
INTERPOL Arrests 574 in Africa; Ukrainian Ransomware Affiliate Pleads Guilty

Severity: Medium
Tags: Vulnerability, rce
Published: Tue Dec 23 2025 (12/23/2025, 11:35:00 UTC)
Source: The Hacker News

Description

A law enforcement operation coordinated by INTERPOL has led to the recovery of $3 million and the arrest of 574 suspects by authorities from 19 countries, amidst a continued crackdown on cybercrime networks in Africa. The coordinated effort, named Operation Sentinel, took place between October 27 and November 27, 2025, and mainly focused on business email compromise (BEC), digital extortion, and

AI-Powered Analysis

AI analysis last updated: 12/23/2025, 12:16:57 UTC

Technical Analysis

Operation Sentinel, coordinated by INTERPOL between October and November 2025, targeted cybercrime networks across 19 African countries, focusing on business email compromise (BEC), digital extortion, and ransomware attacks. The operation led to 574 arrests and the recovery of $3 million, with over 6,000 malicious links taken down and six ransomware variants decrypted, though their names were undisclosed. Notably, a ransomware attack on a Ghanaian financial institution encrypted 100 terabytes of data and resulted in a theft of approximately $120,000. Additionally, cyber fraud networks impersonating fast-food brands were dismantled, involving seizures of devices and fraudulent servers. The operation is part of the African Joint Operation against Cybercrime (AFJOC), aiming to enhance law enforcement capabilities in Africa. Concurrently, a Ukrainian national pleaded guilty in the U.S. for deploying Nefilim ransomware, which operated under a double extortion model, threatening to publish stolen data on a public leak site. Nefilim targeted companies in the U.S., Canada, Australia, and European countries including Germany, the Netherlands, Norway, and Switzerland. The affiliate had access to ransomware code and targeted companies with over $200 million in annual revenue. Another Ukrainian ransomware operator linked to LockerGoga, MegaCortex, and Nefilim remains at large, with a substantial reward for capture. These developments underscore the persistent threat posed by ransomware affiliates operating from Eastern Europe and the increasing sophistication of cybercrime in Africa targeting critical sectors such as finance and energy.

Potential Impact

For European organizations, the primary impact stems from the activities of ransomware affiliates like those deploying Nefilim ransomware, which have targeted companies in Germany, the Netherlands, Norway, and Switzerland. The double extortion tactics threaten confidentiality by risking data leaks, integrity by encrypting data, and availability by disrupting operations. The financial impact can be significant, especially for large enterprises with high annual revenues. The arrest of suspects in Africa disrupts regional cybercrime networks, potentially reducing the volume of BEC and extortion attacks originating from that continent, which may indirectly benefit European entities by reducing global cybercrime activity. However, the presence of sophisticated ransomware groups operating from Eastern Europe, with known links to attacks on European companies, maintains a high threat level. Critical sectors such as finance and energy in Europe remain at risk due to their strategic importance and attractiveness to ransomware actors. The ongoing law enforcement efforts highlight the need for vigilance and preparedness against ransomware and fraud campaigns that could impact European businesses and infrastructure.

Mitigation Recommendations

European organizations should implement advanced detection and response capabilities specifically tuned to identify ransomware behaviors, including double extortion tactics and data exfiltration attempts. Proactive threat intelligence sharing with law enforcement and international partners is essential to stay ahead of emerging ransomware variants and affiliates. Organizations should conduct thorough audits of their email security to mitigate BEC risks, including enforcing multi-factor authentication, strict email filtering, and user training focused on phishing awareness. Network segmentation and least privilege access controls can limit ransomware spread and data exposure. Incident response plans must include procedures for handling extortion demands and data leak threats. Collaboration with African and Eastern European law enforcement agencies can enhance understanding of threat actor tactics and infrastructure. Finally, organizations should regularly back up critical data offline and verify backup integrity to ensure recovery capability without paying ransoms.


Technical Details

Article Source: https://thehackernews.com/2025/12/interpol-arrests-574-in-africa.html (fetched 2025-12-23T12:16:36.487Z, 1232 words)

Threat ID: 694a882670354fdeefe3b3bc

Added to database: 12/23/2025, 12:16:38 PM

Last enriched: 12/23/2025, 12:16:57 PM

Last updated: 12/23/2025, 5:37:00 PM

