Interpol and law enforcement agencies from 19 African countries arrested more than a 1,000 and shut down hundreds of thousands of infrastructures and networks used to run cyberattacks from ransomware to business email compromise to distributed denial-of-service (DDoS) around the world.

The cybercriminal operations racked up more than 35,000 victims and were linked to almost $193 million in losses, according to Interpol, which along with Afripol led the law enforcement crackdown that was dubbed “Operation Serengeti.” Almost $44 million was recovered.

In all, 1,006 people were arrested and took apart 134,089 infrastructures and networks, according to Interpol.

Information that drove the operation was provided by investigators in the 19 participating countries – which included Algeria, Côte d’Ivoire, the Democratic Republic of the Congo, Nigeria, Rwanda, and South Africa – and was disseminated through 65 reports. Operation Serengeti spanned September 2 to October 31.

Going Proactive Against Cybercriminals

Officials from both Interpol and Afripol touted the multinational effort, though Interpol Secretary General Valdecy Urquiza said in a statement that the arrests and other actions resulting from Operation Serengeti are “just the tip of the iceberg, which is why we will continue targeting these criminal groups worldwide.”

The crackdown was another example of international efforts against high-profile and sprawling cybercriminal enterprises that have targeted such threat groups as LockBit (with Operation Cronos) and myriad ransomware, phishing, and infostealer infrastructures (Operation Synergia II).

“From multi-level marketing scams to credit card fraud on an industrial scale, the increasing volume and sophistication of cybercrime attacks is of serious concern,” Urquiza said.

Cybersecurity Vendors Join In

Seven cybersecurity vendors also were involved in Operation Serengeti. Kaspersky provided information about threat actors, data about ransomware attacks and malware on the African continent, and indicators of compromise (IoC) for malicious infrastructure, according to company officials. They noted that during the operation, investigators found ransomware strains like LockBit, Rhysida, and Medusa being used, as well as Grandoreiro, a banking trojan from Brazil.

“As Africa is going through a rapid digitization, the threat of cybercrime on the continent is also escalating,” they wrote in a blog post. “In the African region in particular, ransomware has emerged as a prominent attack vector, targeting critical infrastructure, financial institutions, and manufacturing facilities, among others.”

During the first 10 months of the year, more than 165,000 ransomware attacks in Africa were detected, the cybersecurity firm wrote, adding that spyware and password stealers also were targeting victims in the region.

Group-IB, another cybersecurity vendor, received 19 requests from law enforcement agencies for support and provided information about investment-related scams and schemes that involved bad actors impersonating government officials, phishing, pig butchering, and online casinos.

The company said it also identified about 10,000 DDoS attacks that had been launched in 2023 from servers in Africa, more than 3,000 phishing domains hosted in the region, and details about data stealers and threat actors that published data leaks from Africa on dark web forums.

Cases in Point

Interpol outlined some of the criminal operations that were shut down, including a credit card fraud setup that led to $8.6 million in losses. The money was stolen via fraudulent scripts run after the bad actors altered a banking system’s security protocol and quickly redistributed through the SWIFT fund transfer system to companies in the United Arab Emirates, Nigeria, and China. From there the money went to digital asset institutions. Almost two dozen were arrested.

Five Chinese nationals and three others were arrested in Senegal for running a $6 million online Ponzi scheme that scammed 1811 victims. A search of an apartment found more than 900 SIM cards, $11,000 in cash, phones, laptops, and copies of victims’ ID cards.

A group of people were arrested in Cameroon for luring victims who had paid a “membership fee” with promises of employment or training, only to hold them captive and forcing them to participate in other scams. The group appeared to have collected at least $150,000 in fees.

A crime group in Angola running a virtual casino in the capital city of Luanda targeted gamblers in Brazil and Nigeria and defrauded them and offering a percentage of winnings to members who recruited new subscribers. Law enforcement authorities arrested about 150 people and seized 200 computers and more than 100 mobile phones.