The latest Q2 2025 threat protection report from NordVPN, which is a familiar Virtual Private Network (VPN) provider, has revealed that the UK now ranks third in the world for the number of cyberattacks it attracts – having seen a surge of 103 million incidents (up by 7% in Q1) of malware being sent to Brits via emails and texts, malicious sites and infected attachments etc.
First things first, NordVPN has a clear vested interest here as the data gathered for this report – between 1st Jan 2024 and 1st July 2025 – comes from their optional cybersecurity solution (‘Threat Protection Pro’), which is often an incentive to make the situation look as bad as possible to help drive sales. But the data itself does still carry some interest.
The UK follows only the United States (2.91bn total malware incidents) and Canada (1bn) in the global rankings for malware activity. But while the US saw more attacks overall, the UK’s concentration of malware per user remains one of the highest. For example, in the USA there were 1,281 incidents by device per month during Q2, but in the UK this hit 1,473. The UK also attracts much more malware than any other European country.
The main reason for this is that the UK has always been disproportionately big when it comes to its digital economy, including high smartphone use, widespread online banking, and a population that shops, works, and socialises online more than ever.
European Countries Most Affected by Total Malware Incidents (H1)
1. United Kingdom 1.05bn (1,473)
2. Germany 355m (661)
3. France 322.6m (521)
4. Netherlands 322.4m (1,272)
5. Norway 286m (4,044)
NOTE: The figure in brackets represents incidents by device per month.
The data also reveals that Google is the most impersonated brand (32,420 fake web page addresses were associated with it), followed by Yahoo! (17.3k), Telegram (3.75k), Steam (3.74k), Outlook (3.59k) and Amazon (2.25k). Meanwhile, the web domain categories that attract the most malware include video hosting (2.17bn blocked malware incidents), streaming (2.13bn), content delivery (1.89bn), file sharing/storage (1.79bn) and entertainment (1.03bn).
Finally, the most commonly blocked malware during the first half of 2025 was identified as the APC (Advanced Persistent Cyber) virus and its many variants (e.g. APC.AVAHC, /APC and APC.YAV), which often targets system configurations and automated processes to cause disruptions. NordVPN said they blocked 717k “attacks” using this malware, which is significantly more than the next closest malware (the Redcap.ovgfv trojan – 43,298 attacks intercepted).
To expand on the “video hosting” category: “Some web domain categories are particularly prone to harboring malware, with over half of all malware blocked by Threat Protection Pro™ coming from pages with adult content.”
The same websites to whom the government now expects us to hand over personally identifying documents, btw. What could go wrong…
I do find the numbers a bit incredulous though. 1500 per month per device! That’s 50 malware blocks a day per device. Although perhaps this indirectly tells us what their customers are mainly using the service for! It’s hard to believe this is representative of everyday internet use.
I don’t know, on the per month figures, this partly depends on how deeply they’re inspecting such traffic. Anybody who connects to the internet will be under daily probes and attack attempts (most of which are automated). But these days most of those don’t actually get through to the end-user – they may not even make it as far as your phone/computer (protection by the OS, network layer or router, as well as AV software / firewalls etc.).
You’re of course correct that end-users will encounter malware much more if they surf across dubious content/sites/servers, but even if you don’t, it’ll still be constantly trying to find a way into your system/home network. If anything, I’d say 1,500 per month seems low, if you take a more holistic view of malware traffic in general. But NordVPN is usually implemented at device level, thus it’ll be scanning javascript and URLs rather than at the main network or router layer.
My AdGuard on my Flint 2 router blocks on average 22 thousand DNS queries on my devices in a 24 hour period. Only me and the wife use the Wi-Fi and we don’t use it for anything dodgy.
A large percentage of these are from the fire stick alone.
It’s crazy times where all these companies want to track everything you do.
Seems to be the norm these days, even offline.
Gets annoying to be honest.
Doctor is gonna tell you that you need a doctor.
Lawyer is gonna tell you that you need a lawyer.
A hooker is gonna tell you that you REALLY need a hooker!
You mean that $2 million dollar inheritance that I’ve got coming from Nigeria isn’t real?
So is this saying everyone’s antivirus protection in the UK is deficient? I am not sure what this is trying to warn against? Is this a warning saying don’t use Windows defender?
Wealthy first-world countries most targeted by malware.
Also in other news, the sky is blue.
Russia’s enemy number 1. Does this surprise anyone?
disencrypt I would like access do my its please all I would like to read my that used to phone everything let me back online please VPN without
Standard encryption (TLS disencrypt