’s systems and encrypted critical data, including contracts, billing, and communications, leaving the company battling to make up losses thereafter.
The attackers halted operations and locked down the systems by using office printers to leave messages alerting the company to the hack.
As per Wilhelm Einhaus, the inventor of cell phone insurance in Germany (and the founder of the Einhaus Group), the attack happened in spring 2023.
“I came into the office in the morning, and there was a printout on every printer: We’ve hacked you. All further information can be found on the dark web,” Einhaus told WA.de in July 2025. No computer or server could boot up anymore.
“The perpetrators had planted the ‘Royal’ ransomware and encrypted all systems – including contract, billing, and communication data. They demanded a ransom in cryptocurrencies – in this case, Bitcoin. Access to critical data was completely blocked, and daily business operations came to a standstill within hours,” WA.de stated.
Einhaus contacted the police, and the State Criminal Police Office was quickly brought into the investigation. The public prosecutor’s office in Verden an der Aller, which specialises in cybercrime in the state of Lower Saxony, is currently investigating the incident. Three suspects have now been identified, with details emerging about other companies being harmed. However, the company was forced to pay a large ransom to the hackers to restore access to the data. Central data processing was disrupted for months.
Premium and commission settlements with insurance partners could not be processed properly, and the entire claims processing had to be switched to manual procedures. This resulted in delays and lost revenue. The company’s revenue losses and operational delays in the ensuing months totalled millions, pushing the total damages into the mid-seven-figure range, ultimately bringing about Einhaus Group’s downfall in the form of insolvency.
“To generate short-term liquidity, the company property on Romerstrasse was sold in mid-2024, among other things. Capital investments were liquidated, and the workforce was reduced from over 100 employees at the time of the cyberattack to just eight. Particularly irksome for the Einhaus Group: crypto assets in the high six-figure euro range, discovered and seized by the public prosecutor’s office during the investigation, have not been repaid to the group. This is the main reason for the impending collapse. The fact that we, as the proven victims, are not recouping the extorted funds, even though they have been confiscated, has derailed our restructuring efforts,” WA.de reported.
The ransom-paid cryptocurrency was seized by public prosecutors, but it was never returned to Einhaus, preventing the company from completing a full recovery. Since then, German cybercrime investigators have identified three suspects. To offset some of the losses, Einhaus had to sell off real estate and investments after being forced to reduce its workforce from a peak of about 170 to just eight since the ransomware attack.
The mobile phone repair services have been discontinued, and three businesses under the Einhaus Group, including 24logistics, have declared insolvency.
The Einhaus Group has joined the growing list of businesses forced to close due to ransomware attacks, including Finland’s Vastaamo, the United Kingdom’s Knights of Old transport company, and Stoli USA. Cyberattacks are becoming more frequent and increasingly costly.
Additionally, Arctic Wolf reported a surge in ransomware activity in late July 2025, targeting SonicWall firewall devices for initial access. In a short period, multiple pre-ransomware intrusions were identified, all involving VPN access through SonicWall SSL VPNs.