Full Report
Operation Serengeti 2.0 dismantled almost 11,500 malicious infrastructures between June and August. Officials arrested more than 1,200 alleged cybercriminals. The post Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses appeared first on CyberScoop.
Analysis Summary
# Incident Report: Global Cybercrime Network Disruption (Operation Serengeti 2.0)
## Executive Summary
Operation Serengeti 2.0, an Interpol-led, internationally coordinated law enforcement action, dismantled extensive cybercrime infrastructure operating across Africa between June and August 2025. The operation resulted in 1,209 arrests and the disruption of 11,432 malicious infrastructures tied to ransomware, online scams, and Business Email Compromise (BEC) activity responsible for an estimated $485 million in financial losses. The outcome underlines international cooperation as a key strategy for combating transnational cyber threats.
## Incident Details
- **Discovery Date:** Not specified (Continuous investigation leading to the operation period of June - August 2025)
- **Incident Date:** Operation conducted between June and August 2025
- **Affected Organization:** No single organization; 87,858 identified victims of the syndicates targeted by the operation across Africa.
- **Sector:** Varied (Including victims of online investment fraud, ransomware targeting education/healthcare/public sector, and inheritance scams).
- **Geography:** Primarily Africa (including Angola, Ghana, Zambia, Seychelles, Côte d’Ivoire), with 18 African countries participating alongside the UK and nine security organizations.
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-operation timeframe (Attributed crimes occurred over a period leading up to and during June-August 2025).
- **Vector:** Varied, including initial access methods related to ransomware targeting specific sectors, online investment fraud schemes, and inheritance scams.
- **Details:** The source does not break out specific initial access vectors; it reports only the categories of crime targeted.
### Lateral Movement
- **Details:** Not explicitly detailed in the context of the takedown, but implied within the scope of ransomware operations (e.g., Bl00dy ransomware group activity).
### Data Exfiltration/Impact
- **Details:** Financial losses totaled nearly **$485 million**. At least 65,000 victims lost an estimated **$300 million** in an online investment fraud scheme in Zambia. A transnational inheritance scam in Côte d’Ivoire caused approximately **$1.6 million** in losses. Ransomware campaigns (like Bl00dy) targeted education, healthcare, and public sector victims.
### Detection & Response
- **How it was discovered:** Through intelligence sharing and coordination between Interpol, 18 African countries, the UK, and nine security organizations (e.g., TRM Labs, Fortinet, Kaspersky).
- **Response actions taken:** Operation Serengeti 2.0 was conducted between June and August 2025, leading to arrests and infrastructure takedowns.
## Attack Methodology
- **Initial Access:** Varied, inferred activity associated with online investment fraud, BEC, and ransomware deployment (e.g., Bl00dy group operations).
- **Persistence:** Not explicitly detailed.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Not explicitly detailed, though relevant for ransomware operations.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Inferred reconnaissance conducted by criminal groups against potential victims.
- **Lateral Movement:** Implied through the operation of ransomware affiliates (Conti spin-off Bl00dy).
- **Collection:** Financial data related to scams, and potentially sensitive data from ransomware targets.
- **Exfiltration:** Not detailed for the ransomware cases. For the fraud schemes, the equivalent loss event is the outbound transfer of victim funds, of which $97.4 million was recovered during the operation.
- **Impact:** Large-scale financial loss across multiple fraud types and operational disruption via ransomware.
## Impact Assessment
- **Financial:** Estimated total losses of **$485 million**. $97.4 million recovered. $300 million lost by victims of one Zambian fraud scheme alone.
- **Data Breach:** Implied for ransomware victims (education, healthcare, public sector) and for scam victims whose financial details were collected; the source gives no breach specifics.
- **Operational:** Significant disruption to criminal networks; physical infrastructure, including crypto mining centers and associated IT equipment in Angola, was seized.
- **Reputational:** The operation boosted international confidence in coordinated cybercrime fighting capabilities across Africa.
## Indicators of Compromise
- **Network indicators:** Infrastructure associated with the Bl00dy ransomware group and RansomHub operations was identified and dismantled; no specific IPs or domains are published in the source.
- **File indicators:** None published. The source refers only generically to ransomware payloads and malware used by the identified syndicates.
- **Behavioral indicators:** Large-scale execution of transnational inheritance scams and high-value investment fraud schemes across multiple jurisdictions.
## Response Actions
- **Containment measures:** Dismantling of **11,432** pieces of malicious infrastructure across various types of criminal operations.
- **Eradication steps:** Arrest of **1,209** alleged cybercriminals. Seizure of IT and mining equipment valued at over $37 million in Angola.
- **Recovery actions:** Recovery of **$97.4 million** potentially belonging to victims across the various schemes.
## Lessons Learned
- International, coordinated law enforcement operations (Interpol-led) are highly effective in dismantling transnational cybercrime networks operating across multiple African nations.
- Cooperation and information sharing across member countries significantly increase the scale and impact of operational results.
- Focused efforts can successfully target specific, evolving threats, such as the investigation of Conti spin-offs like the Bl00dy ransomware group.
## Recommendations
- Maintain and deepen the existing cooperation framework established during Operation Serengeti 2.0 to ensure ongoing information sharing regarding emerging threats.
- Increase investment in digital forensics and cyber skills within participating African law enforcement agencies to better investigate complex threats like ransomware and crypto-based fraud.
- Prioritize intelligence sharing with private sector partners (e.g., TRM Labs, Fortinet) to identify and map out financial laundering infrastructure used by criminal syndicates.