Interpol’s “Operation Serengeti 2.0” Nets 1,209 Arrests and $97.4M Recovered in a Pan‑African Cybercrime Crackdown
What does it take to cripple a 1,000‑person cybercrime network? In this case, it took a continent-wide sting, months of planning, and unprecedented cooperation between 19 countries, top cybersecurity firms, and nonprofit threat intel groups.
From June to August 2025, Interpol coordinated “Operation Serengeti 2.0,” a large-scale effort targeting cybercriminals operating across Africa. The results are striking: 1,209 arrests, the dismantling of thousands of malicious infrastructure assets, and the recovery of $97.4 million stolen from more than 88,000 victims. The network is believed to have caused nearly half a billion dollars in losses.
Here’s what happened, why it matters, and what you can do to protect yourself and your organization next.
Inside Operation Serengeti 2.0: A Three‑Month, Multi‑Country Cybercrime Takedown
Interpol’s second “Serengeti” operation builds on a prior crackdown in November 2024. This time, the scope expanded. Law enforcement agencies from the UK and 18 African countries partnered with private companies and nonprofit organizations to identify suspects, seize infrastructure, and recover funds.
Key outcomes at a glance:
- 1,209 arrests across participating countries
- 11,432 malicious infrastructure assets dismantled in Angola alone
- $97,418,228 recovered from criminal operations
- 87,858 known victims targeted
- $484,965,199 in estimated total losses caused by the network
The operation focused on ransomware crews, online investment scams, and business email compromise (BEC) schemes—three of the most damaging cyber threats affecting individuals and businesses worldwide.
For context, BEC alone cost U.S. victims more than any other cyber threat in recent years, according to FBI IC3 alerts. If your company has ever faced a fraudulent invoice or bank change request, you’ve been in the crosshairs of the same ecosystem this operation targeted. See the FBI’s latest guidance on BEC risks and defenses here: FBI IC3 BEC PSA.
Valdecy Urquiza, Interpol’s secretary general, emphasized how these coordinated actions keep producing bigger results by deepening cross-border cooperation and intelligence sharing. You can explore Interpol’s broader cybercrime mission here: INTERPOL Cybercrime and recent operations in the INTERPOL Newsroom.
Why This Operation Matters
Let’s make this tangible.
- It weakens entire criminal ecosystems, not just single actors. Arresting 1,209 suspects and tearing down thousands of malicious assets breaks the supply chains that fuel scams, ransomware, and fraud.
- It proves the power of public–private partnerships. Companies like Fortinet, Group‑IB, Kaspersky, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security, alongside nonprofits like Cybercrime Atlas and The Shadowserver Foundation, didn’t just observe—they delivered actionable intelligence. That means faster identifications, cleaner leads, and more precise takedowns.
- It shifts the cybercrime fight from reactive to proactive. Prevention-focused collaboration through InterCOP (the International Cyber Offender Prevention Network) aims to detect and neutralize threats earlier in the kill chain, before victims get hit.
Here’s why that matters to you: when law enforcement cuts off the infrastructure and money flows that scammers rely on, it lowers your day-to-day risk. Fewer phishing domains. Fewer fake apps. Fewer mule accounts to move stolen money. It doesn’t end cybercrime—but it sets attackers back and buys you time.
The Power of Public–Private Intelligence
Operation Serengeti 2.0 wasn’t just police work. It was an intelligence-driven campaign.
- Group‑IB, an Interpol Gateway Partner, reported that its intelligence helped investigators arrest 1,006 suspects and identify more than 134,000 malicious infrastructures and networks used for investment scams, government impersonation fraud, phishing, romance “pig butchering,” and online casino scams. Learn more about their work: Group‑IB.
- Fortinet, Kaspersky, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security are known for deep telemetry and tooling across threat research, internet-scale visibility, and crypto-tracing. Explore their research hubs:
- Fortinet FortiGuard Labs
- Kaspersky Securelist
- Team Cymru
- Trend Micro Research
- TRM Labs
- Uppsala Security
- The Cybercrime Atlas initiative, supported by the World Economic Forum, helps map criminal networks and infrastructure so defenders can act in concert: Cybercrime Atlas.
- The Shadowserver Foundation’s community reporting and sinkhole capabilities get malicious infrastructure off the internet at scale: The Shadowserver Foundation.
When this many players share data, the puzzle pieces come together. Think of it like mapping a city at night: a single flashlight helps, but a network of floodlights shows where the roads, safe houses, and escape routes are. That’s how you dismantle an underground economy.
Raids and Results: Angola, Zambia, and Côte d’Ivoire
The headline numbers are compelling. The on‑the‑ground details tell the real story.
Angola: Illegal Crypto Mining and Power Theft
Angola’s raids uncovered a sprawling illegal crypto mining operation:
- 25 illicit mining centers dismantled
- 60 Chinese nationals arrested
- 45 illegal power stations seized
- Mining equipment worth more than $37 million confiscated
Authorities plan to repurpose confiscated power infrastructure to support underserved communities—an unusual and promising outcome. It turns seized criminal assets into public benefit.
Interpol reported that 11,432 malicious infrastructure assets were dismantled in Angola. This number includes command-and-control servers and other technical assets used by cybercriminals to run scams, malware, and fraud at scale.
Why it matters: Crypto mining operations often hide behind industrial power theft. They degrade local grids, strain utilities, and fund broader criminal operations. Shutting them down disrupts both the money and the muscle behind cybercrime.
Zambia: $300M Investment Fraud and a Scam Center Bust
Zambia’s investigations revealed:
- A $300 million online investment fraud targeting 65,000 victims via fake crypto ads and fraudulent apps
- At least 15 suspects arrested
- Seizures of domains, mobile numbers, and bank accounts linked to the scheme
Separately, authorities raided a scam center in Lusaka with immigration officials, seizing 372 forged passports from seven countries. That action disrupted a suspected human trafficking operation—a reminder that cyber and physical crimes often intersect.
Why it matters: Investment scams are increasingly professional operations. Slick ads. Polished apps. Fake customer support. Criminals don’t just steal money—they build branded experiences that feel “safe.” If you’ve ever seen a too-good-to-be-true crypto return, this is the industrial engine behind it.
Côte d’Ivoire: Cross‑Border Inheritance Scam Taken Down
Authorities took down a cross-border inheritance scam originating in Germany:
- Victims were tricked into paying fees to claim non‑existent inheritances
- $1.6 million in losses
- The primary suspect was arrested
- Seizures included cash, jewelry, electronics, and vehicles
Why it matters: Fee fraud schemes prey on hope and grief. They also exploit the complexity of international legal systems. The best defense is awareness—and a policy never to pay upfront fees to access supposed “windfalls.”
The Threats Targeted: Ransomware, Online Scams, and BEC
It’s worth pausing on the specific threats targeted. These are the scams most likely to hit your inbox, your CFO, or your parents’ phones.
- Ransomware: Criminals encrypt your files and demand payment. Today’s crews often steal data first, then threaten to leak it. For practical guidance and free resources, start with CISA’s Stop Ransomware.
- Online investment scams: Fraudsters push fake crypto platforms, phishing apps, and social media “opportunities.” They lure with high returns, then lock in victims with staged dashboards and false “profit” screenshots.
- Business email compromise (BEC): Attackers impersonate executives, vendors, or payroll systems to redirect payments. They use lookalike domains and convincing language. The FBI’s BEC guidance is essential reading: FBI IC3 BEC PSA.
Let me explain how these connect. Criminals don’t work in silos. The same infrastructure used to host a fake crypto app may also relay phishing emails or manage botnets. Tearing down that infrastructure helps across multiple crime types.
InterCOP and the Shift to Prevention
Operation Serengeti 2.0 took place under the African Joint Operation against Cybercrime, backed by the UK’s Foreign, Commonwealth & Development Office (FCDO): UK FCDO.
Beyond arrests, the operation leaned into prevention via the International Cyber Offender Prevention Network (InterCOP), a 36‑nation alliance led by the Netherlands. InterCOP’s goal is to neutralize threats before a blast radius forms—by sharing patterns, flagging suspicious infrastructure, and warning potential victims in time.
Think of InterCOP as air traffic control for cyber risk. When one country sees a dangerous approach vector—a surge in phishing domains, a cluster of mule accounts, an actor group trying to cash out—others get the heads‑up. That’s how you get left of boom.
What This Means for Businesses and Everyday Users
The arrests are welcome. But criminals pivot fast. Here’s what to expect—and what to do.
What to expect next:
- Short-term disruption in scam volume, then regrouping under new brands and domains
- More targeted BEC attempts as criminals lean on quality over quantity
- Increased use of AI-generated content in phishing and investment scams
- Greater focus on mobile-first scams and fake apps
What this means for you:
- If you run finance or AP: Assume attackers will test your controls with “urgent” vendor bank changes or last-minute invoice edits. Stop, verify on a trusted phone number, and log the check.
- If you manage IT or security: Expect domain churn. Make domain monitoring, brand protection, and DMARC enforcement priorities. Enable MFA everywhere it’s available.
- If you’re a consumer: Be skeptical of any investment promising predictable, high returns. Don’t install apps from links in messages. Use official app stores and verify publishers.
How to Protect Your Organization Now
You don’t need a massive budget to blunt these threats. Start with the highest-impact moves.
1) Lock down email and payments
- Turn on MFA for email and finance tools.
- Enforce DMARC, SPF, and DKIM to reduce spoofing.
- Require out-of-band verification for payment or bank detail changes.
- Use a “known-good” contact directory for callbacks. Never rely on numbers in a new email.
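The "enforce DMARC" item above, as an added example that is not part of the original article: a published DMARC record only blocks spoofed mail once its policy is quarantine or reject for all mail and for subdomains. The domains and records in SAMPLES are constructed, and the function names are this example's own.

```python
# Added example: grade DMARC TXT records by how strongly they are enforced.
# SAMPLES is constructed data; real records live in DNS TXT at _dmarc.<domain>.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not valid DMARC."""
    pairs = []
    for part in txt.split(";"):
        if not part.strip():
            continue  # tolerate a trailing semicolon
        key, sep, value = part.partition("=")
        if not sep:
            return None  # tag without a value
        pairs.append((key.strip().lower(), value.strip()))
    # RFC 7489: the first tag must be v, with the exact value DMARC1
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    return dict(pairs)

def enforcement(txt):
    """Classify a record: missing, invalid, monitor-only, partial or enforced."""
    if not txt:
        return "missing"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if pct < 100 or subdomain_policy == "none":
        return "partial"  # some mail, or every subdomain, escapes the policy
    return "enforced"

SAMPLES = {  # constructed records for illustration
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=25",
    "shop.example": "v=DMARC1; p=reject; sp=none;",
    "old.example": None,                  # no record published
    "typo.example": "p=reject; v=DMARC1",  # v tag is not first
}

def audit(records):
    """Map each domain to its enforcement grade."""
    return {domain: enforcement(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, grade in audit(SAMPLES).items():
        print(f"{domain:15} {grade}")
```

Anything graded below "enforced" is a domain attackers can still spoof in a BEC attempt, so those are the ones to move toward p=reject first.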
2) Harden access and endpoints
- Enforce least privilege. Remove standing admin rights.
- Patch internet-facing systems first. Subscribe to vendor advisories.
- Deploy EDR/XDR across laptops and servers. Enable behavioral detections.
- Keep tested, offline backups. Practice restoring them.
3) Protect identities and data
- Monitor for impossible travel, risky logins, and token theft.
- Enable conditional access. Challenge logins from new geos or devices.
- Encrypt sensitive data at rest and in transit. Track exfiltration paths.
4) Monitor your brand and attack surface
- Watch for lookalike domains and “support” websites using your logo.
- Monitor app stores for fake versions of your products.
- Use a takedown service or coordinate with providers and nonprofits like The Shadowserver Foundation.
5) Train people to pause and verify
- Teach your team to spot emotional triggers: urgency, secrecy, authority.
- Run short simulations. Reward reporting. Don’t shame mistakes.
- Share real-world stories. People remember narratives more than policies.
6) Prepare for ransomware
- Segment critical systems. Disable RDP when not needed.
- Pre‑negotiate incident response and legal support.
- Review the free playbooks at CISA’s Stop Ransomware.
Pro tip: Assign an owner to each control. Progress happens when a person—not a committee—owns the outcome.
How the Money Moves—and Gets Recovered
One of the successes of Operation Serengeti 2.0 is the recovery of $97.4 million. Recoveries happen when investigators:
- Freeze funds in transit through flagged bank accounts
- Work with exchanges to block crypto wallets tied to scams
- Seize cash and assets during raids
That’s why financial intelligence partners matter. Firms like TRM Labs trace blockchain transactions, linking wallets, mixers, and cash‑out points used by scammers. When law enforcement moves fast, they can intercept funds before they disappear.
The Bigger Picture: Africa’s Cybercrime Landscape Is Changing
Africa’s digital economy is growing fast. That creates opportunity—and attack surface. The participating countries—Angola, Benin, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, Zambia, Zimbabwe, and the UK—demonstrated how regional alignment can scale impact.
Expect more:
- Joint task forces and intelligence exchanges
- Shared training, tooling, and rapid response playbooks
- Focused crackdowns on high-harm crime types like BEC and investment fraud
Criminals exploit gaps. Alignment closes them.
What Comes Next
Cybercrime won’t vanish after a single operation. But Interpol’s message is clear: cross-border coordination works. As more partners contribute telemetry and expertise, takedowns get faster and more disruptive.
If you’re a business leader or security practitioner, your next step is to ride this momentum. Tighten your controls while criminals are off-balance. If you’re an individual, simplify your playbook: slow down, verify, and never move money under pressure.
And if you’re a policymaker or nonprofit leader, take note: this is a model worth funding. The UK’s support through the FCDO and the contributions of private partners show what’s possible when incentives align.
Frequently Asked Questions
Q: What is Operation Serengeti 2.0? A: It’s an Interpol-coordinated cybercrime crackdown that ran from June to August 2025 across the UK and 18 African countries. It focused on ransomware crews, online scams, and BEC operations. See Interpol’s mission here: INTERPOL Cybercrime.
Q: How many arrests and how much money was recovered? A: Authorities arrested 1,209 suspects and recovered $97,418,228. The criminal network is believed to have caused nearly $485 million in total losses to around 87,858 victims.
Q: Which countries took part? A: Participating countries included Angola, Benin, Cameroon, Chad, Côte d’Ivoire, Democratic Republic of Congo, Gabon, Ghana, Kenya, Mauritius, Nigeria, Rwanda, Senegal, South Africa, Seychelles, Tanzania, Zambia, and Zimbabwe, alongside the UK.
Q: What types of crimes were targeted? A: Ransomware operations, online investment scams (including fake crypto platforms and apps), and business email compromise (BEC). For BEC prevention tips, see the FBI IC3 PSA.
Q: What happened in Angola, Zambia, and Côte d’Ivoire? A: Angola dismantled 25 illegal crypto mining centers and seized 45 illicit power stations. Zambia busted a $300M investment fraud and raided a separate scam center, seizing 372 forged passports. Côte d’Ivoire took down a cross-border inheritance scam causing $1.6M in losses.
Q: How were “malicious infrastructure assets” dismantled? A: Law enforcement and partners identified and took down technical assets used by criminals—think command-and-control servers, domains, and hosting nodes. Interpol reported 11,432 such assets dismantled in Angola.
Q: Who are the private and nonprofit partners, and what did they do? A: Partners included Fortinet, Group‑IB, Kaspersky, Team Cymru, Trend Micro, TRM Labs, Uppsala Security, Cybercrime Atlas, and The Shadowserver Foundation. They provided threat intelligence, training, and guidance, helping pinpoint offenders and infrastructure. Explore their work: Group‑IB, Fortinet FortiGuard Labs, Kaspersky Securelist, Team Cymru, Trend Micro Research, TRM Labs, Uppsala Security, Cybercrime Atlas, Shadowserver.
Q: What is InterCOP, and why is it important? A: The International Cyber Offender Prevention Network (InterCOP) is a 36‑nation alliance led by the Netherlands. It focuses on early warning and prevention—sharing intelligence to disrupt threats before they hit victims.
Q: Does this mean ransomware and scams are over? A: No. But it raises costs for criminals and disrupts their infrastructure. That helps defenders—and it’s a reminder to strengthen basics like MFA, payment verification, and backups. See CISA’s Stop Ransomware for practical playbooks.
Q: How can I report a scam or cybercrime? A: Report to your national cybercrime unit or police. If you’re in the U.S., report to the FBI IC3. If you’re elsewhere, start with your national CERT or police service and provide as much detail as possible.
The Takeaway
Operation Serengeti 2.0 is a blueprint for how to fight cybercrime at scale: real-time intelligence sharing, coordinated enforcement, and a prevention-first mindset. The arrests and recoveries are significant. But the deeper win is the network—law enforcement, private sector, and nonprofits—working as one.
Your move now is to lock in the basics: verify payments, turn on MFA, patch exposed systems, and practice your response plan. These steps blunt the most common attacks, including the ones this operation just disrupted.
If you found this breakdown useful, stay tuned for more clear, actionable analysis of the threats that matter—and the defenses that work.