Interpol has completed Operation Sentinel, a large-scale, coordinated cybercrime crackdown across Africa that resulted in 574 arrests, the recovery of around USD 3 million, and the disruption of extensive networks behind Business Email Compromise (BEC), online fraud and ransomware attacks.
Key results of Operation Sentinel against cybercrime in Africa
Conducted between 27 October and 27 November 2025, Operation Sentinel brought together law enforcement agencies from 19 countries. Investigators identified and took down more than 6,000 malicious links used for phishing, malware distribution and credential theft, significantly degrading multiple criminal infrastructures operating in the region.
A standout achievement was the technical work against ransomware. Specialists from law enforcement and private-sector partners managed to break the encryption used by six ransomware families. This enabled the creation of custom decryptors and allowed victims to restore substantial volumes of data without paying a ransom, directly undermining the business model of ransomware operators.
Financial disruption: blocking fraudulent transfers and freezing assets
The USD 3 million recovered during Operation Sentinel represents only a fraction of the amounts criminals attempted to move through BEC schemes, fake online platforms and cryptocurrency transactions. Rapid intelligence sharing about suspicious transfers and wallets allowed banks and payment providers to freeze accounts before funds were fully laundered or cashed out.
This approach reflects a broader global trend: financial loss prevention increasingly depends on real-time collaboration between financial institutions, law enforcement and threat intelligence providers. According to the FBI’s IC3 reports, BEC alone has caused several billion dollars in reported losses worldwide in recent years, underscoring why this vector is a priority in international operations.
High-impact cases: BEC attacks, ransomware and phishing campaigns
Blocked BEC fraud against a Senegalese oil company
One of the most notable incidents during Sentinel was a BEC attack targeting an oil company in Senegal. Criminals attempted to redirect a legitimate payment of USD 7.9 million to accounts they controlled by sending forged payment instructions that imitated trusted business correspondence.
Thanks to prompt verification of the email instructions and rapid intervention by the company’s bank and investigators, the fraudulent transfer was blocked before the funds left the financial system. The case illustrates how BEC combines email compromise and social engineering and why strict verification procedures for high-value payments are essential.
Ransomware incident at a financial institution in Ghana
In Ghana, law enforcement focused on a ransomware attack against a financial institution, where attackers encrypted around 100 TB of data and simultaneously stole approximately USD 120,000. Analysis of the malware enabled experts to build a working decryptor and restore an estimated 30 TB of critical data without paying the ransom. Suspects tied to this case have been arrested.
This incident reinforces core security principles: backup strategies, network segmentation and continuous monitoring for anomalous activity remain crucial. Even when a decryptor can be developed, the time and complexity of recovery mean that resilience planning and incident response readiness are indispensable for financial and other critical organizations.
Fake fast-food websites used for phishing and payment fraud
Another investigative cluster targeted fraudulent websites impersonating major international fast-food chains. Operators based in Ghana and Nigeria created fake ordering and loyalty program pages to harvest payment data and credentials, stealing more than USD 400,000 from over 200 victims.
During Sentinel, law enforcement arrested 10 suspects, seized more than 100 devices, and took offline about 30 servers supporting the criminal infrastructure. The case highlights how easily consumers can be deceived by brand impersonation and why users should verify URLs, check for HTTPS (which phishing sites can also obtain, so it is not proof of legitimacy on its own), and rely on official apps and websites when making payments.
National operations in Benin and Cameroon reveal regional cybercrime patterns
In Benin, one of the most extensive national phases of Sentinel led to the arrest of 106 individuals, the dismantling of 43 malicious domains, and the closure of 4,318 fraudulent social media accounts used for advance-fee fraud, identity theft and distribution of phishing links.
In Cameroon, investigators disrupted a widespread online car sales fraud. Attackers used compromised servers and fake listings to collect deposits for vehicles that did not exist. Once the underlying infrastructure and banking channels were identified, authorities moved quickly to freeze related bank accounts and prevent further losses.
According to Interpol’s assessment, cyberattacks in Africa are growing in scale and sophistication, particularly against finance, energy and other critical sectors. Rapid digitalization and expanding online services, when not paired with proportional investment in cybersecurity, create attractive conditions for organized cybercriminal groups.
Private-sector intelligence and international cooperation as force multipliers
A decisive factor in Operation Sentinel’s success was close collaboration with the private sector. Organizations including Team Cymru, The Shadowserver Foundation, Trend Micro, TRM Labs and Uppsala Security provided intelligence on IP addresses, domains, cryptocurrency wallets and infrastructure linked to ransomware, phishing and financial fraud campaigns.
This public–private model combines the legal powers of law enforcement with the scalable telemetry, analytics and threat intelligence capabilities of commercial and non-profit entities. Such cooperation is increasingly recognized as essential for tracking cross-border cybercriminal operations and mapping their infrastructure across clear and dark web ecosystems.
Sentinel and Serengeti 2.0: building a sustained strategy
Operation Sentinel builds on Interpol’s earlier regional effort, Serengeti 2.0, concluded in August 2025. That operation resulted in 1,209 arrests, the recovery of approximately USD 97.4 million for victims, and the takedown of 11,432 malicious infrastructure elements linked to attacks against 87,858 victims.
Together, Serengeti 2.0 and Sentinel show that coordinated international cybercrime operations can significantly disrupt criminal ecosystems. However, maintaining these gains depends on how consistently businesses and public-sector organizations implement both basic and advanced security controls.
Organizations operating in Africa and globally should strengthen payment controls—especially for email-based instructions—enforce multi-factor authentication, and conduct regular employee training on phishing and BEC. Maintaining tested backups, segmenting networks, and engaging with national CERTs and law enforcement before incidents occur all increase cyber resilience. As the region’s digital economy expands, such measures make it harder for attackers to monetize intrusions and ensure that international operations like Sentinel deliver lasting impact.