INTERPOL-coordinated operation leads to 1,209 arrests
interpol.int - LYON, France 22.08.2025 – In a sweeping INTERPOL-coordinated operation, authorities across Africa have arrested 1,209 cybercriminals targeting nearly 88,000 victims.
The crackdown recovered USD 97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation.
Operation Serengeti 2.0 (June to August 2025) brought together investigators from 18 African countries and the United Kingdom to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC). These were all identified as prominent threats in the recent INTERPOL Africa Cyberthreat Assessment Report.
The operation was strengthened by private sector collaboration, with partners providing intelligence, guidance and training to help investigators act on intelligence and identify offenders effectively.
This intelligence was shared with participating countries ahead of the operation, providing critical information on specific threats as well as suspicious IP addresses, domains and C2 servers.
Operational highlights: From crypto mining to inheritance scams
Authorities in Angola dismantled 25 cryptocurrency mining centres, where 60 Chinese nationals were illegally validating blockchain transactions to generate cryptocurrency. The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than USD 37 million, now earmarked by the government to support power distribution in vulnerable areas.
Zambian authorities dismantled a large-scale online investment fraud scheme, identifying 65,000 victims who lost an estimated USD 300 million. The scammers lured victims into investing in cryptocurrency through extensive advertising campaigns promising high-yield returns. Victims were then instructed to download multiple apps to participate. Authorities arrested 15 individuals and seized key evidence including domains, mobile numbers and bank accounts. Investigations are ongoing with efforts focused on tracking down overseas collaborators.
Also in Zambia, authorities identified a scam centre and, in joint operations with the Immigration Department in Lusaka, disrupted a suspected human trafficking network. They confiscated 372 forged passports from seven countries.
Despite being one of the oldest-running internet frauds, inheritance scams continue to generate significant funds for criminal organizations. Officers in Côte d'Ivoire dismantled a transnational inheritance scam originating in Germany, arresting the primary suspect and seizing assets including electronics, jewellery, cash, vehicles and documents. With victims tricked into paying fees to claim fake inheritances, the scam caused an estimated USD 1.6 million in losses.
Valdecy Urquiza, Secretary General of INTERPOL, said:
"Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries. With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims."
Prior to the operation, investigators participated in a series of hands-on workshops covering open-source intelligence tools and techniques, cryptocurrency investigations and ransomware analysis. This focused training strengthened their skills and expertise, directly contributing to the effectiveness of the investigations and operational successes.
The operation also focused on prevention through a partnership with the International Cyber Offender Prevention Network (InterCOP), a consortium of law enforcement agencies from 36 countries dedicated to identifying and mitigating potential cybercriminal activity before it occurs. The InterCOP project is led by the Netherlands and aims to promote a proactive approach to tackling cybercrime.
Operation Serengeti 2.0 was held under the umbrella of the African Joint Operation against Cybercrime, funded by the United Kingdom’s Foreign, Commonwealth and Development Office.
Operational partners:
Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs and Uppsala Security.
Participating countries:
Angola, Benin, Cameroon, Chad, Côte D’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, United Kingdom, Zambia and Zimbabwe.
Discover how the FIN6 cybercrime group, also known as Skeleton Spider, leverages trusted cloud services like AWS to deliver stealthy malware through fake job applications and resume-themed phishing campaigns. Learn about their tactics, infrastructure, and how to defend against these evolving threats.
Skeleton Spider, also known as FIN6, is a long-running financially motivated cybercrime group that has continually evolved its tactics to maximize impact and profit. While the group initially gained notoriety for point-of-sale (POS) breaches and large-scale payment card theft, it has since shifted to broader enterprise threats, including ransomware operations.
In recent years, FIN6 has sharpened its focus on social engineering campaigns that exploit professional trust. By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware. One of their preferred payloads is more_eggs, a stealthy JavaScript-based backdoor that facilitates credential theft, system access, and follow-on attacks, including ransomware deployment.
This research combines technical insights and practical analysis for both general audiences and cybersecurity professionals. We examine how FIN6 uses trusted cloud services, such as AWS, to host malicious infrastructure, evade detection, and ultimately deploy malware through socially engineered lures.
Des escrocs inondent Facebook de promotions sur des sacs à dos Decathlon notamment. Voici leur technique et leurs objectifs.
Les faux concours sur Facebook nous divertissent depuis plus de dix ans, et l’arnaque reste efficace: depuis quelques mois, les posts rémunérés se multiplient, promettant notamment un sac à dos Decathlon à deux francs.
Ainsi, une certaine Nadine Keller ou encore une Sophie Delacroix – bref, une jeune femme sympathique avec un petit chien trop mignon – nous raconte que sa mère a été licenciée de manière totalement injustifiée par son employeur (pour Sophie Delacroix, c'est son mec), mais passons. L'employeur? Decathlon.
Elle révèle donc quelque chose que seuls les employés du fabricant sons censés savoir: en remplissant un petit sondage en ligne, on recevra un sac à dos The North Face. Pour se venger de Decathlon, elle partage le lien vers l'enquête afin d'en faire profiter le plus de personnes possible.
