Full Report
INTERPOL-coordinated operation leads to 1,209 arrests LYON, France – In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims. The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation. Operation Serengeti 2.0 (June to August...
Analysis Summary
# Incident Report: INTERPOL Operation Serengeti 2.0 Dismantles African Cybercrime Networks
## Executive Summary
A massive, coordinated enforcement action named Operation Serengeti 2.0, led by INTERPOL and involving 18 African countries and the UK, successfully dismantled significant cybercrime and fraud networks between June and August 2025. The operation targeted high-impact crimes including ransomware, BEC, and online scams, resulting in 1,209 arrests and the recovery of USD 97.4 million. This effort highlights effective international collaboration and private sector partnership in combating cyber threat actors operating across the African continent.
## Incident Details
- **Discovery Date:** Intelligence sharing occurred leading up to June 2025.
- **Incident Date:** Operation conducted from June to August 2025.
- **Affected Organization:** Numerous organizations and nearly 88,000 individual victims targeted globally.
- **Sector:** Cross-sector (targeting victims of ransomware, online scams, and BEC).
- **Geography:** Coordinated across 18 African countries and the United Kingdom.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing activity leading up to the June 2025 operation start.
- **Vector:** Attacks involved methods consistent with ransomware, online scams, and Business Email Compromise (BEC).
- **Details:** Specific initial access points are not described in the source; the infrastructure targeted by the operation was used for these high-harm cybercrimes.
### Lateral Movement
- Not explicitly detailed for specific compromised entities, but the dismantling of 11,432 malicious infrastructures suggests the operation targeted the command-and-control points needed to sustain these campaigns.
### Data Exfiltration/Impact
- The operation focused on disrupting criminal networks rather than remediating specific breaches. The impact was significant, affecting nearly 88,000 victims across various crime types (ransomware, scams, BEC).
### Detection & Response
- **How it was discovered:** Detection relied on intelligence sharing provided by INTERPOL and private sector partners, specifying suspicious IP addresses, domains, and C2 servers.
- **Response actions taken:** A major, multi-nation enforcement operation (Serengeti 2.0) was executed, leading to physical arrests, infrastructure takedowns, and financial seizure.
## Attack Methodology
- **Initial Access:** Methods consistent with ransomware deployment and phishing/social engineering (for BEC and scams).
- **Persistence:** Not detailed, but the infrastructure dismantlement suggests the operation targeted the mechanisms used to sustain long-running criminal operations.
- **Privilege Escalation:** Not detailed for specific victims.
- **Defense Evasion:** Not detailed, but implied by the sophistication required to run established fraud networks.
- **Credential Access:** Likely involved in the BEC-related attacks, though not explicitly detailed.
- **Discovery:** Threat actor reconnaissance techniques are not specified, but intelligence gathering preceded the operation.
- **Lateral Movement:** Not detailed specific to victim networks.
- **Collection:** Data gathering was presumed for BEC and scam operations targeting victims.
- **Exfiltration:** Not detailed, though financial fraud and potential data theft were byproducts of the criminal activities.
- **Impact:** Financial loss to victims from scams and ransomware demands; operational disruption; and potential compromise of sensitive information.
## Impact Assessment
- **Financial:** USD 97.4 million recovered by authorities.
- **Data Breach:** Nearly 88,000 victims were affected, implying exposure of various data types across the scam and BEC cases; the source gives no breakdown by data type.
- **Operational:** Dismantlement of 11,432 malicious infrastructures.
- **Reputational:** Not specified for any particular entity, but the law enforcement action signals significant disruption to established criminal enterprises.
## Indicators of Compromise
- **Network indicators (Defanged):** Suspicious IP addresses, domains, and C2 servers were identified and shared with participating countries prior to the operation. (Specific IoCs were withheld pending release).
- **File indicators:** None specified in the source text.
- **Behavioral indicators:** Activities related to ransomware execution, financial fraud schemes, and BEC spear-phishing.
## Response Actions
- **Containment measures:** Simultaneous, coordinated law enforcement action against criminal infrastructure across all participating countries.
- **Eradication steps:** Takedown of 11,432 malicious infrastructures.
- **Recovery actions:** Recovery of USD 97.4 million; arrests of 1,209 cybercriminals.
## Lessons Learned
- **Key takeaways:** Cross-border law enforcement coordination (INTERPOL-led) is highly effective against transnational cybercrime networks originating or operating from specific regions. Private sector intelligence sharing is crucial for successful enforcement actions.
- **What could have been done better:** The report implies that ongoing collaboration is needed to address the sharp rise in cybercrime noted in the INTERPOL Africa Cyberthreat Assessment Report.
## Recommendations
- **Prevention measures for similar incidents:** Enhance intelligence sharing regarding suspicious IPs, domains, and C2 infrastructure related to BEC, ransomware groups, and financial fraud schemes. Increase participation in international coordinated cyber-takedowns, focusing on disrupting the underlying criminal enterprise infrastructure rather than just reacting to individual victim incidents.
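The Indicators of Compromise and Recommendations sections both turn on the same defender workflow: indicators such as suspicious IP addresses, domains and C2 servers are shared in defanged form (`hxxp://`, `[.]`) and each recipient must refang them and sweep its own logs. The following is an added example, not code from the INTERPOL release or any participating organisation; the indicator feed and the proxy/DNS log lines are constructed placeholders, since the operation's real IoCs are not in the source text.

```python
"""Refang shared (defanged) network indicators and sweep sample logs for them.

Added example, not part of the INTERPOL release or any project's code. The
indicator values and log lines below are constructed placeholders; the
operation's real IoCs are not in the source text.
"""
import ipaddress
import re

# Constructed placeholder indicator feed in common defanged notation.
SHARED_INDICATORS = """
# example feed (constructed); one indicator per line
hxxp://c2-example[.]invalid/gate.php
203[.]0[.]113[.]45
198.51.100[.]7
hxxps://login-portal-example[.]test
c2-example[.]invalid
"""

# Constructed sample log lines in a proxy / DNS resolver style.
SAMPLE_LOGS = [
    "2025-07-02T10:14:03Z proxy src=10.0.0.21 dst=203.0.113.45 url=http://c2-example.invalid/gate.php",
    "2025-07-02T10:15:11Z dns src=10.0.0.33 q=beacon.c2-example.invalid type=A",
    "2025-07-02T10:16:40Z proxy src=10.0.0.21 dst=192.0.2.9 url=https://intranet.example/home",
    "2025-07-02T10:17:05Z dns src=10.0.0.40 q=notc2-example.invalid type=A",
    "2025-07-02T10:18:22Z proxy src=10.0.0.50 dst=198.51.100.7 url=https://login-portal-example.test/",
]


def refang(value: str) -> str:
    """Reverse the usual defanging: hxxp -> http, [.] / (.) -> ., [:] -> :"""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def parse_indicators(feed: str):
    """Return (set of IP addresses, set of domains) from a defanged feed.

    URLs are reduced to their host part; comment and blank lines are skipped.
    """
    ips, domains = set(), set()
    for raw in feed.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        v = refang(line)
        host = re.sub(r"^https?://", "", v, flags=re.IGNORECASE)
        host = host.split("/")[0].split(":")[0].lower()
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host)
    return ips, domains


def host_matches(host: str, domains: set) -> bool:
    """Exact or subdomain match on a label boundary.

    'beacon.c2-example.invalid' matches 'c2-example.invalid';
    'notc2-example.invalid' must not, so a plain endswith() is not enough.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"(?:url=https?://|q=)([A-Za-z0-9.-]+)")


def sweep_logs(logs, feed=SHARED_INDICATORS):
    """Return [(log_line, [matched indicators...]), ...] for lines that hit the feed."""
    ips, domains = parse_indicators(feed)
    hits = []
    for line in logs:
        matched = set()
        for ip in IP_RE.findall(line):
            if ip in ips:
                matched.add(ip)
        for host in HOST_RE.findall(line):
            if host_matches(host, domains):
                matched.add(host.lower())
        if matched:
            hits.append((line, sorted(matched)))
    return hits


if __name__ == "__main__":
    for line, indicators in sweep_logs(SAMPLE_LOGS):
        print(f"HIT {indicators}: {line}")
```

Run as a script it prints the three log lines that touch the feed; the `notc2-example.invalid` lookup is deliberately left unmatched to show why domain matching must respect label boundaries. Real feeds should be consumed through a proper threat-intelligence platform, but the refang-then-match step is the same.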