Executive Summary
In November 2025, INTERPOL coordinated Operation Sentinel across 19 African nations, resulting in the arrest of 574 suspected cybercriminals and recovery of $3 million. The operation targeted major cybercrime networks involved in business email compromise (BEC), digital extortion, and related ransomware campaigns. Notably, a Ukrainian national associated with ransomware operations pled guilty, highlighting the global breadth of these criminal networks. The operation uncovered sophisticated use of encrypted communication and lateral movement tactics to evade detection, impacting financial institutions and businesses across the continent.
The crackdown underscores the evolving nature of cybercrime: attackers are leveraging advanced techniques, and international collaboration among law enforcement agencies is rising in response. Increased BEC and ransomware threats have pressed organizations in Africa and globally to evaluate their existing cybersecurity and compliance controls.
Why This Matters Now
This incident demonstrates an urgent need for organizations to bolster defenses against cross-border cybercrime syndicates, as Africa continues to be a growing target for BEC and ransomware operations. The close cooperation between law enforcement reveals that cybercrime is borderless and rapidly adapting, emphasizing the importance of real-time threat detection, encrypted traffic protection, and compliance with security frameworks.
Attack Path Analysis
Attackers began with phishing and BEC tactics to compromise employee credentials and access cloud assets. Once inside, they escalated privileges through exploiting IAM misconfigurations or credential reuse. Using east-west traffic, the adversaries moved laterally within hybrid cloud environments to identify high-value systems and data stores. They established covert command and control over internal and outbound channels, leveraging encrypted or clandestine traffic. Sensitive business data and financial records were exfiltrated through encrypted and policy-evading egress paths. The final impact included financial fraud, service disruption, and business extortion via ransomware and digital extortion schemes.
Kill Chain Progression
Initial Compromise
Description
Threat actors used phishing and business email compromise (BEC) attacks to obtain valid credentials, allowing unauthorized access to enterprise cloud and SaaS resources.
Related CVEs
CVE-2020-1472
CVSS 10: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, allowing them to run a specially crafted application on a device on the network.
Affected Products:
Microsoft Windows Server – 2008 R2, 2012, 2016, 2019
Exploit Status:
Exploited in the wild
CVE-2019-19781
CVSS 9.8: A directory traversal vulnerability in Citrix Application Delivery Controller and Gateway allows an unauthenticated attacker to perform arbitrary code execution.
Affected Products:
Citrix Application Delivery Controller – 10.5, 11.1, 12.0, 12.1, 13.0
Citrix Gateway – 10.5, 11.1, 12.0, 12.1, 13.0
Exploit Status:
Exploited in the wild
CVE-2021-34527
CVSS 8.8: A remote code execution vulnerability exists in the Windows Print Spooler service when it improperly performs privileged file operations.
Affected Products:
Microsoft Windows – 7, 8.1, 10, Server 2008, Server 2012, Server 2016, Server 2019
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Techniques mapped to the incident context for initial filtering and prioritization; further STIX/TAXII enrichment can be performed as required.
Spearphishing Attachment
Spearphishing Link
Brute Force
Valid Accounts
Data Encrypted for Impact
Account Discovery
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control Measures
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Art. 9
CISA ZTMM 2.0 – Strong, Adaptive Authentication
Control ID: Identity Pillar - Authentication
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Financial institutions face critical exposure to business email compromise and digital extortion targeting encrypted transactions, requiring enhanced east-west traffic security and zero trust segmentation.
Financial Services
Cybercrime networks exploit financial services through BEC attacks and ransomware, necessitating robust egress security controls and threat detection capabilities for regulatory compliance protection.
Law Enforcement
INTERPOL's coordinated operation highlights law enforcement's dual role as both cybercrime target and responder, requiring secure hybrid connectivity and multicloud visibility for international cooperation.
Government Administration
Government agencies remain prime targets for sophisticated cybercrime networks employing lateral movement techniques, demanding comprehensive zero trust architecture and anomaly detection systems.
Sources
- INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty (https://thehackernews.com/2025/12/interpol-arrests-574-in-africa.html)
- 574 arrests and USD 3 million recovered in coordinated cybercrime operation across Africa (https://www.interpol.int/en/News-and-Events/News/2025/574-arrests-and-USD-3-million-recovered-in-coordinated-cybercrime-operation-across-Africa)
- Ukrainian National Pleads Guilty to Conspiracy to Use Nefilim Ransomware to Attack Companies in the United States and Other Countries (https://www.justice.gov/opa/pr/ukrainian-national-pleads-guilty-conspiracy-use-nefilim-ransomware-attack-companies-united)
- Interpol-led cybercrime crackdown results in 574 arrests in 19 African nations, decrypts six ransomware variants (https://www.tomshardware.com/tech-industry/cyber-security/interpol-led-cybercrime-crackdown-results-in-574-arrests-in-19-african-nations-decrypts-six-ransomware-variants-operation-sentinel-disrupts-rings-that-caused-usd21-million-in-losses-recovers-usd3-million)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, encrypted traffic controls, and anomaly-driven egress enforcement offer robust protection against credential-based cloud breaches and lateral attacker movement. These controls detect, contain, and prevent unauthorized access, data exfiltration, and extortion activities typical in BEC and ransomware operations.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline controls and policy automation could have detected suspicious login attempts and unauthorized access early.
Control: Zero Trust Segmentation
Mitigation: Least privilege access boundaries would limit unauthorized privilege escalation within the environment.
Control: East-West Traffic Security
Mitigation: Workload-to-workload flow restrictions would block unauthorized internal traversal.
Control: Threat Detection & Anomaly Response
Mitigation: Detection of anomalous beaconing or remote access activity triggers containment.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts to unauthorized destinations would be blocked or logged.
Malicious activity, ransomware traffic, and unauthorized destructive actions are detected and stopped at the perimeter.
Impact at a Glance
Affected Business Functions
- Financial Transactions
- Data Management
- Customer Service
Estimated downtime: 7 days
Estimated loss: $21,000,000
Sensitive customer and corporate data, including financial records and personal information, were potentially exposed due to ransomware attacks and business email compromise schemes.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation using identity-based microsegmentation across cloud and hybrid workloads for least privilege enforcement.
- Deploy east-west traffic security controls to visualize and restrict lateral movement paths within and between cloud regions.
- Enforce strict egress policies and encrypted traffic inspection to detect and block unauthorized data exfiltration attempts.
- Integrate threat detection and anomaly response capabilities to provide real-time visibility and rapid containment of covert attacker activities.
- Regularly review and audit IAM roles and policies to eliminate unnecessary privileges and reduce the risk of privilege escalation.