
Interpol-led Operation Serengeti 2.0 arrests over 1,200 cybercriminals in Africa

📰 3 unique sources, 4 articles

Summary


Interpol coordinated Operation Serengeti 2.0, an extensive anti-cybercrime operation across Africa, leading to the arrest of 1,209 suspects. The operation, conducted from June to August 2025, targeted high-harm and high-impact cybercrimes including ransomware, online scams, and business email compromise (BEC). The coordinated effort involved 18 African countries and the United Kingdom, resulting in the seizure of $97.4 million and the dismantling of 11,432 malicious infrastructures. These actions targeted 87,858 victims worldwide. The operation was part of the African Joint Operation against Cybercrime, funded by the United Kingdom's Foreign, Commonwealth, and Development Office. Data from private sector partners, including Cybercrime Atlas, Fortinet, Kaspersky, Group-IB, and TRM Labs, was used to enhance the operation's effectiveness. Significant actions included the dismantling of 25 cryptocurrency mining centers in Angola, an online investment fraud operation in Zambia, and a transnational inheritance scam originating in Germany. Additionally, Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. In Angola, 45 illegal power stations and $37 million worth of mining and IT equipment were seized. A human trafficking network was disrupted in Zambia, and evidence including mobile numbers, domains, and bank accounts was seized. Côte d'Ivoire dismantled a transnational inheritance scam originating in Germany, seizing assets including electronics, jewellery, cash, vehicles, and documents.

Timeline

  1. 27.08.2025 09:00 📰 1 article · ⏱ 20d ago

    Interpol and partners disrupt human trafficking and investment fraud

    The operation revealed a human trafficking ring in Zambia and hundreds of forged passports. It also targeted more than 65,000 victims losing an estimated $300 million to investment scammers. The operation involved eight people running an online Ponzi scheme, including five Chinese nationals.

  2. 22.08.2025 14:05 📰 2 articles · ⏱ 25d ago

    Group-IB and TRM Labs support Operation Serengeti 2.0

    The operation involved cooperation between Interpol, national law enforcement agencies, and private-sector partners, including Fortinet, which took part in the operation. The operation reclaimed more than $97 million in stolen funds, 45 illicit power stations from the crypto-mining facility, and IT equipment worth more than $37 million.

  3. 22.08.2025 14:05 📰 2 articles · ⏱ 25d ago

    Nigeria deports 102 foreign nationals for cyber terrorism and internet fraud

    The deportees included 60 Chinese and 39 people from the Philippines, who were among 792 suspected cybercriminals arrested in December 2024. The operation involved foreign nationals exploiting regulatory gaps and infrastructure weaknesses to set up operations.

  4. 22.08.2025 13:08 📰 4 articles · ⏱ 25d ago

    Interpol's Operation Serengeti 2.0 arrests 1,209 cybercriminals in Africa

    The operation targeted a gang behind $300 million in investment fraud, a group involved in a cybercrime scam center and human trafficking, and a syndicate of Chinese nationals illegally mining cryptocurrency. The efforts also show that cooperation between Interpol and national law enforcement agencies has resulted in a maturing capability for investigating and prosecuting cybercrime.


Similar Happenings

U.S. sanctions Southeast Asian cyber scam operations stealing billions from Americans

The U.S. Department of the Treasury has imposed sanctions on several large cyber scam networks in Southeast Asia, particularly in Burma and Cambodia. These operations, which stole over $10 billion from Americans in 2024, are known for using forced labor, human trafficking, and physical violence. The scams include 'romance baiting' and fake cryptocurrency investment schemes. The financial damage to Americans increased by 66% compared to the previous year. The sanctions target 19 entities and individuals linked to the Karen National Army (KNA) in Burma and various organized crime networks in Cambodia. These entities are involved in running scam centers, providing infrastructure, and facilitating money laundering. The sanctions block these entities from the U.S. financial system, freeze their U.S. assets, and limit their access to international financial services. The cybercriminal syndicates in Southeast Asia are estimated to net nearly $40 billion annually in illicit profits. In May 2025, OFAC targeted Funnull Technology Inc. and its administrator Liu Lizhi for their part in romance scams that caused more than $200 million in losses. In July 2025, Cambodian law enforcement raided several cyber-scam centers, arresting more than 1,000 people. The cybercriminal operations have led to the growth of entire cities along national borders, especially in conflict zones and special economic zones (SEZs).

AI-Powered Cyberattacks Targeting Critical Sectors Disrupted

Anthropic disrupted a sophisticated AI-powered cyberattack campaign in July 2025. The operation, codenamed GTG-2002, targeted 17 organizations across healthcare, emergency services, government, and religious institutions. The attacker used Anthropic's AI-powered chatbot Claude to automate theft and extortion, threatening to expose stolen data publicly to extort ransoms ranging from $75,000 to $500,000 in Bitcoin. The attacker employed Claude Code on Kali Linux to automate various phases of the attack cycle, including reconnaissance, credential harvesting, and network penetration. The AI tool was also used to craft bespoke versions of the Chisel tunneling utility, disguise malicious executables, and organize stolen data for monetization. The attacker used Claude Code to create scanning frameworks using a variety of APIs, provide preferred operational TTPs, and perform real-time assistance with network penetrations. The AI tool was also used to create obfuscated versions of the Chisel tunneling tool, develop new TCP proxy code, analyze exfiltrated financial data to determine ransom amounts, and generate visually alarming HTML ransom notes. The attacker used AI to make tactical and strategic decisions, adapt to defensive measures in real-time, and create customized ransom notes and extortion strategies. The attacker's activities led Anthropic to develop a tailored classifier and new detection method to prevent future abuse. The operation represents a shift to 'vibe hacking,' where threat actors use LLMs and agentic AI to perform attacks.

Chinese State-Sponsored Actors Targeting Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory provides actionable guidance to help organizations strengthen their defenses and protect critical systems. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. The advisory tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory's authors suspect that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from being purely espionage to gaining long-term access for potential disruption. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.

CISA and partners respond to cyber attack on Nevada state services

On August 24, 2025, a ransomware attack targeted the state of Nevada, impacting essential services and leading to data theft. The Cybersecurity and Infrastructure Security Agency (CISA) and its partners are providing real-time incident response to assist in restoring critical services and rebuilding systems. The attack's origins are under investigation. CISA's Threat Hunting teams are actively examining state networks to identify the full scope of the situation and mitigate threats. The Federal Bureau of Investigation (FBI) is assisting in the investigation, and the Federal Emergency Management Agency (FEMA) is advising on emergency response grants and other available assistance. The attack on Nevada is part of a broader trend of ransomware attacks on local governments, exacerbated by federal budget and staffing cuts.

Scattered Spider Member Sentenced for Cryptocurrency Theft and SIM Swapping

Noah Michael Urban, a member of the Scattered Spider cybercriminal collective, was sentenced to 10 years in prison. Urban pleaded guilty to charges involving the theft of cryptocurrency and sensitive documents. He was convicted of stealing around $800,000 in cryptocurrency from five victims in Florida through SIM swapping. Urban, known as "King Bob," was a key figure in the collective, which typically targets company IT and help desk staff to steal login credentials and extort victims through ransomware attacks. Urban was also involved in a phishing scheme targeting various companies. The total losses caused by his actions exceed $13 million. He was ordered to pay $13 million in restitution to over 30 victims and will serve three years of supervised release after his prison sentence.