Interpol-Led Operation Nets Over 500 Arrests In Major Cybercrime Crackdown
December 30, 2025
Read also: Coinbase ex-support agent arrested, a former Nefilim ransomware affiliate pleads guilty, and more.

Interpol-led operation nets over 500 arrests in major cybercrime crackdown
More than 500 suspects have been arrested during an Interpol-coordinated operation targeting cybercrime networks involved in business email compromise (BEC), ransomware, and online extortion schemes. The operation, known as ‘Operation Sentinel,’ also resulted in the recovery of approximately $3 million in criminal proceeds.
Running from October 27 to November 27, the month-long campaign involved law enforcement agencies from 19 countries. Authorities dismantled more than 6,000 malicious links and successfully decrypted six ransomware variants during the operation.
Interpol reported that the cases investigated were linked to over $21 million in financial losses worldwide. Authorities prevented a $7.9 million fraudulent wire transfer aimed at a petroleum company in Senegal. In Ghana, multiple suspects were arrested following a ransomware attack on a financial institution that encrypted 100 terabytes of data. Investigators analyzed the malware, created a decryption tool, and recovered 30 terabytes of affected data.
Police in Ghana and Nigeria dismantled a scam impersonating well-known fast-food brands, which had defrauded more than 200 victims of over $400,000. In Benin, authorities carried out over 100 arrests, while also removing dozens of malicious domains and thousands of scam-related social media accounts. Meanwhile, police in Cameroon shut down an online vehicle sales scam and froze compromised bank accounts.
Operation Sentinel follows a series of major cybercrime enforcement efforts led by Interpol across Africa. In August, Operation Serengeti 2.0 resulted in 1,209 arrests and the seizure of $97.4 million in illicit funds. Earlier, ‘Operation Red Card,’ launched in March, led to 306 arrests and disrupted scams affecting more than 5,000 victims. In April 2023, the Africa Cyber Surge II initiative saw 14 suspected cybercriminals arrested across 25 African countries, with authorities identifying more than 20,000 suspicious cyber networks linked to over $40 million in financial losses.
Nigerian police announced last week the arrest of three suspects linked to targeted Microsoft 365 cyber-attacks conducted through the RaccoonO365 phishing kit. One of the suspects, identified as Okitipi Samuel, aka “RaccoonO365” and “Moses Felix,” is believed to be the developer behind RaccoonO365. At present, it’s not clear whether these arrests were made as part of Operation Sentinel.
Former Coinbase customer service agent arrested over the exchange hack
A former Coinbase customer support agent has been arrested in India for helping hackers to steal sensitive customer data from the company earlier this year. The arrest took place in Hyderabad, the capital of Telangana and one of India’s major technology hubs.
In May 2025, Coinbase disclosed that rogue customer service employees had enabled hackers to access internal systems. The attackers allegedly demanded a $20 million ransom in exchange for not releasing data taken from a compromised database. According to the company, the breach, which occurred in December 2024, resulted in the theft of customer names, addresses, phone numbers, email addresses, images of government-issued IDs, account details, masked Social Security numbers, bank account information, and limited corporate data. Coinbase said that the attackers did not obtain two-factor authentication codes, private keys, or access to customer wallets.
Meanwhile, a 29-year-old Lithuanian national has been arrested in South Korea for his alleged role in distributing clipboard-stealing malware disguised as the pirated software activation tool KMSAuto. The malware, which is believed to have infected around 2.8 million computers worldwide, monitored victims’ clipboards for cryptocurrency wallet addresses and replaced them with addresses controlled by the attacker.
The investigation began in August 2020 after South Korean authorities received a report of cryptojacking linked to clipboard manipulation. The Korean National Police Agency traced the infections back to a malicious KMSAuto executable and determined that the campaign targeted users of at least six cryptocurrency exchanges.
In December 2024, police conducted a raid in Lithuania, seizing 22 items, including laptops and mobile phones. The suspect was ultimately arrested in April 2025 while traveling from Lithuania to Georgia and was extradited to South Korea to face charges related to the large-scale malware campaign.
