HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

INTERPOL's African cybercrime crackdown recovers $97M

Written by Lusanda Molefe | Sep 9, 2025 11:54:53 PM

INTERPOL's Operation Serengeti 2.0 has resulted in 1,209 arrests across Africa and the recovery of $97.4 million from cybercriminal networks that targeted nearly 88,000 victims through ransomware, business email compromise, and sophisticated fraud schemes. 

 

What happened

Operation Serengeti 2.0 ran from June to August 2025, bringing together investigators from 18 African countries and the United Kingdom to combat high-impact cybercrimes including ransomware, online scams, and business email compromise (BEC). The coordinated effort represents the second phase of INTERPOL's ongoing initiative to address cybercrime across Africa, where such crimes now account for more than 30% of all reported criminal activity in West and East Africa.

The operation was strengthened by private sector collaboration, with partners including Kaspersky, Group-IB, Fortinet, and TRM Labs providing intelligence on suspicious IP addresses, domains, and command-and-control servers. Prior to the operation, investigators participated in hands-on workshops covering cryptocurrency investigations, ransomware analysis, and open-source intelligence tools.

 

The intrigue

The operation uncovered unexpected connections between cybercrime and physical infrastructure exploitation. In Angola, authorities dismantled 25 cryptocurrency mining centers operated by 60 Chinese nationals who had established 45 illicit power stations to siphon electricity from the national grid. The seized mining and IT equipment, valued at over $37 million, will now be redistributed by the government to support power distribution in vulnerable areas.

The operation also uncovered links between cybercrime operations and human trafficking in Zambia. Authorities disrupted a scam center in Lusaka and confiscated 372 forged passports from seven countries, revealing how cybercriminal networks are expanding into other forms of organized crime that could potentially infiltrate any sector, including healthcare.

 

By the numbers

  • 1,209 suspects arrested
  • $97.4 million recovered
  • 88,000 victims identified
  • 11,432 malicious infrastructures dismantled
  • 18 African countries plus UK participated
  • 25 crypto mining centers shut down in Angola
  • 65,000 victims of investment fraud in Zambia lost $300 million
  • 372 forged passports seized

 

Why it matters

While Operation Serengeti 2.0 didn't specifically target healthcare-related cybercrime, the tactics and infrastructure uncovered mirror those used against medical facilities. The operation revealed that cybercriminals are using ransomware, BEC schemes, and sophisticated social engineering, the same methods that have crippled hospitals worldwide and compromised patient data.

The investment fraud scheme in Zambia, which defrauded 65,000 victims of $300 million through fake cryptocurrency advertisements and malicious apps, demonstrates how easily large populations can be targeted. Healthcare organizations handling similar numbers of patient records face comparable risks from cybercriminals using identical techniques to steal protected health information (PHI) or disrupt medical services.

 

What they're saying

Valdecy Urquiza, Secretary General of INTERPOL, emphasized the growing nature of the threat: "Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries. With more contributions and shared expertise, the results keep growing in scale and impact."

Dmitry Volkov, Group-IB CEO, warned about the borderless nature of cybercrime: "Cybercrime recognizes no borders, and its impact is truly global. The success of Operation Serengeti 2.0 demonstrates what can be achieved when nations stand together against this threat."

 

Looking ahead

INTERPOL's Africa Cyberthreat Assessment Report 2025 warns that AI-driven crimes and turnkey attack infrastructure are accelerating cybercrime across the continent. With nearly 90% of African agencies reporting limited cross-border cooperation capacities, healthcare organizations cannot rely solely on law enforcement and must strengthen their own defenses against these evolving threats.

 

FAQs

What is business email compromise (BEC)?

BEC is a sophisticated scam where criminals compromise legitimate business email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.

 

How does this operation relate to healthcare cybersecurity?

While not healthcare-specific, the operation revealed cybercrime tactics identical to those used against hospitals: ransomware, business email compromise, and social engineering. The scale and sophistication of these operations show how healthcare organizations could be similarly targeted.

 

What can healthcare organizations learn from this?

The operation shows cybercriminals are well-organized, internationally connected, and using legitimate-appearing infrastructure. Healthcare facilities should assume similar groups are targeting medical data and should implement security measures that address both external threats and potential insider risks.