Full Report
Law enforcement authorities in seven African countries have arrested 306 suspects and confiscated 1,842 devices as part of an international operation codenamed Red Card that took place between November 2024 and February 2025. The coordinated effort "aims to disrupt and dismantle cross-border criminal networks which cause significant harm to individuals and businesses," INTERPOL said, adding it
Analysis Summary
# Incident Report: International Operation Red Card - Takedown of Cybercrime Networks
## Executive Summary
Operation Red Card was a multi-national law enforcement effort spanning November 2024 to February 2025 across seven African nations, resulting in 306 arrests and the seizure of 1,842 devices, aimed at dismantling cross-border cybercriminal networks. The primary targets were mobile banking, investment, and messaging app scams affecting more than 5,000 victims; part of the stolen funds was recovered in at least one case (Rwanda). The operation highlights the necessity of global cooperation to combat organized, borderless cybercrime.
## Incident Details
- **Discovery Date:** Operation conducted between November 2024 and February 2025 (enforcement phase).
- **Incident Date:** Ongoing criminal activity targeted by the operation; start dates for the individual fraud schemes vary, and the Rwandan losses cited below are for 2024.
- **Affected Organization:** Individual victims and businesses targeted by mobile banking, investment, and messaging app scams across multiple countries.
- **Sector:** Financial Services, Mobile Technology, Telecommunications, General Consumers.
- **Geography:** Benin, Côte d'Ivoire, Nigeria, Rwanda, South Africa, Togo, and Zambia (Primary engagement countries).
## Timeline of Events
### Initial Access
- **Date/Time:** Varied, with some activities spanning 2024.
- **Vector:** SMS Phishing links, social engineering (impersonating telecom employees or injured family members).
- **Details:** In South Africa, SIM cards were used for large-scale SMS phishing. In Zambia, malware was installed via SMS phishing links to gain unauthorized access to banking apps.
### Lateral Movement
- **Vector:** Malware installed on targeted phones.
- **Details:** In Zambia, once the malware controlled a victim's messaging applications it sent the same fraudulent link to the victim's contacts, so each compromised phone became a new distribution point. This is spread from victim to victim rather than lateral movement inside a single network.
### Data Exfiltration/Impact
- **Impact:** Financial loss through unauthorized transfers from mobile banking apps, theft via social engineering scams, and potential exposure of sensitive personal information. Rwanda reported that victims were defrauded of over $305,000 in 2024.
### Detection & Response
- **Detection:** Coordinated intelligence sharing between INTERPOL, participating national law enforcement agencies, and cybersecurity vendors (e.g., Kaspersky sharing analysis on malicious Android applications).
- **Response Actions:** Coordinated raids and arrests across seven countries throughout Nov 2024 - Feb 2025, resulting in 306 arrests and seizure of 1,842 devices.
## Attack Methodology
- **Initial Access:** Vector varied, including SMS phishing linking to malware installation (Zambia) and social engineering lures via phone calls (Rwanda).
- **Persistence:** Malware installed via the phishing links stayed resident on the handset, giving the operators continued access to banking applications; the report does not describe the persistence mechanism.
- **Privilege Escalation:** Not escalation in the operating-system sense. The malware ran with whatever permissions the victim granted at install time; the practical escalation was from a foothold on the handset to control of the victim's banking and messaging accounts.
- **Defense Evasion:** Delivery over SMS and messaging channels that victims already trust, which sidesteps e-mail filtering and relies on the victim installing the payload rather than on a software vulnerability.
- **Credential Access:** Mobile banking credentials obtained either through the malware's own capabilities or directly from the victim through social engineering; the report does not specify the capture method.
- **Discovery:** No automated reconnaissance is described. The lures used (telecom-employee impersonation, fake jackpot notifications, injured relatives) show the operators had profiled locally effective pretexts.
- **Lateral Movement:** Propagation of malicious links through compromised messaging apps.
- **Collection:** Sensitive personal and account information extracted from victims through social engineering (e.g., callers impersonating telecom employees).
- **Exfiltration:** The objective was direct financial theft via unauthorized transfers from compromised mobile banking apps rather than bulk data exfiltration.
- **Impact:** Direct financial loss to victims; the law enforcement response disrupted organized scam centers, notably in Nigeria.
## Impact Assessment
- **Financial:** Over 5,000 victims targeted. In Rwanda alone, over $305,000 was defrauded; $103,043 has been recovered.
- **Data Breach:** Sensitive personal information extracted during social engineering scams; mobile banking accounts on compromised handsets accessed without authorization.
- **Operational:** Disruption of organized scam centers in countries like Nigeria.
- **Reputational:** Negative impact on trust in mobile banking and telecommunications services.
## Indicators of Compromise
*Note: specific IoCs were part of the law enforcement action and have not been published; only the types of indicators involved are described here:*
- **Network indicators:** Malicious destinations hosting malware or command/control infrastructure associated with Android banking malware (analysis provided by Kaspersky).
- **File indicators:** Malicious Android applications designed to intercept banking data.
- **Behavioral indicators:** Unauthorized access or transactions initiated from mobile banking apps following suspicious SMS link interaction; dissemination of scam messages from previously compromised accounts.
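As an added illustration of the two behavioral indicators above (this is not code from the page, INTERPOL, or Kaspersky), the following Python sketches two detectors: one that a messaging platform could run to catch a hijacked account spraying a single phishing link to its contacts, and one that a bank could run to catch a transfer to a never-seen payee from a device that only just appeared on the account. The log records, phone numbers, thresholds, and the `Message`/`BankEvent` schemas are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

URL_RE = re.compile(r"https?://\S+")


@dataclass
class Message:
    """One outbound message as a messaging platform might log it (constructed schema)."""
    ts: datetime
    sender: str
    recipient: str
    text: str


@dataclass
class BankEvent:
    """One mobile banking event, a login or a transfer (constructed schema)."""
    ts: datetime
    account: str
    kind: str           # "login" or "transfer"
    device_id: str
    beneficiary: str = ""
    amount: float = 0.0


def detect_link_spray(messages, window=timedelta(minutes=10), min_recipients=5):
    """Flag senders that push the same URL to many distinct recipients inside `window`.

    Models the propagation step: a hijacked messaging account forwarding one
    phishing link to the victim's contacts. Returns {sender: {url: peak_recipients}}.
    The window and threshold are assumptions, not figures from the report.
    """
    hits = defaultdict(list)  # (sender, url) -> [(ts, recipient)] in time order
    for m in sorted(messages, key=lambda m: m.ts):
        for url in URL_RE.findall(m.text):
            hits[(m.sender, url)].append((m.ts, m.recipient))
    flagged = {}
    for (sender, url), rows in hits.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({r for _, r in rows[start:end + 1]})
            if distinct >= min_recipients:
                peak = flagged.setdefault(sender, {}).get(url, 0)
                flagged[sender][url] = max(peak, distinct)
    return flagged


def detect_new_device_transfer(events, known_devices, known_beneficiaries,
                               window=timedelta(hours=2)):
    """Flag a transfer to a never-seen beneficiary from a device that first logged
    in to the account less than `window` ago.

    Models the theft step: a device the bank has never seen on this account
    suddenly moving money to a new payee. Returns (account, device, payee, amount).
    """
    first_login = {}  # (account, device) -> first login time, unknown devices only
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.account, e.device_id)
        if e.kind == "login":
            if e.device_id not in known_devices.get(e.account, set()):
                first_login.setdefault(key, e.ts)
        elif e.kind == "transfer":
            seen = first_login.get(key)
            if (seen is not None and e.ts - seen <= window
                    and e.beneficiary not in known_beneficiaries.get(e.account, set())):
                alerts.append((e.account, e.device_id, e.beneficiary, e.amount))
    return alerts


def run_demo():
    """Run both detectors over constructed logs and return their findings."""
    t0 = datetime(2024, 12, 1, 9, 0)
    lure = "You have won a bonus, claim here: http://claim.example/win"
    # Hijacked account: same lure to six contacts within three minutes.
    messages = [Message(t0 + timedelta(seconds=30 * i), "+260970000001",
                        f"+26097000{100 + i}", lure) for i in range(6)]
    # A legitimate user sharing a link with two friends must not be flagged.
    messages += [Message(t0, "+260970000002", "+260970000003",
                         "see http://news.example/story"),
                 Message(t0 + timedelta(minutes=1), "+260970000002",
                         "+260970000004", "see http://news.example/story")]
    bank_events = [
        BankEvent(t0, "ACC-1", "login", "dev-A"),                                      # known device
        BankEvent(t0 + timedelta(minutes=5), "ACC-1", "transfer", "dev-A", "ben-known", 40.0),
        BankEvent(t0 + timedelta(hours=1), "ACC-1", "login", "dev-Z"),                 # new device
        BankEvent(t0 + timedelta(hours=1, minutes=20), "ACC-1", "transfer", "dev-Z", "ben-mule", 250.0),
        BankEvent(t0 + timedelta(hours=5), "ACC-1", "transfer", "dev-Z", "ben-other", 10.0),  # outside window
    ]
    known_devices = {"ACC-1": {"dev-A"}}
    known_beneficiaries = {"ACC-1": {"ben-known"}}
    return (detect_link_spray(messages),
            detect_new_device_transfer(bank_events, known_devices, known_beneficiaries))


if __name__ == "__main__":
    spray, transfers = run_demo()
    print("link spray:", spray)
    print("suspicious transfers:", transfers)
```

Both heuristics are deliberately simple: the messaging rule keys on one URL reaching many distinct recipients in a short burst, and the banking rule requires both a new device and a new payee inside a short window, which keeps a legitimate phone upgrade followed by a payment to a known contact from alerting. Real deployments would tune the window and threshold per channel and add device attestation signals the report does not describe.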
## Response Actions
- **Containment:** Coordinated law enforcement operations across seven countries to shut down physical scam centers and infrastructure. Seizure of 1,842 devices, including over 1,000 SIM cards in South Africa.
- **Eradication:** Arrest of 306 suspects involved in the organized criminal networks. Focus on dismantling the operational hubs.
- **Recovery:** Recovery of $103,043 of defrauded funds linked to the Rwandan case.
## Lessons Learned
- Cross-border, multi-agency cooperation (INTERPOL with national police forces) was effective in dismantling organized cyber syndicates that deliberately operate across jurisdictions to avoid any single country's enforcement.
- Mobile-centric attacks (banking malware via SMS/phishing) remain a highly successful and damaging vector in the region.
- The link between cybercrime and wider criminal issues, such as human trafficking, where victims are forced into serving in scam centers.
## Recommendations
- Enhance public awareness campaigns specifically targeting SMS phishing related to mobile banking login and unsolicited "jackpot" notifications.
- Implement stronger authentication requirements for mobile banking applications, particularly those vulnerable to overlay or remote access malware.
- Increase intelligence sharing mechanisms between cybersecurity vendors and regional law enforcement to preemptively analyze and block malicious Android infrastructure discovered by vendors like Kaspersky.