Dozens charged over ATM jackpotting scheme using Ploutus malware
The US Department of Justice has charged 54 individuals for their alleged roles in a large-scale ATM jackpotting operation that used the Ploutus malware family to steal millions of dollars from cash machines.
According to authorities, the defendants include leaders and members of Tren de Aragua, a Venezuelan crime syndicate described by US officials as a terrorist organization involved in murder, assault, drug and firearms trafficking, kidnapping, robbery, fraud, and extortion.
A DoJ press release mentions Jimena Romina Araya Navarro, an alleged leader of Tren de Aragua, who has also been sanctioned by the US Treasury Department. Prosecutors allege she played a key role in coordinating the group’s criminal activities, including the ATM attacks.
Authorities say the group installed Ploutus malware on targeted ATMs, allowing operators to bypass security controls and remotely force machines to dispense cash. Charged individuals face potential sentences ranging from 20 to 335 years in prison on counts including bank fraud, burglary, computer fraud, and hacking.
The US seizes a fraud domain, charges the operator of fake ID marketplaces
The US Department of Justice (DoJ), together with its Estonian counterparts, has seized a web domain and database allegedly used in a criminal operation that targeted Americans through bank account takeover fraud. Authorities said the domain, web3adspanels[.]org, operated as a backend control panel where criminals stored and managed stolen bank login credentials.
According to the DoJ, the fraud scheme used fake advertisements placed on major search engines such as Google and Bing. The ads were designed to closely resemble legitimate sponsored advertisements from well-known banking institutions. When users clicked on the ads, they were redirected to fake bank websites that harvested victims’ credentials. The pilfered data was then used to steal money from real bank accounts.
Investigators estimate the scheme has caused approximately $28 million in attempted losses and about $14.6 million in confirmed losses.
In a separate case, the US authorities unsealed a nine-count indictment against Zahid Hasan, 29, of Dhaka, Bangladesh. Hasan is accused of operating illegal online marketplaces that sold digital templates of fraudulent identity documents, including US passports, Social Security cards, and Montana driver’s licenses.
Hasan faces six counts of transferring false identification documents, two counts of false use of a passport, and one count of Social Security fraud. If convicted, he could receive up to 15 years in prison on each of the first eight counts and up to five years for the Social Security fraud charge, along with fines of up to $250,000 per count.
Prosecutors allege that from at least 2021 through 2025, Hasan ran the Bangladesh-based websites TechTreek and EGiftCardStoreBD, selling fraudulent document templates to customers worldwide. The documents used to create fake online accounts were sold for as little as $9 to $14. Authorities claim Hasan earned more than $2.9 million from over 1,400 customers during the four-year period. As part of the investigation, US authorities seized three domains (techtreek[.]com, egiftcardstorebd[.]com, and idtempl[.]com) linked to the operation.
Former Nefilim ransomware hacker pleads guilty
A former ransomware affiliate pleaded guilty in the US Eastern District of New York to a charge related to cyber-attacks on companies across the United States, Canada, and Australia.
Artem Aleksandrovych Stryzhak, a 35-year-old Ukrainian national, was arrested in Barcelona last year and extradited to the US in April. Prosecutors said Stryzhak used the Nefilim ransomware strain after gaining access to it in June 2021, agreeing to give the developers 20% of any ransom payments he collected. Stryzhak pleaded guilty to one count of conspiracy to commit computer fraud. He faces a maximum sentence of 10 years in prison, with sentencing scheduled for May.
According to prosecutors, the Nefilim group targeted companies with more than $100 million in annual revenue and caused millions of dollars in losses through ransom payments and damage to computer systems. US victims included firms in aviation, engineering, chemicals, eyewear, insurance, construction, energy, and pet care.
The US Department of Justice has offered an $11 million reward for information leading to the arrest of Volodymyr Tymoshchuk, another co-conspirator in the scheme. Prosecutors allege Tymoshchuk acted as an administrator for Nefilim and two now-defunct ransomware strains, LockerGoga and MegaCortex, which were used to attack hundreds of organizations across the US and Europe between 2018 and 2021.