Full Report
Law enforcement agencies from 16 African countries have made 651 arrests and recovered more than USD 4.3 million in an international cybercrime operation against online scams. Operation Red Card 2.0 (8 December 2025 to 30 January 2026) targeted the infrastructure and actors behind high-yield investment scams, mobile money fraud and fraudulent mobile loan applications. During…
Analysis Summary
# Incident Report: Operation Red Card 2.0
## Executive Summary
Operation Red Card 2.0 was an international law enforcement operation coordinated by INTERPOL across 16 African countries against organized cybercrime syndicates. It produced 651 arrests and the recovery of more than USD 4.3 million, and disrupted the infrastructure behind high-yield investment scams, mobile money fraud and fraudulent mobile loan applications. Investigators linked the groups to more than USD 45 million in losses and 1,247 identified victims.
## Incident Details
- **Discovery Date:** Not stated in the source; intelligence gathering preceded the operation's launch in December 2025.
- **Incident Date:** December 8, 2025 – January 30, 2026 (Active Operation Phase)
- **Affected Organization:** No single organization; individual users of mobile money, mobile loan and investment services (1,247 victims identified).
- **Sector:** Financial Services (Mobile Money), Professional Services (Investment), Information Technology.
- **Geography:** 16 African countries (including Nigeria).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing through 2025.
- **Vector:** Social engineering and fraudulent mobile applications.
- **Details:** The "access" here is to the victim, not to a network: high-yield investment pitches and fraudulent mobile loan apps induced victims to hand over money and personal data directly. No conventional intrusion is described in the source.
### Lateral Movement
- **Details:** Not applicable in the corporate-network sense. The syndicates instead moved stolen funds through cross-border mobile money networks and ran coordinated regional activity from centralized "operational hubs", such as a residential property seized in Nigeria.
### Data Exfiltration/Impact
- **Details:** Compromise of victim financial credentials and personal identifying information (PII) to facilitate unauthorized mobile money transfers and fraudulent loan disbursements.
### Detection & Response
- **How it was discovered:** Intelligence sharing between INTERPOL and African law enforcement agencies.
- **Response actions taken:** An eight-week coordinated takedown involving physical raids, digital infrastructure seizures, and international arrests.
## Attack Methodology
- **Initial Access:** Fraudulent mobile applications and social engineering.
- **Persistence:** Fraudulent mobile loan apps installed on victims' devices. The source gives no detail on device-level persistence mechanisms; the apps' value to the operators is continued access to the victim, not to the handset.
- **Defense Evasion:** Operations spread across a large, distributed infrastructure (1,442 IPs, domains and servers were taken down). Whether this was deliberate origin-masking or simply scale is not stated in the source.
- **Credential Access:** Credential harvesting via fake investment portals and loan application forms.
- **Impact:** Financial theft and fraud via mobile money platforms and high-yield investment schemes.
## Impact Assessment
- **Financial:** More than USD 45 million in identified losses; more than USD 4.3 million recovered during the operation.
- **Data Breach:** 1,247 identified victims whose PII and financial data were compromised; the true number is likely higher.
- **Operational:** 1,442 malicious IPs, domains and servers taken down.
- **Reputational:** Risk of eroded trust in mobile financial and loan applications across the region.
## Indicators of Compromise
- **Network indicators:** 1,442 malicious domains, IPs and servers were deactivated. No list is published in the source; the lines below only illustrate the defanged notation in which such indicators are typically shared and are not real indicators (192.0.2.0/24 is RFC 5737 documentation space).
  - Example format: *hxxp[://]malicious-loan-app[.]com*
  - Example format: *192[.]0[.]2[.]1 (defanged)*
- **File indicators:** None published. 2,341 devices were seized; any hashes or app package names recovered from them have not been released.
- **Behavioral indicators:** Funds received from victims and re-sent within minutes through mobile money accounts, often across national borders; investment pitches that promise unusually high returns and pressure the target to pay quickly.
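Indicator lists arrive defanged, as in the example formats above, and have to be restored before they can be matched against proxy, DNS or firewall logs. The following added example (not from the INTERPOL release; all indicator strings are constructed placeholders in RFC 5737 documentation space or reserved names) refangs the common notations, classifies each indicator as a URL, domain or IPv4 address, and drops anything that does not parse so a stray note from a report never ends up in a blocking rule. It goes beyond the two formats shown above by also handling `hxxps`, `(.)`, `[dot]`, `[:]` and host:port forms.

```python
"""Refang and classify defanged network indicators published in threat reports.

Added example for this write-up, not code from the INTERPOL release. The sample
indicators are constructed placeholders (192.0.2.0/24 and 198.51.100.0/24 are
RFC 5737 documentation ranges; .example is reserved), not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the defanging styles commonly seen in reports.
SAMPLE_INDICATORS = [
    "hxxp[://]malicious-loan-app[.]com",
    "hxxps://fake-invest(.)example[.]org/login",
    "192[.]0[.]2[.]1 (Defanged)",
    "198.51.100[.]23:8080",
    "Quick-Loans-Now[dot]example",
    "not an indicator",
]

# Order matters: restore the scheme first, then the bracketed separators.
_REFANG_RULES = [
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),
    (re.compile(r"\[://\]|\[:\]//"), "://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]
_TRAILING_NOTE = re.compile(r"\s*\(defanged\)\s*$", re.IGNORECASE)
# Hostname: dot-separated labels of 1-63 chars, alphabetic TLD, max 253 chars.
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Indicator:
    raw: str    # as it appeared in the report
    kind: str   # "url", "domain", "ipv4" or "unknown"
    value: str  # canonical refanged form (host only for ipv4/domain)


def refang(text: str) -> str:
    """Undo common defanging so the indicator can be matched against logs."""
    out = _TRAILING_NOTE.sub("", text.strip())
    for pattern, repl in _REFANG_RULES:
        out = pattern.sub(repl, out)
    return out


def _is_ipv4(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).version == 4
    except ValueError:
        return False


def classify(value: str) -> tuple[str, str]:
    """Return (kind, canonical value) for a refanged indicator.

    For bare host:port forms the canonical value is the host alone, so the
    same server seen on two ports collapses to one blocklist entry.
    """
    if "://" in value:
        host = urlsplit(value).hostname or ""
        if _is_ipv4(host) or _DOMAIN.match(host):
            return "url", value
        return "unknown", value
    host = value.split(":", 1)[0] if value.count(":") == 1 else value
    if _is_ipv4(host):
        return "ipv4", host
    if _DOMAIN.match(host):
        return "domain", host.lower()
    return "unknown", value


def normalize(indicators) -> list[Indicator]:
    result = []
    for raw in indicators:
        kind, value = classify(refang(raw))
        result.append(Indicator(raw=raw, kind=kind, value=value))
    return result


def blocklist(indicators) -> dict[str, set[str]]:
    """Group usable indicators by kind; 'unknown' entries are deliberately dropped."""
    out = {"url": set(), "domain": set(), "ipv4": set()}
    for ind in normalize(indicators):
        if ind.kind in out:
            out[ind.kind].add(ind.value)
    return out


if __name__ == "__main__":
    for ind in normalize(SAMPLE_INDICATORS):
        print(f"{ind.kind:8} {ind.value:45} <- {ind.raw}")
```

Feed `blocklist()` the published list when one exists; the `unknown` bucket is where prose fragments such as "(Defanged)" or "specific list not provided" land, which is why the function never emits it.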
## Response Actions
- **Containment measures:** Seizure of a primary operational hub/residential property in Nigeria.
- **Eradication steps:** Takedown of 1,442 malicious servers and domains.
- **Recovery actions:** More than USD 4.3 million recovered. The source does not state how or when funds are returned to victims.
## Lessons Learned
- **Key takeaways:** Cybercrime syndicates in Africa are increasingly professionalized, constructing dedicated physical hubs for digital operations.
- **Collaborative Success:** Because the syndicates move funds through mobile money networks that span national borders, no single agency sees the whole chain; coordination across the 16 participating countries was what made the takedown possible.
## Recommendations
- **Consumer Education:** Implementation of public awareness campaigns regarding the risks of "too good to be true" high-yield investments.
- **Vetting Frameworks:** Strengthening the security vetting process for mobile loan applications in regional app stores.
- **Policy:** Enhancing "Know Your Customer" (KYC) requirements for mobile money operators to identify and freeze fraudulent transactions faster.