IANAL but the few cases I'm aware off have all been thrown out. The hacker tool provision in question starts out from a position of intent [0] (which was part of why a high profile case where a journalist sued themselves was thrown out). I'm honestly not aware of a case where this was successfully applied in court since it's inception in 2007. I might have missed some smaller stuff over the years but as long as you're not actively advertising your make-pretend "dual use" malware exclusively on the dark net you'd likely be fine. Germany's supreme court has relatively early on argued on a pretty strict interpretation of the paragraph (according to various publications related to [1] back around 2010).

There have apparently been a few search warrants that referenced it but otherwise it's pretty much the toothless tiger you'd expect from a country that relies on potentially "dual use" software the paragraph would likely apply to in wider interpretations (or at least seems to be in constant talks with spyware manufacturers for their own executive branches).

[0] https://dejure.org/gesetze/StGB/202c.htm

[1] https://dejure.org/dienste/vernetzung/rechtsprechung?Text=2%...

edit: Okay, apparently I've missed a few [3] where it was actually applied. Maybe don't spy on people using keyloggers, but I'm sure other laws cover that part as well.

[3] https://dejure.org/dienste/lex/StGB/202c/1.html