Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

4 unique sources, 10 articles

Summary

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide.

Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses.

Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe.

The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.

Additionally, Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.

Timeline

  1. 13.03.2026 15:28 1 article · 23h ago

    Operation Synergia III arrests 94 suspects and identifies 33,000 phishing sites

    Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.

  2. 19.02.2026 13:24 3 articles · 23d ago

    Operation Red Card 2.0 arrests 651 suspects and recovers $4.3 million

    Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. Notable cases included the dismantling of a high-yield investment fraud ring in Nigeria, the arrest of six members of a sophisticated cybercrime syndicate in Nigeria, the arrest of 27 individuals in Kenya involved in a fraud scheme, and the arrest of 58 individuals in Côte d'Ivoire involved in a predatory mobile loan fraud scheme.

  3. 22.12.2025 20:38 4 articles · 2mo ago

    Operation Sentinel arrests 574 and decrypts 6 ransomware strains

    Operation Sentinel involved authorities from 19 countries, including Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe. The operation took down 6,000 malicious links and decrypted six distinct ransomware variants. Multiple suspects were arrested in connection with a ransomware attack targeting an unnamed Ghanaian financial institution that encrypted 100 terabytes of data and stole about $120,000. Ghanaian authorities took down a cyber fraud network operating across Ghana and Nigeria that defrauded more than 200 victims of over $400,000 using well-designed websites and mobile apps impersonating popular fast-food brands. As part of the effort, 10 individuals were apprehended, 100 digital devices were seized, and 30 fraudulent servers were taken offline. Law enforcement from Benin dismantled 43 malicious domains and 4,318 social media accounts used for extortion schemes and scams, resulting in the arrest of 106 people. The operation is part of the African Joint Operation against Cybercrime (AFJOC), which aims to enhance the capabilities of national law enforcement agencies in Africa and better disrupt cybercriminal activity in the region.

  4. 22.08.2025 13:08 6 articles · 6mo ago

    Operation Serengeti 2.0 leads to 1,209 arrests in Africa

    The operation targeted a gang behind $300 million in investment fraud, a group involved in a cybercrime scam center and human trafficking, and a syndicate of Chinese nationals illegally mining cryptocurrency. The operation also involved dismantling 25 cryptocurrency mining centers in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. The operation is part of a series of multi-month investigations and arrests highlighted by Interpol, including the original Operation Serengeti and Operation Cyber Surge. The efforts also show that cooperation between Interpol and national law enforcement agencies has resulted in a maturing capability for investigating and prosecuting cybercrime. The operation targeted ransomware, online scams, and business email compromise (BEC).

Similar Happenings

SocksEscort Proxy Network Disrupted by Law Enforcement

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.

Ghanaian Fraud Ring Member Pleads Guilty to $100 Million Scam

Derrick Van Yeboah, a Ghanaian national, pleaded guilty to his role in a fraud ring that stole over $100 million from U.S. victims through business email compromise (BEC) attacks and romance scams. The operation, active from 2016 to May 2023, involved multiple accomplices and targeted vulnerable individuals and businesses. Van Yeboah, a high-ranking member, impersonated romantic partners to gain trust and then tricked victims into sending money. He also helped launder funds from other victims and participated in BEC attacks by impersonating senior corporate leaders or suppliers. Van Yeboah is set to pay over $10 million in restitution and faces up to 20 years in prison.

Global Law Enforcement Dismantles Major Pirate IPTV Services

A coordinated global law enforcement operation, led by Europol, Eurojust, Interpol, and Italy’s District Prosecutor’s Office of Catania, has seized three industrial-scale illegal IPTV services. The operation, known as Operation Switch Off, targeted 11 cities across 14 countries, identifying 31 individuals suspected of involvement in illicit IPTV services. The action aimed to prevent illegal broadcasts during the upcoming Winter Olympics in Milan, scheduled for February 6–22. The seized services, including IPTVItalia, migliorIPTV, and DarkTV, were distributing unauthorized pay-TV and on-demand content, impacting major platforms like Sky, DAZN, Mediaset, Amazon Prime, Netflix, Paramount, and Disney+. The operators used cryptocurrency payments and shell companies to obfuscate their activities. The operation also dismantled six servers in Romania and one in Africa, affecting at least 250 resellers and 100,000 IPTV subscribers in Italy alone. Additionally, the U.S. Department of Justice announced the dismantling of three pirate services in Bulgaria, which were among the top 10 most visited domains in the country.

FBI Seizes RAMP Cybercrime Forum

The FBI has seized the RAMP cybercrime forum, a platform known for facilitating ransomware operations and other cybercriminal activities. The seizure includes both the forum's Tor site and its clearnet domain, ramp4u[.]io, which now display a seizure notice. The forum was a hub for ransomware gangs to advertise their operations and recruit affiliates. The seizure provides law enforcement with access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, and private messages. This could lead to the identification and potential arrest of threat actors who failed to follow proper operational security (opsec). RAMP was created in 2021 by individuals linked to the now-defunct Babuk ransomware group and was administered by key operators such as Mikhail Matveev (also known as Orange, Wazawaka, and BorisElcin) and Stallman. The forum was a prime hub for various ransomware groups, including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, Nova, Radiant, and RansomHub. Following the seizure, Stallman confirmed there were no plans to rebuild the forum, indicating a significant disruption to the cybercriminal ecosystem.

Additionally, the FBI has seized the LeakBase cybercrime forum, a major online forum used by cybercriminals to buy and sell hacking tools and stolen data. The forum had over 142,000 members and more than 215,000 messages between members as of December 2025. The seizure is part of an international joint operation coordinated by Europol, known as 'Operation Leak,' involving law enforcement agencies in 14 countries. The operation included the shutdown of LeakBase's domains, posting seizure banners, and warning members of the seizure. Law enforcement executed search warrants, made arrests, and conducted interviews in multiple countries. The seizure banner notes that the forum's database and all its contents, including IP logs and private messages, will be used for evidentiary purposes in future investigations. The domain nameservers have been switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The operation involved around 100 enforcement actions worldwide, including measures against 37 of the most active users of the platforms. LeakBase was active since 2021 and had over 142,000 members, offering access to databases, a market for selling leaks, exploits, and other cybercrime services, and an escrow payment system.

Latin American Organizations Struggle with Cybersecurity Defenses and Skills Shortage

Latin American organizations report low confidence in their nations' cyber defenses, with only 13% confident in their country's ability to protect critical infrastructure. The region faces a significant cybersecurity skills gap, with 69% lacking critical personnel and capabilities. Cyberattacks have surged by 53% year-over-year, driven by cybercrime syndicates from Southeast Asia and China. Latin American organizations now face an average of around 3,100 cyber threats per week, nearly double the 1,500 threats faced by US organizations. The lack of skilled professionals and investment in cyber resilience infrastructure hampers the region's digital progress, making it vulnerable to systemic risks. Phishing campaigns are particularly effective, and the healthcare and financial services sectors are heavily targeted.