Interpol-led Operation Serengeti 2.0 arrests over 1,200 cybercriminals in Africa
Summary
Interpol coordinated Operation Serengeti 2.0, an extensive anti-cybercrime operation across Africa that led to the arrest of 1,209 suspects. The operation, conducted from June to August 2025, targeted high-harm and high-impact cybercrimes including ransomware, online scams, and business email compromise (BEC). The coordinated effort involved 18 African countries and the United Kingdom and resulted in the seizure of $97.4 million and the dismantling of 11,432 malicious infrastructures, which had targeted 87,858 victims worldwide. The operation was part of the African Joint Operation against Cybercrime, funded by the United Kingdom's Foreign, Commonwealth, and Development Office. Data from private sector partners, including Cybercrime Atlas, Fortinet, Kaspersky, Group-IB, and TRM Labs, was used to enhance the operation's effectiveness. Significant actions included the dismantling of 25 cryptocurrency mining centers in Angola, an online investment fraud operation in Zambia, and a transnational inheritance scam originating in Germany. Additionally, Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. In Angola, 45 illegal power stations and $37 million worth of mining and IT equipment were seized. A human trafficking network was disrupted in Zambia, and evidence including mobile numbers, domains, and bank accounts was seized. Côte d'Ivoire dismantled a transnational inheritance scam originating in Germany, seizing assets including electronics, jewellery, cash, vehicles, and documents.
Timeline
- 27.08.2025 09:00 · 1 article · 20d ago
  Interpol and partners disrupt human trafficking and investment fraud
  The operation revealed a human trafficking ring in Zambia and hundreds of forged passports. It also targeted investment scammers who defrauded more than 65,000 victims of an estimated $300 million. Eight people ran the online Ponzi scheme, including five Chinese nationals.
  Sources:
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- 22.08.2025 14:05 · 2 articles · 25d ago
  Group-IB and TRM Labs support Operation Serengeti 2.0
  The operation involved cooperation between Interpol, national law enforcement agencies, and private-sector partners, including Fortinet, which took part in the operation. The operation reclaimed more than $97 million in stolen funds and seized 45 illicit power stations from a crypto-mining facility, along with IT equipment worth more than $37 million.
  Sources:
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- 22.08.2025 14:05 · 2 articles · 25d ago
  Nigeria deports 102 foreign nationals for cyber terrorism and internet fraud
  The deportees included 60 Chinese nationals and 39 people from the Philippines, who were among 792 suspected cybercriminals arrested in December 2024. The operation involved foreign nationals exploiting regulatory gaps and infrastructure weaknesses to set up operations.
  Sources:
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- 22.08.2025 14:05 · 1 article · 25d ago
  Operation Red Card arrests 306 suspects and confiscates 1,842 devices
  In March 2025, Operation Red Card resulted in the arrest of 306 suspects and the confiscation of 1,842 devices across seven African countries.
  Sources:
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
- 22.08.2025 13:08 · 4 articles · 25d ago
  Interpol's Operation Serengeti 2.0 arrests 1,209 cybercriminals in Africa
  The operation targeted a gang behind $300 million in investment fraud, a group involved in a cybercrime scam center and human trafficking, and a syndicate of Chinese nationals illegally mining cryptocurrency. The effort also shows that cooperation between Interpol and national law enforcement agencies has produced a maturing capability for investigating and prosecuting cybercrime.
  Sources:
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
Information Snippets
- Operation Serengeti 2.0 took place from June to August 2025.
  First reported: 22.08.2025 13:08 · 3 sources, 4 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- The operation involved 18 African countries and the United Kingdom.
  First reported: 22.08.2025 13:08 · 3 sources, 4 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- 1,209 suspects were arrested during the operation.
  First reported: 22.08.2025 13:08 · 3 sources, 4 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- $97.4 million was seized as part of the operation.
  First reported: 22.08.2025 13:08 · 3 sources, 4 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- 11,432 malicious infrastructures were dismantled.
  First reported: 22.08.2025 13:08 · 3 sources, 4 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- 87,858 victims were targeted by the dismantled infrastructures.
  First reported: 22.08.2025 13:08 · 3 sources, 4 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- The operation targeted ransomware, online scams, and business email compromise (BEC).
