Full Report
A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa. The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and
Analysis Summary
# Incident Report: Operation Sentinel - Global Cybercrime Disruption
## Executive Summary
Operation Sentinel, a month-long coordinated law enforcement effort led by INTERPOL across 19 countries, disrupted significant cybercrime networks primarily engaged in Business Email Compromise (BEC), digital extortion, and ransomware. The operation, running from October 27 to November 27, 2025, resulted in 574 arrests, the recovery of $3 million, the takedown of over 6,000 malicious links, and the decryption of six ransomware variants. Across all investigated incidents, estimated losses exceeded $21 million.
## Incident Details
- **Discovery Date:** Not explicitly stated (Operation period conclusion: November 27, 2025)
- **Incident Date:** October 27 – November 27, 2025 (Operation Period)
- **Affected Organization:** Multiple entities targeted; a financial institution in Ghana is the only victim specifically mentioned.
- **Sector:** Financial, various sectors targeted by BEC and ransomware.
- **Geography:** Africa (19 participating nations, among them Benin, Nigeria, South Africa, and Ghana)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing criminal activity before and during the operation, through November 27, 2025
- **Vector:** Business Email Compromise (BEC), digital extortion tactics, and deployment of ransomware.
- **Details:** In one specific case, a cyber fraud network used well-designed websites and mobile apps impersonating fast-food brands to collect payments for fake orders.
### Lateral Movement
- **Details:** Not described in the source; movement within victim networks to deploy ransomware and exfiltrate data is implied, particularly in the Ghanaian financial institution case, where 100 TB of data was encrypted.
### Data Exfiltration/Impact
- **Details:** Estimated total losses for investigated incidents exceeded $21 million. $120,000 was stolen from a Ghanaian financial institution after 100 TB of data was encrypted by ransomware. Extortion schemes also operated through social media accounts.
### Detection & Response
- **Date/Time:** October 27 – November 27, 2025 (Operation Sentinel period)
- **Details:** Coordinated international law enforcement action involving authorities from 19 countries, under the INTERPOL AFJOC program.
## Attack Methodology
- **Initial Access:** BEC and phishing (implied by the extortion focus), possibly followed by credential theft leading to ransomware deployment. Fraudulent websites and mobile apps were used for payment fraud.
- **Persistence:** Not explicitly detailed; the extortion schemes relied on ongoing criminal networks rather than any documented technical persistence.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed; this summary assumes the intrusions succeeded through social engineering or exploitation of known vulnerabilities before the coordinated takedown.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Suspects associated with the Nefilim affiliate case researched target company net worth and contact information using online databases.
- **Lateral Movement:** Implied in ransomware attack on the financial institution.
- **Collection:** Data encryption (100 TB) on the financial institution network. Collection of payments via fraudulent payment apps/sites.
- **Exfiltration:** Not explicitly detailed; the data encryption suggests, but does not confirm, exfiltration prior to impact.
- **Impact:** Financial loss ($21M total estimated), data encryption (100 TB in one case), and fraud losses ($400,000 from fast-food scam).
## Impact Assessment
- **Financial:** Estimated losses exceeding $21 million across all investigated incidents. $3 million recovered during the operation. $120,000 taken from the targeted Ghanaian bank. $400,000 defrauded via fast-food scam network.
- **Data Breach:** High impact: 100 terabytes of data encrypted in one targeted ransomware attack.
- **Operational:** Significant disruption to the targeted financial institution due to 100 TB of data being encrypted.
- **Reputational:** N/A (no organization-specific reputational damage was disclosed, but the operation signals severe risk to sectors exposed to cybercrime in the region).
## Indicators of Compromise
*Note: Indicators for specific threats were not provided in the article summary, but generic takedown statistics are listed.*
- **Network indicators:** Over 6,000 malicious links taken down; 43 malicious domains dismantled (Benin action).
- **File indicators:** Six distinct ransomware variants were decrypted (specific file hashes/names not provided).
- **Behavioral indicators:** Impersonation of popular fast-food brands via websites/apps to solicit payments; extortion schemes utilizing numerous social media accounts (4,318 taken down).
## Response Actions
- **Containment measures:** 30 fraudulent servers taken offline.
- **Eradication steps:** 43 malicious domains dismantled; 4,318 social media accounts suspended or removed. Decryption tools and expertise were deployed, resulting in the decryption of six ransomware variants.
- **Recovery actions:** $3 million recovered by law enforcement.
## Lessons Learned
- **Key takeaways:** Cybercrime operations across Africa are accelerating in scale and sophistication, particularly targeting critical sectors (finance, energy). Multi-national coordination (19 countries) is effective in disrupting large-scale decentralized criminal networks.
- **What could have been done better:** The source implies that BEC and extortion schemes continue to succeed, suggesting these remain persistent and evolving threats despite the operation.
## Recommendations
- Enhance multi-national intelligence sharing via channels like AFJOC to disrupt ransomware and BEC campaigns before they reach deployment.
- Increase investment in network segmentation and immutable backups to ensure rapid recovery from large-scale encryption events like the 100 TB incident.
- Implement rigorous verification processes for digital payment channels to counteract social engineering tactics utilizing domain or mobile application impersonation.