International Cybercrime Operation Leads to 574 Arrests and USD 3 Million in Recovered Funds

Key takeaways

• Cross-border coordination delivers impact: 19 countries worked together to drive 574 arrests, recover ~USD 3M, and dismantle key criminal infrastructure.
• Cybercrime is financial crime: BEC, ransomware, and online fraud operate as transnational money-moving ecosystems, not isolated incidents.
• Disruption matters as much as arrests: Sentinel focused on stopping losses in real time—freezing accounts and taking down infrastructure mid-attack.
• Public-private intel is critical: Sharing technical and blockchain intelligence helps trace funds, identify infrastructure, and enable rapid intervention.

‍

{{horizontal-line}}

Operation Sentinel: Scope and objectives

A coordinated law enforcement operation spanning 19 African countries resulted in 574 arrests and the recovery of approximately USD 3 million in illicit proceeds, marking one of the largest region-wide cybercrime crackdowns to date. Led by INTERPOL under the African Joint Operation against Cybercrime (AFJOC), Operation Sentinel ran from October 27 to November 27, 2025, and targeted cyber-enabled financial crime, including business email compromise (BEC), ransomware, digital extortion, and online fraud. These threats were identified as priority risks in INTERPOL’s 2025 Africa Cyber Threat Assessment, which documented a sharp increase in both the scale and sophistication of attacks across the continent. 

‍

{{operation-sentinel-press-release}}

‍

Operation Sentinel reflects a broader shift in enforcement strategy. Rather than treating cybercrime as a series of isolated national incidents, authorities increasingly view it as a transnational financial ecosystem that requires coordinated disruption across jurisdictions, infrastructure, and payment rails.

Regional and global coordination

Law enforcement agencies across participating African countries worked closely with global partners and private-sector organizations to identify malicious infrastructure, trace financial flows, and act quickly. Supporting organizations included TRM, Team Cymru, The Shadowserver Foundation, Trend Micro, and Uppsala Security.

This collaboration allowed investigators to combine traditional investigative techniques with advanced intelligence including domain and infrastructure analysis, malware identification, blockchain tracing, and account-level intervention. Over the course of the operation, authorities took down more than 6,000 malicious links, decrypted six ransomware variants, and investigated cases associated with estimated losses exceeding USD 21 million. Importantly, the operation prioritized active disruption and victim protection alongside arrests, aiming to stop losses in progress rather than focusing solely on retrospective enforcement.

Case highlights from Operation Sentinel

In Senegal, investigators intervened in a business email compromise scheme targeting a petroleum company. Fraudsters attempted to redirect USD 7.9 million through manipulated invoices and spoofed communications. Authorities identified the fraud in time and froze destination accounts before the funds could be withdrawn, preventing a significant financial loss.

In Ghana, a ransomware attack against a financial institution resulted in the encryption of approximately 100 terabytes of data and the theft of roughly USD 120,000. Local authorities identified the malware strain and, working with partners, developed a decryption tool that enabled the recovery of nearly 30 terabytes of affected data, mitigating long-term operational harm.

In a joint Ghana–Nigeria investigation, authorities dismantled a transnational scam network that used fake food delivery websites and mobile applications to defraud more than 200 victims. Ten suspects were arrested, more than 100 digital devices were seized, and 30 fraudulent servers were taken offline, significantly degrading the group’s operational capacity.

In Benin, investigators shut down 43 malicious domains and more than 4,300 social media accounts linked to extortion, impersonation, and fraud campaigns. These actions resulted in over 100 arrests and disrupted a large volume of scam activity targeting victims across multiple countries.

Financial crime dynamics and blockchain tracing

Cybercrime-related financial activity typically involves the rapid movement of funds across multiple accounts, wallets, and intermediaries. Ransomware and fraud actors commonly commingle proceeds, layer transactions, and attempt to cash out through a mix of traditional financial institutions, mobile money services, and cryptocurrency platforms.

TRM supported Operation Sentinel by providing blockchain intelligence to help trace illicit financial activity, identify wallet infrastructure, and assist authorities with emergency freezes where applicable. This support was integrated into broader investigative efforts, reflecting the reality that modern cybercrime investigations increasingly span both on-chain and off-chain systems. Public-private collaboration proved especially important in time-sensitive cases, where early identification of infrastructure or financial endpoints allowed law enforcement to act before funds could be irreversibly moved or laundered.

Enforcement significance

Operation Sentinel illustrates the growing capacity of African law enforcement agencies to respond to cyber-enabled financial crime at scale when supported by international coordination and technical expertise. It also underscores the importance of proactive intervention — freezing accounts, disabling infrastructure, and disrupting networks while activity is ongoing — rather than relying solely on post-incident investigations.

As INTERPOL’s Director of Cybercrime Neal Jetton noted, the operation reflects a strong commitment by African law enforcement agencies, working in close coordination with international partners, to protect livelihoods, secure sensitive personal data, and preserve critical infrastructure.

Looking ahead

Cyber-enabled financial crime continues to evolve rapidly, with attackers leveraging automation, social engineering, and cross-border infrastructure to scale operations. Operation Sentinel demonstrates that coordinated enforcement, supported by real-time intelligence and public-private collaboration, can meaningfully disrupt these networks and reduce harm.

TRM Labs will continue to support law enforcement agencies globally by providing blockchain intelligence and investigative support in complex financial crime cases. Operations like Sentinel underscore the growing importance of sustained international cooperation as cyber threats increasingly transcend national boundaries.

‍

{{horizontal-line}}

Frequently asked questions (FAQs)

1. What was Operation Sentinel?

Operation Sentinel was a month-long, INTERPOL-led operation under AFJOC aimed at disrupting cyber-enabled financial crime across 19 African countries.

2. What types of crimes were targeted by Operation Sentinel?

Operation Sentinel focused on business email compromise (BEC), ransomware, digital extortion, online fraud, and related financial crimes.

3. How many arrests and seizures resulted from Operation Sentinel?

Authorities made 574 arrests and recovered approximately USD 3 million in illicit proceeds.

4. What role did private-sector partners play in Operation Sentinel?

Private-sector organizations provided technical intelligence, infrastructure analysis, and blockchain tracing that supported investigations and enabled rapid intervention.

5. Why is Operation Sentinel significant?

Operation Sentinel demonstrates the effectiveness of coordinated, cross-border enforcement and public-private collaboration in disrupting cybercrime networks at scale.