  First reported: 22.08.2025 13:08 · 3 sources, 4 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- The operation was funded by the United Kingdom's Foreign, Commonwealth, and Development Office.
  First reported: 22.08.2025 13:08 · 2 sources, 2 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Private sector partners, including Cybercrime Atlas, Fortinet, and Kaspersky, contributed data to the operation.
  First reported: 22.08.2025 13:08 · 2 sources, 2 articles
  - Massive anti-cybercrime operation leads to over 1,200 arrests in Africa · www.bleepingcomputer.com · 22.08.2025 13:08
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- The operation dismantled 25 cryptocurrency mining centers in Angola involving 60 Chinese nationals.
  First reported: 22.08.2025 14:05 · 2 sources, 3 articles
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Zambian authorities dismantled an online investment fraud operation in which 65,000 victims lost around $300 million.
  First reported: 22.08.2025 14:05 · 2 sources, 3 articles
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- A transnational inheritance scam originating in Germany was disrupted; it had caused losses of around $1.6 million.
  First reported: 22.08.2025 14:05 · 2 sources, 3 articles
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Group-IB provided circumstantial intelligence on a cryptocurrency investment scam and BEC campaigns.
  First reported: 22.08.2025 14:05 · 2 sources, 2 articles
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- TRM Labs assisted in pursuing leads tied to the Bl00dy ransomware group in Ghana and the RansomHub ransomware operation.
  First reported: 22.08.2025 14:05 · 2 sources, 2 articles
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud.
  First reported: 22.08.2025 14:05 · 2 sources, 2 articles
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Red Card in March 2025 resulted in the arrest of 306 suspects and the confiscation of 1,842 devices.
  First reported: 22.08.2025 14:05 · 1 source, 1 article
  - INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown · thehackernews.com · 22.08.2025 14:05
- 45 illegal power stations were confiscated in Angola.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- $37 million worth of mining and IT equipment was seized in Angola.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- A human trafficking network was disrupted in Zambia.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- 15 individuals were arrested in Zambia for an online investment scheme.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Evidence including mobile numbers, domains, and bank accounts was seized in Zambia.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Côte d'Ivoire dismantled a transnational inheritance scam originating in Germany.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- The primary suspect was apprehended, and assets including electronics, jewellery, cash, vehicles, and documents were seized in Côte d'Ivoire.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- The inheritance scam caused an estimated $1.6 million in losses.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Participating countries included Seychelles, Tanzania, Ghana, and Kenya.
  First reported: 22.08.2025 20:03 · 1 source, 2 articles
  - Interpol Arrests Over 1K Cybercriminals in 'Operation Serengeti 2.0' · www.darkreading.com · 22.08.2025 20:03
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 targeted a gang behind $300 million in investment fraud.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 targeted a group involved in a cybercrime scam center and human trafficking.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 targeted a syndicate of Chinese nationals illegally mining cryptocurrency.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved cooperation between Interpol, national law enforcement agencies, and private-sector partners.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 reclaimed more than $97 million in stolen funds.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 seized 45 illicit power stations from a crypto-mining facility.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 seized IT equipment worth more than $37 million.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 revealed a human trafficking ring in Zambia.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 revealed hundreds of forged passports in Zambia.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved eight people running an online Ponzi scheme, including five Chinese nationals.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved more than 65,000 victims losing an estimated $300 million to investment scammers.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved African cybercriminals using a mix of old and new methods, including AI-powered deepfakes.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved criminal schemes diversified across online financial fraud, money laundering, human trafficking, and document forgery.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved foreign nationals exploiting regulatory gaps and infrastructure weaknesses to set up operations.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved at least a half-dozen African nations with restrictions on cryptomining or cryptocurrencies.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 involved training local law enforcement and prosecutors to handle cybercrime prosecutions.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
- Operation Serengeti 2.0 aimed to deter cybercrime and redirect youth into more productive activities.
