Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

4 unique sources, 9 articles

Summary

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide.

Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses.

Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe.

The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security.

Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy.

Timeline

  1. 19.02.2026 13:24 2 articles · 11h ago

    Operation Red Card 2.0 arrests 651 suspects and recovers $4.3 million

    Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. Notable cases included the dismantling of a high-yield investment fraud ring in Nigeria, the arrest of six members of a sophisticated cybercrime syndicate in Nigeria, the arrest of 27 individuals in Kenya involved in a fraud scheme, and the arrest of 58 individuals in Côte d'Ivoire involved in a predatory mobile loan fraud scheme.

  2. 22.12.2025 20:38 4 articles · 1mo ago

    Operation Sentinel arrests 574 and decrypts 6 ransomware strains

    Operation Sentinel involved authorities from 19 countries, including Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe. The operation took down 6,000 malicious links and decrypted six distinct ransomware variants. Multiple suspects were arrested in connection with a ransomware attack targeting an unnamed Ghanaian financial institution that encrypted 100 terabytes of data and stole about $120,000. Ghanaian authorities took down a cyber fraud network operating across Ghana and Nigeria that defrauded more than 200 victims of over $400,000 using well-designed websites and mobile apps impersonating popular fast-food brands. As part of the effort, 10 individuals were apprehended, 100 digital devices were seized, and 30 fraudulent servers were taken offline. Law enforcement from Benin dismantled 43 malicious domains and 4,318 social media accounts used for extortion schemes and scams, resulting in the arrest of 106 people. The operation is part of the African Joint Operation against Cybercrime (AFJOC), which aims to enhance the capabilities of national law enforcement agencies in Africa and better disrupt cybercriminal activity in the region.

  3. 22.08.2025 13:08 6 articles · 6mo ago

    Operation Serengeti 2.0 leads to 1,209 arrests in Africa

    The operation targeted a gang behind $300 million in investment fraud, a group involved in a cybercrime scam center and human trafficking, and a syndicate of Chinese nationals illegally mining cryptocurrency. The operation also involved dismantling 25 cryptocurrency mining centers in Angola, confiscating 45 illicit power stations, and disrupting an online investment fraud operation in Zambia with 65,000 victims and $300 million in losses. The operation is part of a series of multi-month investigations and arrests highlighted by Interpol, including the original Operation Serengeti and Operation Cyber Surge. The efforts also show that cooperation between Interpol and national law enforcement agencies has resulted in a maturing capability for investigating and prosecuting cybercrime. The operation targeted ransomware, online scams, and business email compromise (BEC).

Similar Happenings

Black Basta Leader Identified and Added to Interpol's Red Notice List

Law enforcement in Ukraine and Germany have identified Oleg Evgenievich Nefedov, a 35-year-old Russian national, as the leader of the Black Basta ransomware gang. Nefedov, known by multiple aliases, has been added to Europol's 'Most Wanted' and Interpol's 'Red Notice' lists. Ukrainian police, in collaboration with German authorities, identified two additional individuals involved in initial network breaches and privilege escalation for ransomware attacks. These individuals were found to be 'hash crackers', specializing in extracting passwords from account databases. Raids in Ukraine seized digital storage devices and cryptocurrency assets. Black Basta has targeted over 500 companies globally and is estimated to have earned hundreds of millions of dollars in cryptocurrency. Nefedov is believed to have ties to Russian intelligence agencies and was arrested in Armenia but secured his freedom. The group's internal chat logs leaked, revealing its structure and key members, and its data leak site was taken down in February 2025. Former affiliates may have migrated to the CACTUS ransomware operation.

