SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

INTERPOL cybercrime sweep in Africa recovers USD $4.3m

Fri, 20th Feb 2026

INTERPOL's Operation Red Card 2.0 led to hundreds of arrests across Africa and the takedown of scam infrastructure linked to losses of more than USD $45 million. Fortinet was among the private-sector contributors, providing threat intelligence through the World Economic Forum's Cybercrime Atlas.

The coordinated effort brought together law enforcement agencies from 16 African countries. It targeted online scams, mobile money fraud and fraudulent loan applications, focusing on both operators and the infrastructure used to run the schemes.

Investigators identified 1,247 victims and linked the activity to losses exceeding USD $45 million. Authorities reported 651 arrests, seized 2,341 devices, took down 1,442 malicious IP addresses, domains and servers, and recovered more than USD $4.3 million.

The operation combined investigative work with infrastructure disruption. Device seizures provided material for digital forensics and follow-on investigations. Network and server takedowns removed systems tied to active fraud campaigns and reduced groups' ability to quickly reconstitute in the same locations.

INTERPOL coordinated the operation and facilitated information sharing between participating countries. It also supported digital forensic work and training.

Private-sector partners contributed intelligence and technical insight. Fortinet participated through the Cybercrime Atlas, a World Economic Forum initiative that aggregates intelligence from law enforcement, security vendors, financial services organisations and research groups.

Fraud playbooks

Cases cited from the operation point to repeatable tactics that scale across borders. Schemes often combine phishing, social engineering and impersonation on social media and messaging platforms, with monetisation routes that rely on mobile payments and resold digital services.

In Nigeria, authorities dismantled a high-yield investment fraud ring that used phishing, identity theft, social engineering and fake digital asset schemes. More than 1,000 fraudulent social media accounts were taken down, and investigators identified a residential property used as a centralised operations hub.

Nigerian investigators also arrested members of a group accused of infiltrating a major telecommunications provider using compromised credentials. Authorities said the group siphoned large volumes of airtime and data, which were then resold illegally.

In Kenya, law enforcement targeted schemes that used messaging platforms and social media to lure victims into fake investments in well-known global companies. Victims were shown fabricated dashboards and account statements, while withdrawal requests were blocked, according to the operation's account.

In Côte d'Ivoire, authorities disrupted mobile loan fraud operations that used deceptive applications and messaging services. The scams promised quick loans, then imposed fees, harvested personal and financial data, and used coercive collection practices. During the operation, law enforcement seized hundreds of devices and SIM cards.

Atlas model

Operational collaboration has become central to cybercrime enforcement as fraud groups spread across jurisdictions and reuse infrastructure. Investigators often face the challenge of identifying shared dependencies behind multiple campaigns, including hosting services, domains, messaging channels and payment routes.

The Cybercrime Atlas aims to build a shared view of criminal infrastructure and networks. Contributors validate intelligence on scam infrastructure and enabling services, map relationships between actors and services, and identify technical dependencies used across campaigns.

Fortinet provided data and technical insight on malicious infrastructure, transaction patterns and emerging techniques, framing this support as complementary to law enforcement authorities and investigative powers.

Outcomes cited for Red Card 2.0 included intelligence packages used to guide investigations and infrastructure takedowns. Reported results included arrests, device seizures, and the removal of IP addresses, domains and servers linked to criminal activity.

The operation's account also highlighted the role of real-time information exchange. This approach can shorten timelines between identification and action, particularly when scam networks pivot between providers and domains in response to disruption.