  First reported: 27.08.2025 09:00 · 1 source, 1 article
  - African Law Enforcement Agencies Nab Cybercrime Syndicates · www.darkreading.com · 27.08.2025 09:00
Similar Happenings
U.S. sanctions Southeast Asian cyber scam operations stealing billions from Americans
The U.S. Department of the Treasury has imposed sanctions on several large cyber scam networks in Southeast Asia, particularly in Burma and Cambodia. These operations, which stole over $10 billion from Americans in 2024, are known for using forced labor, human trafficking, and physical violence. The scams include 'romance baiting' and fake cryptocurrency investment schemes. The financial damage to Americans increased by 66% compared to the previous year. The sanctions target 19 entities and individuals linked to the Karen National Army (KNA) in Burma and various organized crime networks in Cambodia. These entities are involved in running scam centers, providing infrastructure, and facilitating money laundering. The sanctions block these entities from the U.S. financial system, freeze their U.S. assets, and limit their access to international financial services. The cybercriminal syndicates in Southeast Asia are estimated to net nearly $40 billion annually in illicit profits. In May 2025, OFAC targeted Funnull Technology Inc. and its administrator Liu Lizhi for their part in romance scams that caused more than $200 million in losses. In July 2025, Cambodian law enforcement raided several cyber-scam centers, arresting more than 1,000 people. The cybercriminal operations have led to the growth of entire cities along national borders, especially in conflict zones and special economic zones (SEZs).
AI-Powered Cyberattacks Targeting Critical Sectors Disrupted
Anthropic disrupted a sophisticated AI-powered cyberattack campaign in July 2025. The operation, codenamed GTG-2002, targeted 17 organizations across healthcare, emergency services, government, and religious institutions. The attacker used Anthropic's AI-powered chatbot Claude to automate theft and extortion, threatening to expose stolen data publicly to extort ransoms ranging from $75,000 to $500,000 in Bitcoin. The attacker employed Claude Code on Kali Linux to automate various phases of the attack cycle, including reconnaissance, credential harvesting, and network penetration. The AI tool was also used to craft bespoke versions of the Chisel tunneling utility, disguise malicious executables, and organize stolen data for monetization. The attacker used Claude Code to create scanning frameworks using a variety of APIs, provide preferred operational TTPs, and perform real-time assistance with network penetrations. The AI tool was also used to create obfuscated versions of the Chisel tunneling tool, develop new TCP proxy code, analyze exfiltrated financial data to determine ransom amounts, and generate visually alarming HTML ransom notes. The attacker used AI to make tactical and strategic decisions, adapt to defensive measures in real time, and create customized ransom notes and extortion strategies. The attacker's activities led Anthropic to develop a tailored classifier and a new detection method to prevent future abuse. The operation represents a shift to 'vibe hacking,' where threat actors use LLMs and agentic AI to perform attacks.
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory attributes this cluster of activity to multiple advanced persistent threats (APTs), which partially overlap with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from purely espionage to gaining long-term access for potential disruption. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
CISA and partners respond to cyber attack on Nevada state services
On August 24, 2025, a ransomware attack targeted the state of Nevada, impacting essential services and leading to data theft. The Cybersecurity and Infrastructure Security Agency (CISA) and its partners are providing real-time incident response to assist in restoring critical services and rebuilding systems. The attack's origins are under investigation. CISA's Threat Hunting teams are actively examining state networks to identify the full scope of the situation and mitigate threats. The Federal Bureau of Investigation (FBI) is assisting in the investigation, and the Federal Emergency Management Agency (FEMA) is advising on emergency response grants and other available assistance. The attack on Nevada is part of a broader trend of ransomware attacks on local governments, exacerbated by federal budget and staffing cuts.
Scattered Spider Member Sentenced for Cryptocurrency Theft and SIM Swapping
Noah Michael Urban, a member of the Scattered Spider cybercriminal collective, was sentenced to 10 years in prison. Urban pleaded guilty to charges involving the theft of cryptocurrency and sensitive documents. He was convicted of stealing around $800,000 in cryptocurrency from five victims in Florida through SIM swapping. Urban, known as "King Bob," was a key figure in the collective, which typically targets company IT and help desk staff to steal login credentials and extort victims through ransomware attacks. Urban was also involved in a phishing scheme targeting various companies. The total losses caused by his actions exceed $13 million. He was ordered to pay $13 million in restitution to over 30 victims and will serve three years of supervised release after his prison sentence.