RedVDS Cybercrime-as-a-Service Disrupted by Microsoft

Microsoft, in coordination with legal partners in the US and UK, has disrupted RedVDS, a cybercriminal subscription service that facilitated phishing and fraud campaigns. RedVDS offered cheap, effective, and disposable virtual computers running unlicensed software, enabling cybercriminals to operate anonymously. The service caused over $40 million in losses in the US alone since March 2025, with nearly 190,000 organizations worldwide affected. RedVDS utilized AI to tailor phishing and business email compromise (BEC) scams, including deepfake videos and voice cloning to impersonate individuals. The disruption involved legal action in the US and UK, supported by international law enforcement, including Europol. Microsoft emphasized the importance of reporting cybercrime to prevent future attacks and protect potential victims. RedVDS operated since 2019 and rented servers from third-party hosting providers across multiple countries. The service was used for various malicious activities, including credential theft, account takeovers, and real estate payment diversion scams. In one month, cybercriminals using RedVDS sent an average of 1 million phishing messages per day to Microsoft customers alone, compromising nearly 200,000 Microsoft accounts over the last four months. RedVDS was advertised as a way to 'increase your productivity and work from home with comfort and ease.' The service was first founded in 2017 and operated on Discord, ICQ, and Telegram. The website was launched in 2019. RedVDS provided a reseller panel to create sub-users and grant them access to manage the servers without having to share access to the main site. The service did not maintain activity logs, making it an attractive choice for illicit use. RedVDS was used to host a toolkit comprising both malicious and dual-use software, including mass spam/phishing email tools, email address harvesters, privacy and OPSEC tools, and remote access tools. 
RedVDS used a single Windows Server 2022 image to create cloned Windows instances, which were created on demand using Quick Emulator (QEMU) virtualization technology combined with VirtIO drivers. RedVDS's Terms of Service prohibited customers from using the service for sending phishing emails, distributing malware, transferring illegal content, scanning systems for security vulnerabilities, or engaging in denial-of-service (DoS) attacks.

Record $158bn in Illicit Crypto Activity in 2025

Illicit crypto wallets received an estimated $158bn in 2025, marking the highest level observed in five years. This represents a 145% increase from the previous year, driven by factors such as sanctions-evading activity, improved detection methods, large-scale hacks, and increased enforcement by stablecoin issuers. Despite the rise in absolute terms, illicit activity as a share of total blockchain flows declined to 1.2% in 2025, indicating a smaller proportion of new capital entering the crypto ecosystem being absorbed by bad actors. The increase in illicit activity was attributed to several factors, including a surge in sanctions-evading activity by countries like Venezuela, Iran, and Russia, improved identification of illegal crypto activity through the Beacon Network, and large-scale hacks such as the raid of Bybit by North Korean actors. Additionally, there was growth in blocklisted activity across multiple crime types, including sanctions evasion, terrorism financing, fraud, and hacking. Despite the significant increase in illicit activity, the proportion of illicit activity relative to total blockchain flows has decreased, suggesting that bad actors are absorbing a smaller share of new capital entering the crypto ecosystem.

Global Law Enforcement Disrupts Black Axe Cybercrime Operations

A coordinated international law enforcement operation led by Europol has resulted in the arrest of 34 individuals associated with the Black Axe cybercrime gang. The operation, conducted with the support of the Spanish National Police and the Bavarian State Criminal Police Office, targeted key members of the group across Spain. The arrests and seizures have caused significant disruptions to Black Axe's operations, which include business email compromise (BEC) attacks, romance scams, phishing campaigns, and other forms of online fraud. The group is believed to generate billions annually, with the Spanish branch alone responsible for nearly €5.93 million in damages. Black Axe is a hierarchical criminal group that originated in Nigeria in 1977 and has spread to dozens of countries across the world, with about 30,000 registered members and other affiliates such as money mules and facilitators. The group specialized in man-in-the-middle (MITM) scams, including business email compromise (BEC). The damages caused by the cybercriminals in the last 15 years exceed $6 million, with $3.5 million linked to this operation. Four main suspects have been put into pretrial detention facing charges of aggravated continuous fraud, membership in a criminal organization, money laundering, document forgery, and obstruction of justice. The investigation is ongoing, and more arrests may follow.

European Authorities Dismantle Ukraine-Based Call Center Fraud Ring

European law enforcement dismantled a fraud network operating call centers in Ukraine that scammed victims across Europe out of over 10 million euros. The operation involved arrests, seizures, and the disruption of multiple call centers employing approximately 100 people. The criminals used various schemes, including impersonating bank employees and police officers, to defraud over 400 known victims. The network operated as a commission-based criminal enterprise, promising bonuses for successful scams. Authorities from the Czech Republic, Latvia, Lithuania, and Ukraine, supported by Eurojust, arrested 12 suspects out of 45 identified. The operation included 72 searches across three Ukrainian cities, leading to the seizure of vehicles, weapons, a polygraph machine, computers, cash, and counterfeit identification documents. The fraud ring used remote access software to steal banking logins and directed victims to transfer funds to 'safe' accounts under their control. Members of the network had different roles, including making scam phone calls, forging official documents, and collecting cash from victims.