Full Report
An international law enforcement operation against online scams has led to 651 arrests and the recovery of more than $4.3 million, as part of an effort led by agencies from 16 African countries. The initiative, codenamed Operation Red Card 2.0, took place between December 8, 2025 and January 30, 2026, according to INTERPOL. It targeted infrastructure and actors behind high-yield investment
Analysis Summary
# Incident Report: Operation Red Card 2.0 (INTERPOL African Cybercrime Takedown)
## Executive Summary
Operation Red Card 2.0 was an international law enforcement initiative targeting cyber-enabled financial crime across 16 African nations. The operation disrupted multiple organized crime syndicates, resulting in 651 arrests and the recovery of more than $4.3 million. The crackdown addressed a range of threats, including high-yield investment scams, mobile money fraud, predatory loan apps, and a credential-based breach of a telecommunications provider's internal platforms.
## Incident Details
- **Discovery Date:** Not stated in the public report; ongoing investigations culminated in coordinated action beginning December 2025.
- **Incident Date:** December 8, 2025 – January 30, 2026 (Operational phase).
- **Affected Organization:** Multiple (including a major telecommunications provider and 1,247 individual victims).
- **Sector:** Finance, Telecommunications, and Private Citizens.
- **Geography:** 16 African countries (including Nigeria, Kenya, Côte d’Ivoire, and South Africa).
## Timeline of Events
### Initial Access
- **Date/Time:** Various dates leading up to December 2025.
- **Vector:** Phishing, Social Engineering, and Compromised Staff Credentials.
- **Details:** Attackers used fraudulent social media accounts and "predatory" mobile applications to lure victims. In a corporate breach, attackers used compromised login credentials to access a telecommunications provider's internal platform.
### Lateral Movement
- **Details:** In the case of the telecommunications provider breach, attackers moved within internal platforms to access airtime and data management systems for illegal extraction.
### Data Exfiltration/Impact
- **Details:** Stealing of sensitive personal and financial data via fake loan apps; theft of "significant volumes" of airtime and data; extraction of funds through fraudulent investment dashboards.
### Detection & Response
- **How it was discovered:** African Joint Operation against Cybercrime (AFJOC) intelligence sharing and INTERPOL coordination.
- **Response actions taken:** Coordinated raids across 16 countries, seizure of digital evidence, and freezing of illicit assets.
## Attack Methodology
- **Initial Access:** Phishing, social engineering, fake mobile apps, and identity theft.
- **Persistence:** Resilient scam infrastructure rather than host persistence: over 1,000 fraudulent social media accounts and 1,442 malicious domains, IPs and servers, so campaigns survived the loss of individual accounts or hosts.
- **Privilege Escalation:** Valid staff accounts (compromised login credentials) granting access to internal airtime and data management platforms (telecom incident).
- **Defense Evasion:** Victim-facing deception rather than technical evasion: messaging apps and fictitious testimonials sustained the "ruse" of legitimacy.
- **Credential Access:** Theft of sensitive personal/financial data and staff passwords.
- **Discovery:** Mapping internal telecommunications platforms.
- **Lateral Movement:** Movement between internal platforms to reach airtime and data management systems.
- **Collection:** Gathering victim data through "unsecured loan" applications.
- **Exfiltration:** Transfer of stolen airtime and data for illegal resale; conversion of victim deposits into criminal assets.
- **Impact:** Financial loss totaling over $45 million; abusive debt-collection practices against loan-app victims.
## Impact Assessment
- **Financial:** Over $45 million in total losses identified; $4.3 million recovered.
- **Data Breach:** Compromise of sensitive personal and financial data of 1,247 identified victims.
- **Operational:** Disruption of services at a major telecommunications provider.
- **Human and reputational:** Severe psychological and financial harm to vulnerable individuals and local businesses.
## Indicators of Compromise
- **Network indicators:** 1,442 malicious IPs, domains, and servers (Infrastructure taken down by authorities – specifics not listed in public report).
- **File indicators:** Predatory mobile loan applications (Android APK files); specific hashes are not listed in the public report.
- **Behavioral indicators:** Use of fake account dashboards showing "bogus" returns; blocking of withdrawal requests; automated phishing via social media.
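The report identifies the loan apps only by behaviour (harvesting personal data, then abusive collection), not by hash. The following is an added example, not code from INTERPOL or the report, of a manifest-level triage that flags a lending app requesting permissions it has no business needing. It assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool); the package name, the sample manifest and the permission weights are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for permissions that enable the
data-harvesting and abusive-collection tactics described in the report.
Added example; the manifest, package name and weights are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Assumed scoring scheme: higher weight = more directly usable against the victim.
RISKY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": 3,        # contact list used to harass victims' contacts
    "android.permission.READ_SMS": 3,             # OTPs and bank alerts
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.CAMERA": 1,
}


@dataclass
class Triage:
    package: str
    risky: list
    score: int
    verdict: str


def triage_manifest(xml_text: str, threshold: int = 5) -> Triage:
    """Score the uses-permission entries of a decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "<unknown>")
    # uses-permission is un-namespaced; its name attribute is in the android namespace.
    requested = [el.get(NAME_ATTR) for el in root.iter("uses-permission")]
    risky = sorted(p for p in requested if p in RISKY_PERMISSIONS)
    score = sum(RISKY_PERMISSIONS[p] for p in risky)
    verdict = "review" if score >= threshold else "likely benign"
    return Triage(package, risky, score, verdict)


# Constructed manifest resembling a predatory loan app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.quickcash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="QuickCash"/>
</manifest>
"""

# Constructed manifest for an app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="PlainApp"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

A permission score is only a first filter: a legitimate app can request READ_CONTACTS, and a malicious one can collect the same data through an accessibility service or a web view instead, so a "review" verdict should be followed by dynamic analysis of where the harvested data is sent.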
## Response Actions
- **Containment:** Takedown of 1,000+ social media accounts and 1,442 malicious infrastructure components.
- **Eradication:** Arrest of 651 suspects; seizure of 2,341 devices and 300+ SIM cards.
- **Recovery:** Recovery of more than $4.3 million for return to victims and authorities.
## Lessons Learned
- **Key takeaways:** Transnational cooperation is essential for tackling decentralized cybercrime syndicates. Staff credentials remain a high-value target for initial access to corporate environments, and once inside the attackers moved laterally to the systems that could issue airtime and data.
- **What could have been done better:** Earlier public awareness regarding "predatory loan apps" might have reduced the number of victims among vulnerable populations.
## Recommendations
- **Corporate:** Require phishing-resistant Multi-Factor Authentication (MFA) on all internal staff portals, and pair it with least-privilege roles and volume/velocity monitoring on airtime and data issuance; MFA raises the cost of credential theft but does not detect abuse of an account that has already authenticated.
- **Individual:** Exercise extreme caution with "unsecured loan" apps and high-yield investment opportunities promoted on social media.
- **Government:** Scale regional intelligence sharing through bodies like AFJOC to identify infrastructure patterns early.
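The report does not say how the telecom provider's internal extraction was detected, and MFA alone would not have surfaced a valid, authenticated account issuing airtime. The following is an added example, not code from the report or from any telecom, of the kind of audit-log detection that catches the pattern: a staff account crediting abnormal volumes of airtime or data within a short window. The log format, thresholds, business-hours window and account names are all constructed assumptions.

```python
"""Sliding-window detection over airtime/data provisioning audit logs for the
staff-credential abuse pattern described in the report. Added example; the
log schema, thresholds and sample lines are constructed, not a real schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: ISO timestamp, staff account, action, target MSISDN, amount
SAMPLE_LOG = """\
2025-12-10T09:14:02Z,agent_01,CREDIT_AIRTIME,2347010000001,500
2025-12-10T09:20:45Z,agent_01,CREDIT_AIRTIME,2347010000002,1000
2025-12-10T14:03:11Z,agent_02,CREDIT_AIRTIME,2347010000003,200
2025-12-10T23:41:09Z,agent_07,CREDIT_AIRTIME,2347010000004,50000
2025-12-10T23:41:31Z,agent_07,CREDIT_AIRTIME,2347010000005,50000
2025-12-10T23:42:05Z,agent_07,CREDIT_AIRTIME,2347010000006,50000
2025-12-10T23:42:40Z,agent_07,CREDIT_AIRTIME,2347010000007,50000
2025-12-10T23:43:12Z,agent_07,CREDIT_DATA,2347010000008,20000
2025-12-11T10:02:00Z,agent_02,CREDIT_AIRTIME,2347010000009,300
"""

WINDOW = timedelta(minutes=15)
MAX_AMOUNT_PER_WINDOW = 100_000   # assumed per-account ceiling per window
MAX_EVENTS_PER_WINDOW = 3         # assumed velocity ceiling per window
BUSINESS_HOURS = range(8, 18)     # assumed 08:00-17:59 UTC


def parse_line(line: str):
    ts, user, action, msisdn, amount = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, msisdn, int(amount)


def detect(log_text: str) -> list:
    """Return one alert per (user, window) whose credit volume or velocity
    exceeds the ceilings. Off-hours activity is recorded as a contributing
    reason but never alerts on its own, to keep night-shift noise down."""
    windows = defaultdict(deque)  # user -> deque of (timestamp, amount) inside WINDOW
    alerts, alerted = [], set()
    for line in log_text.strip().splitlines():
        ts, user, action, _msisdn, amount = parse_line(line)
        if not action.startswith("CREDIT_"):
            continue
        q = windows[user]
        q.append((ts, amount))
        while q and ts - q[0][0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        total = sum(a for _, a in q)
        volume_breach = total > MAX_AMOUNT_PER_WINDOW
        velocity_breach = len(q) > MAX_EVENTS_PER_WINDOW
        if not (volume_breach or velocity_breach):
            continue
        reasons = []
        if volume_breach:
            reasons.append(f"amount {total} in {WINDOW}")
        if velocity_breach:
            reasons.append(f"{len(q)} credits in {WINDOW}")
        if ts.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        key = (user, q[0][0])                 # one alert per user per window start
        if key in alerted:
            continue
        alerted.add(key)
        alerts.append({"user": user, "at": ts.isoformat(), "total": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the constructed log the ordinary agents never exceed the ceilings, while `agent_07` trips the volume ceiling on its third credit just before midnight and is suppressed for the remainder of that window. Real thresholds should be derived per role from historical issuance baselines rather than fixed constants.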