Global Crackdown on Cybercrime: INTERPOL Operation Nets 574 Arrests Across Africa as Ukrainian Ransomware Affiliate Pleads Guilty
An international law enforcement operation coordinated by INTERPOL has resulted in 574 arrests across 19 African nations and the recovery of approximately $3 million, highlighting both the scale of cybercrime on the continent and the growing success of cross-border policing efforts. The announcement comes as a Ukrainian national pleaded guilty in a U.S. court to operating as an affiliate for the notorious Nefilim ransomware gang, underscoring the global nature of digital extortion threats.
Operation Sentinel, conducted between October 27 and November 27, 2025, represents one of the largest coordinated cybercrime crackdowns in African history. The initiative targeted business email compromise schemes, digital extortion operations, and ransomware attacks that collectively caused an estimated $21 million in financial losses, according to INTERPOL officials. The operation successfully dismantled more than 6,000 malicious infrastructure links and decrypted six distinct ransomware variants, though authorities have not publicly identified the specific malware families involved.
Background and Context
The African continent has increasingly become both a target and a base for cybercriminal operations, with financial institutions, government agencies, and critical infrastructure facing sophisticated attacks. INTERPOL's director of cybercrime, Neal Jetton, noted that "the scale and sophistication of cyber attacks across Africa are accelerating, especially against critical sectors like finance and energy." The operation was conducted under the framework of the African Joint Operation against Cybercrime (AFJOC), an initiative designed to enhance cooperation between national law enforcement agencies and improve collective response capabilities against evolving digital threats.
Cybersecurity experts have long warned about the vulnerability of emerging markets to ransomware attacks, where security investments often lag behind rapid digital transformation. The financial impact of these attacks extends beyond immediate losses to include recovery costs, regulatory fines, and reputational damage that can cripple businesses and essential services. Operation Sentinel's results demonstrate how coordinated international action can disrupt criminal networks that often operate across multiple jurisdictions with impunity.
Key Figures and Entities
The law enforcement action involved participation from Benin, Botswana, Burkina Faso, Cameroon, Chad, Congo, Djibouti, Democratic Republic of the Congo, Gabon, Ghana, Kenya, Malawi, Nigeria, Senegal, South Africa, South Sudan, Uganda, Zambia, and Zimbabwe. In Ghana, authorities apprehended multiple suspects connected to a ransomware attack against an unnamed financial institution that encrypted 100 terabytes of data and resulted in approximately $120,000 in thefts.
Meanwhile, in the United States, 35-year-old Ukrainian national Artem Aleksandrovych Stryzhak pleaded guilty to his role as an affiliate in the Nefilim ransomware operation. Stryzhak was arrested in Spain in June 2024 and extradited to the United States in April 2025. According to U.S. Department of Justice filings, Stryzhak gained access to the Nefilim ransomware code in June 2021 in exchange for 20 percent of his illicit proceeds. He faces a maximum sentence of 10 years in prison, with sentencing scheduled for May 6, 2026.
The case against Stryzhak follows charges filed in September 2025 against another Ukrainian, Volodymyr Viktorovich Tymoshchuk, who allegedly administered the LockerGoga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021. Tymoshchuk remains at large, with the U.S. government offering an $11 million reward for information leading to his capture. The FBI and European Union have both placed Tymoshchuk on their most wanted lists.
Legal and Financial Mechanisms
The Nefilim operation employed a "double extortion" model that has become increasingly common among sophisticated ransomware groups. After gaining unauthorized access to corporate networks, attackers would encrypt sensitive data and simultaneously exfiltrate information, threatening to publish stolen files on a dedicated leak site called Corporate Leaks if victims refused to pay ransom demands. According to court documents, Nefilim administrators specifically instructed affiliates like Stryzhak to target companies in the U.S., Canada, and Australia with annual revenues exceeding $200 million, suggesting a calculated approach to victim selection.
In Africa, investigators uncovered particularly sophisticated fraud schemes. Ghanaian authorities dismantled a network operating across Ghana and Nigeria that used fake websites and mobile applications impersonating popular fast-food brands to collect payments for nonexistent orders. The scheme defrauded more than 200 victims of over $400,000 before being shut down. Similarly, law enforcement in Benin took down 43 malicious domains and 4,318 social media accounts used in various extortion operations, leading to 106 arrests.
International Implications and Policy Response
The successful coordination between 19 African nations during Operation Sentinel represents a significant advancement in regional law enforcement cooperation. However, cybercrime remains fundamentally transnational in nature, requiring sustained information sharing and joint operations across continents. The case of Artem Stryzhak demonstrates how ransomware affiliates in one country can attack victims globally while working with administrators elsewhere, complicating prosecution efforts.
International agencies have called for strengthened legislation requiring mandatory breach disclosure, improved regulation of cryptocurrency transactions, and enhanced extradition treaties specifically addressing cybercrime. The AFJOC framework represents an important step toward building institutional capacity in African nations, but significant challenges remain in tracking cryptocurrency flows, attributing attacks to specific actors, and navigating complex jurisdictional issues.
Cybersecurity researchers emphasize that while law enforcement operations like Operation Sentinel are crucial, they represent only one component of an effective response. Experts continue to advocate for increased investment in critical infrastructure protection, international standards for cyber hygiene, and public-private partnerships to share threat intelligence and best practices.
Sources
This report draws on official statements from INTERPOL, court filings from the U.S. Department of Justice, and information published by participating law enforcement agencies between June 2024 and December 2025. Additional details were obtained from Federal Bureau of Investigation wanted notices and public records of international cybercrime operations.