Executive Summary
In June 2024, Interpol coordinated "Operation Contender 3.0" across 14 African countries, arresting 260 individuals involved in cyber-enabled romance scams and sextortion schemes. The operation disrupted 81 cybercrime networks and resulted in the seizure of devices, forged documents, and other cybercrime infrastructure. Authorities uncovered nearly $2.8 million in losses affecting almost 1,500 victims, with Ghana and Senegal among the countries making substantial arrests and asset recoveries. Criminal networks exploited online platforms to deceive victims, using forged identities, stolen images, and blackmail tactics to extort payments or sensitive information.
This operation highlights the escalating threat of social engineering attacks and cyber-enabled financial fraud in rapidly digitizing regions. As online interactions increase, so do identity-driven scams, making it critical for organizations and individuals alike to strengthen digital vigilance and invest in layered, resilient cybersecurity controls.
Why This Matters Now
The growing scale and sophistication of social engineering and sextortion scams underscore the increasing vulnerability of users to digital fraud. With cybercrime syndicates exploiting new online channels and weak identity controls, timely detection, education, and cross-border law enforcement cooperation have become urgent priorities.
Attack Path Analysis
Attackers initiated the scam by distributing phishing and social engineering messages to lure victims into engagement. Once basic access was gained, they manipulated victims further through spoofed identities and fraudulent resource requests, sometimes escalating access to sensitive user data or communication channels. The adversaries then moved laterally by using multiple online platforms and messaging apps to expand victim reach and maintain communications across services. Infrastructure for command and control included use of SIM cards, USB drives and anonymized accounts to orchestrate ongoing interactions. During exfiltration, attackers tricked victims into transferring money or disclosing sensitive data and images via encrypted communication channels. The ultimate impact was financial loss and psychological harm to the victims, with the attackers employing extortion and blackmail for additional monetary gain.
Kill Chain Progression
Initial Compromise
Description
Adversaries used phishing and social engineering on social media/dating platforms to initiate contact and lure victims.
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Email
Gather Victim Identity Information: Email Addresses
Compromise Accounts: Social Media Accounts
User Execution: Malicious File
Valid Accounts
Forge Web Credentials
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Extortion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Access Management
Control ID: 10.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Multi-factor Authentication and Credential Management
Control ID: Identity Pillar: Authentication and Access
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Romance scams and sextortion targeting financial platforms require enhanced customer verification, east-west traffic monitoring, and anomaly detection to prevent fraudulent transactions and protect customer assets.
Internet
Social media and dating platforms exploited for romance scams need zero trust segmentation, egress security controls, and threat detection capabilities to identify fake profiles and malicious activities.
Telecommunications
SIM card seizures and communication infrastructure exploitation highlight the need for encrypted traffic protection, multicloud visibility, and inline IPS to secure telecommunications networks from cybercrime syndicates.
Law Enforcement
International cybercrime investigations require secure hybrid connectivity, centralized policy enforcement, and threat intelligence sharing capabilities to coordinate cross-border operations effectively against criminal networks.
Sources
- Interpol operation disrupts romance scam and sextortion networks in Africa: https://cyberscoop.com/interpol-operation-contender-3-africa/
- 260 suspected scammers arrested in pan-African cybercrime operation: https://www.interpol.int/en/News-and-Events/News/2025/260-suspected-scammers-arrested-in-pan-African-cybercrime-operation
- African authorities dismantle massive cybercrime and fraud networks, recover millions: https://www.interpol.int/en/News-and-Events/News/2025/African-authorities-dismantle-massive-cybercrime-and-fraud-networks-recover-millions
- Serengeti 2.0: Kaspersky supports INTERPOL-led action leading to over 1,200 arrests: https://www.kaspersky.com/about/press-releases/serengeti-20-kaspersky-supports-interpol-led-action-leading-to-over-1200-arrests
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Effective deployment of identity-based segmentation, internal east-west traffic visibility, egress policy enforcement, and encrypted traffic inspection could have disrupted attacker communications, contained lateral spread, detected anomalous outflows, and limited the success of data exfiltration and extortion activities.
Control: Multicloud Visibility & Control
Mitigation: Prompt detection of suspicious inbound connections and anomalous traffic patterns at network edge.
Control: Threat Detection & Anomaly Response
Mitigation: Detection of remote access tool usage and credential misuse.
Control: East-West Traffic Security
Mitigation: Containment of lateral communication attempts within and across clouds or services.
Control: Encrypted Traffic (HPE)
Mitigation: Inspection and restriction of command and control traffic over encrypted channels.
Control: Egress Security & Policy Enforcement
Mitigation: Prevention of unauthorized outbound traffic and data exfiltration; limitation of attack impact by restricting attacker persistence and the ability to target multiple internal entities.
Impact at a Glance
Affected Business Functions
- Financial Services
- Social Media Platforms
- Online Dating Services
Estimated downtime: 14 days
Estimated loss: $2,800,000
Personal and financial data of approximately 1,500 victims were compromised, leading to financial losses and potential psychological harm.
Recommended Actions
Key Takeaways & Next Steps
- Deploy centralized visibility and anomaly detection to discover abnormal communications and social engineering attempts at all ingress points.
- Implement strict egress controls and URL/FQDN filtering to prevent data and monetary exfiltration to attacker infrastructure.
- Use east-west segmentation and least-privilege microsegmentation across users and applications to limit the potential for lateral spread.
- Enforce continuous encrypted traffic inspection and baselining to identify covert C2 and data extraction activity over encrypted channels.
- Continuously monitor for indicators of remote access tool abuse or credential misuse and automate incident response where possible.