500+ Cybercrime Arrests in INTERPOL’s Operation Sentinel | eSecurity Planet

INTERPOL’s Operation Sentinel resulted in 574 arrests across Africa, disrupting major BEC, ransomware, and extortion campaigns.

Written by Ken Underhill
Dec 26, 2025

A sweeping, month-long international law enforcement operation has resulted in the arrest of 574 cybercrime suspects across Africa.

Coordinated by INTERPOL and spanning 19 countries, Operation Sentinel targeted business email compromise (BEC), digital extortion, and ransomware.

“The scale and sophistication of cyberattacks across Africa are accelerating, especially against critical sectors like finance and energy,” said Neal Jetton, INTERPOL’s Director of Cybercrime.

Inside Operation Sentinel

Operation Sentinel ran from October 27 to November 27, 2025, under the African Joint Operation against Cybercrime (AFJOC) framework. 

Law enforcement agencies from countries including Ghana, Nigeria, Senegal, South Africa, Kenya, and Benin worked together to dismantle cybercriminal infrastructure and pursue suspects. 

According to INTERPOL, authorities recovered approximately $3 million in illicit funds, disabled more than 6,000 malicious links, and decrypted six ransomware variants. 

The investigated cases were linked to estimated financial losses exceeding $21 million.

The operation focused on three high-impact crime types: BEC schemes that exploit trusted communications, ransomware attacks that disrupt critical services, and digital extortion campaigns that increasingly target both organizations and individuals.

From Email Compromise to Ransomware

Many of the disrupted campaigns relied on familiar — but highly effective — techniques.

In BEC cases, attackers compromised internal email systems and impersonated executives or trusted partners to authorize fraudulent wire transfers. 

These schemes often combine social engineering with prior reconnaissance, making them difficult to detect without strong internal controls.

Ransomware incidents observed during the operation followed a similar pattern seen globally: initial compromise, data encryption, and selective data theft to pressure victims into paying. 

In Ghana, for example, a ransomware attack against a financial institution encrypted approximately 100 terabytes of data and exfiltrated $120,000 before authorities intervened. 

Investigators were able to analyze the malware, develop a decryption tool, and recover nearly 30 terabytes of data while arresting multiple suspects.

Other cases involved large-scale online fraud. In Ghana and Nigeria, cybercriminals used professionally designed websites and mobile applications impersonating popular fast-food brands to collect payments for fake orders. 

These campaigns exploited consumer trust and digital convenience, defrauding more than 200 victims of over $400,000.

Defending Against BEC and Ransomware

Effective risk reduction requires coordinated prevention, detection, and response across email, identity, endpoints, and financial workflows. 

The following measures outline practical steps organizations can take to strengthen controls, limit potential impact, and improve overall preparedness.

  • Enforce MFA, DMARC, and out-of-band verification to reduce business email compromise risk.
  • Maintain tested offline backups, patch internet-facing systems, and monitor for early ransomware activity.
  • Apply least-privilege access, network segmentation, and strong controls on administrative and payment workflows.
  • Monitor for anomalous logins, email impersonation, and unauthorized changes to vendor payment details.
  • Restrict script execution, deploy behavioral endpoint detection, and monitor outbound data exfiltration.
  • Run regular BEC and ransomware response exercises and test incident response plans.

Together, these measures help organizations reduce exposure to business email compromise and ransomware while improving operational resilience.
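
An added example (not from the article or from INTERPOL) of the email-impersonation monitoring and out-of-band verification listed above: it extracts BEC indicators from a message's headers and body, then decides whether a payment request is delivered, sent for call-back verification, or held. The organization domain, executive name, signal names, thresholds and sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed values for illustration: the defender's own domain and executive names.
ORG_DOMAIN = "example-corp.test"
EXEC_NAMES = {"dana okoye"}
PAYMENT = re.compile(r"wire transfer|bank details|new account|urgent payment", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_signals(raw):
    """Return the impersonation and payment-fraud indicators present in one message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''} {body.get_content() if body else ''}"
    checks = {
        "dmarc_fail": "dmarc=fail" in str(msg["Authentication-Results"] or "").lower(),
        "lookalike_domain": 0 < edit_distance(domain, ORG_DOMAIN) <= 2,
        "exec_name_external": name.lower() in EXEC_NAMES and domain != ORG_DOMAIN,
        "reply_to_mismatch": bool(reply_to) and reply_to.rpartition("@")[2].lower() != domain,
        "payment_request": bool(PAYMENT.search(text)),
    }
    return [k for k, hit in checks.items() if hit]

def triage(signals):
    """'hold' = payment request plus impersonation signs; 'verify' = call back out of band."""
    if "payment_request" not in signals:
        return "deliver"
    return "hold" if len(signals) > 1 else "verify"

# Constructed sample message (not real traffic): lookalike domain, digit 1 for letter l.
SPOOFED = """\
From: Dana Okoye <dana.okoye@examp1e-corp.test>
Reply-To: payments@mailbox.test
Authentication-Results: mx.example-corp.test; dmarc=fail header.from=examp1e-corp.test
Subject: Urgent payment today

Please process a wire transfer to the new account below."""
```

A payment request that shows no impersonation signal still returns `verify`, because a message sent from a genuinely compromised internal mailbox passes every header check.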

Fighting Cybercrime Across Borders

Operation Sentinel reflects a broader shift in how cybercrime is addressed: as threats become increasingly transnational, effective response requires coordinated action beyond national boundaries. 

Law enforcement agencies are strengthening partnerships with international organizations and private-sector threat intelligence providers to track malicious infrastructure, analyze criminal activity, and disrupt the financial networks that sustain cybercrime operations.

As ransomware and business email compromise attacks grow more pervasive, many organizations are adopting zero-trust solutions to reduce credential risk and limit lateral movement beyond traditional perimeter defenses. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
