CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

First reported
Last updated
3 unique sources, 4 articles

Summary

Hide ▲

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. The operation was supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Group-IB provided circumstantial intelligence on a cryptocurrency investment scam and BEC campaigns, while TRM Labs pursued leads tied to the Bl00dy ransomware group in Ghana and RansomHub. Notable actions included dismantling 25 cryptocurrency mining centres in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. Additionally, a transnational inheritance scam originating in Germany was disrupted, with losses estimated at $1.6 million. Nigeria deported 102 foreign nationals convicted of cyber terrorism and internet fraud. Earlier, Operation Red Card in March 2025 resulted in the arrest of 306 suspects and confiscation of 1,842 devices. The operation was part of the 'African Joint Operation against Cybercrime.' Participating countries included Seychelles, Tanzania, Ghana, Kenya, and others. Operation Serengeti 2.0 is part of a series of multi-month investigations and arrests highlighted by Interpol. The original Operation Serengeti involved two months of investigations with the African Union's Afripol and raids against 1,006 suspects in September and October 2024. In 2022, Interpol and 27 African nations conducted joint investigations as part of Operation Cyber Surge, following up in April 2023 with Operation Cyber Surge II. These joint investigations aim to train local law enforcement and prosecutors, which Interpol has noted are often hard-pressed to deal with the technical requirements of cybercrime prosecutions. In addition, the race is to deter cybercrime, redirect youth into more productive activities, and train law enforcement before the cybercriminals become too smart.

Timeline

  1. 22.08.2025 13:08 4 articles · 1mo ago

    Operation Serengeti 2.0 leads to 1,209 arrests in Africa

    The operation targeted a gang behind $300 million in investment fraud, a group involved in a cybercrime scam center and human trafficking, and a syndicate of Chinese nationals illegally mining cryptocurrency. The operation also involved dismantling 25 cryptocurrency mining centers in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. The operation is part of a series of multi-month investigations and arrests highlighted by Interpol, including the original Operation Serengeti and Operation Cyber Surge. The efforts also show that cooperation between Interpol and national law enforcement agencies has resulted in a maturing capability for investigating and prosecuting cybercrime. The operation targeted ransomware, online scams, and business email compromise (BEC).

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

U.S. sanctions cyber scam operations in Southeast Asia

The U.S. Department of the Treasury has sanctioned several large cyber scam networks in Southeast Asia, primarily in Burma and Cambodia. These operations, which used forced labor and human trafficking, stole over $10 billion from Americans in 2024, a 66% increase from the previous year. The scams included romance baiting and fake cryptocurrency investments. The sanctions target individuals and entities linked to the Karen National Army (KNA) and various organized crime networks. The sanctions block these entities from the U.S. financial system, freeze their U.S.-based assets, and limit their access to international financial services. The move aims to disrupt the operations and impose legal and financial consequences on the perpetrators. The cybercriminal syndicates in Southeast Asia net nearly $40 billion annually in illicit profits. The U.S. actions are part of a broader effort to degrade the infrastructure supporting these scams and punish the system enabling their crimes.

Open in new tab

Russian Hackers Exploit Old Cisco Vulnerability to Target U.S. Critical Infrastructure

Russian hackers, tracked as Static Tundra and associated with the FSB's Center 16 or Military Unit 71330, have been exploiting a seven-year-old vulnerability (CVE-2018-0171) in unpatched end-of-life Cisco networking devices to target enterprise and critical infrastructure networks in the U.S. and abroad. The attacks, ongoing since at least August 2024, have compromised thousands of devices, allowing the attackers to collect configuration files, change settings, and gain unauthorized access. The U.S. Department of State is offering a reward of up to $10 million for information on three FSB officers involved in these cyberattacks. The targets include organizations in the manufacturing, telecommunications, higher education, and energy sectors. The attackers use stolen SNMP credentials to control compromised devices, enabling them to run commands, change settings, and steal configurations while evading detection. They also create new local user accounts and enable remote access services like Telnet to maintain access. The attacks highlight the persistent threat of unpatched vulnerabilities and the need for robust cybersecurity measures to protect critical infrastructure. The three FSB officers, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, targeted more than 380 foreign energy-sector companies in 135 countries. The suspects targeted American and foreign oil and gas firms, nuclear power plants, renewable energy firms, utility and electrical grid entities, consulting and engineering groups, and advanced technology companies. In August 2021, these officers were indicted in the US with charges of computer fraud and abuse, wire fraud, and aggravated identity theft. The Dragonfly campaign involved obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise. In the second phase, known as Dragonfly 2.0, the three allegedly targeted over 3,300 users at more than 500 US and international companies and entities, including US government agencies, in spear-phishing attacks.

Open in new tab

Scattered Spider member sentenced to 10 years for wire fraud and conspiracy

Noah Michael Urban, a key member of the Scattered Spider cybercrime collective, was sentenced to 10 years in prison for wire fraud and conspiracy. Urban, also known by several aliases, was arrested in January 2024 and pleaded guilty in April. He was involved in stealing millions from cryptocurrency wallets, hacking companies to loot confidential data, and running phishing schemes targeting various companies. Urban will also pay $13 million in restitution to more than 30 victims. Scattered Spider is a fluid collective known for sophisticated social engineering attacks, including phishing, SIM swapping, and MFA bombing. They have targeted high-profile organizations worldwide, such as Twilio, Coinbase, and Reddit. The group escalated their attacks in September 2023, breaching MGM Resorts and encrypting over 100 VMware ESXi hypervisors using BlackCat ransomware. They have also partnered with various ransomware operations, including Qilin, RansomHub, and DragonForce.

Open in new tab

North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies

North Korean state actors have been using fake or stolen identities to secure IT jobs in various companies, particularly in the blockchain and technology sectors. These actors have stolen virtual currency and funneled money to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, enabling fraudsters to impersonate employees and gain privileged access to company networks. Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting vulnerabilities in hiring processes and remote work environments. Over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, with security experts warning of significant security risks and financial losses for affected companies. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has recently sanctioned two individuals and two entities for their role in these schemes, identifying financial transfers worth nearly $600,000 and over $1 million in profits generated since 2021. Japan, South Korea, and the United States are collaborating to combat North Korean IT worker schemes. The three countries held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with both Japan and South Korea issuing updated advisories on the threat. The United States sanctioned four entities for their roles in the IT worker fraud schemes, accusing them of working to help the Democratic People's Republic of Korea (DPRK) to generate revenue.

Open in new tab

Warlock Ransomware Exploits Vulnerable SharePoint Servers

Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk.

Open in new tab