Des publications de ce genre sont envoyées en masse par de faux profils créés tous les jours. Et ce, avec à chaque fois un libellé légèrement modifié et de nouvelles «photos de preuve» de sacs à dos soi-disant achetés pour deux francs. L'arnaque dure depuis des mois notamment en France et en Belgique, aujourd'hui, elle est chez nous.
Des dizaines de comptes proposent des arnaques avec Decathlon. En français, on trouve pas mal d'offres en euro.
Image: facebook/watson
Les criminels ont par ailleurs un bon argument pour justifier un prix si bas: avec les droits de douane de Trump sur les produits de l'UE, les stocks sont pleins. Il faut donc désormais brader les marchandises.
La Digital Crimes Unit (DCU) de Microsoft, en collaboration avec des partenaires internationaux, s’attaque à l’un des principaux outils utilisés pour dérober massivement des données sensibles, qu’elles soient personnelles ou professionnelles, à des fines cybercriminelles. Le mardi 13 mai, la DCU de Microsoft a engagé une action en justice contre Lumma Stealer (« Lumma »), un malware spécialisé dans le vol d’informations, largement utilisé par des centaines d’acteurs de la menace cyber. Lumma vole des mots de passe, des cartes de crédit, des comptes bancaires et des portefeuilles de cryptomonnaies. Cet outil a permis à des criminels de bloquer des établissements scolaires afin de récupérer une rançon, de vider des comptes bancaires et de perturber des services essentiels.
Grâce à une décision de justice rendue par le tribunal fédéral du district nord de la Géorgie, la Digital Crimes Unit (DCU) de Microsoft a procédé à la saisie et à la mise hors ligne d’environ 2 300 domaines malveillants, qui constituaient l’infrastructure centrale de Lumma. Parallèlement, le département de la Justice américain (DOJ) a démantelé la structure de commande principale du malware et perturbé les places de marché où l’outil était vendu à d’autres cybercriminels. Europol, via son Centre européen de lutte contre la cybercriminalité (EC3), ainsi que le Centre de lutte contre la cybercriminalité du Japon (JC3), ont contribué à la suspension de l’infrastructure locale de Lumma.
We dive into one of the most sophisticated and impactful ecosystems within the global cybercrime landscape. Our research looks at tools and techniques, specialized forums, popular services, plus a deeply ingrained culture of secrecy and collaboration.
EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research.
Google Threat Intelligence Group discusses the current state of cybercrime, and why it must be considered a national security threat.
A key Russian cybercrime syndicate responsible for aiding merciless ransomware attacks around the world has been targeted by new UK sanctions.
La caisse de compensation de Swissmem a subi un piratage, avec vol de 10 % des données. L'origine des attaquants semble provenir de Russie.
In 2024, authorities took aim at ransomware gangs, malware developers, cybercriminal infrastructure and cryptocurrency thieves. Here's a look at the…
Telegram reveals that the communications platform has fulfilled 900 U.S. government requests, sharing the phone number or IP address information of 2,253 users with law enforcement.
U.K. investigators tell the story of how examining a cybercrime group's extortion funds helped to unravel a money-laundering network reaching from the illegal drug trade to Moscow's elite.
Cloudflare's 'pages.dev' and 'workers.dev' domains, used for deploying web pages and facilitating serverless computing, are being increasingly abused by cybercriminals for phishing and other malicious activities.
Italian probe reveals “gigantic and alarming market of confidential data,” prosecutors say.
Ukrainian national Mark Sokolovsky has pleaded guilty to his involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation.
The United States today unveiled sanctions and indictments against the alleged proprietor of Joker's Stash, a now-defunct cybercrime store that peddled tens of millions of payment cards stolen in some of the largest data breaches of the past decade. The…
Three men have pleaded guilty to running OTP.Agency, an online platform that provided social engineering help to obtain one-time passcodes from customers of various banks and services in the U.K.
The investigation into Telegram boss Pavel Durov that has fired a warning shot to global tech titans was started by a small cybercrime unit within the Paris prosecutor's office, led by 38-year-old Johanna Brousse.
The arrest of Durov, 39, last Saturday marks a significant shift in how some global authorities may seek to deal with tech chiefs reluctant to police illegal content on their platforms.
The arrest signalled the mettle of the J3 cybercrime unit, but the true test of its ambitions will be whether Brousse can secure a conviction based on a largely untested legal argument, lawyers said.
The deployment of ransomware remains the greatest serious and organised cybercrime threat, the largest cybersecurity threat, and also poses a risk to the UK’s national security. Ransomware attacks can have a significant impact on victims due to financial, data, and service losses, which can lead to business closure, inaccessible public services, and compromised customer data. Threat actors are typically based in overseas jurisdictions where limited cooperation makes it challenging for UK law enforcement to disrupt their activities.
The National Crime Agency has infiltrated a significant DDoS-for-hire service which has been responsible for tens of thousands of attacks every week across the globe.
The disruption targeting digitalstress.su, a criminal marketplace offering DDos capabilities, was made in partnership with the Police Service of Northern Ireland.
It comes after the PSNI arrested one of the site’s suspected controllers earlier this month.
