
Dark Reading Confidential: This Threat Hunter Helped Cops Bust Up An African Cybercrime Syndicate

  • What: A threat hunter helped police dismantle a cybercrime syndicate.
  • Impact: Law enforcement and cybersecurity professionals are affected.

Dark Reading Confidential Episode 15: Interpol relied on Will Thomas and team to help break up a sprawling cybercrime ring, leading to the arrest of 574 suspects, the recovery of more than $3 million, and the decryption of six malware variants. Here's his story.

Dark Reading Staff, Dark Reading, March 4, 2026

Becky Bracken
Hello everyone, and welcome to Dark Reading Confidential. It's a podcast with the editors of Dark Reading, bringing you real world stories straight from the cyber trenches. I'm Becky Bracken, your host. And today I am thrilled to welcome Will Thomas, who is a senior threat researcher with Team Cymru. He was recently involved in a blockbuster breakup of an African cybercrime syndicate operation in conjunction with Interpol. So we wanted to welcome Will today to give us some insights into how that came about and what that was like. So welcome, Will.

Will Thomas
Thanks for having me on. It's been a good opportunity to chat, and I'm happy to dive into a little bit more about the types of role that Team Cymru can play in these international law enforcement operations.

Becky Bracken
Yes, OK, so this was a biggie, and I covered this (Operation Sentinel) just before the end of the year on Dec. 23. And, according to the report from Interpol, involved law enforcement across 19 countries, made 574 arrests, and recovered three million. That's quite a bust, I would say.

Will Thomas
Yes, they did a lot there. Makes me smile, makes me proud to think that we've been involved in this and, you know, hopefully improved a lot of people's lives as a result.

Becky Bracken
So, help us get an idea of how this comes about. How do you first learn about Operation Sentinel? How do you first learn about what your role is potentially going to be working with Interpol on this?

Will Thomas
Yeah, there are a lot of people in Team Cymru, a lot of the researchers and experts in Team Cymru, the company is made of many experts and researchers, and we have a lot of people who've been involved in fighting cybercrime and fighting various hostile state campaigns as well. And through that experience, we've kind of built up these relationships over the many, many years that the company's been around. Team Cymru goes back 25 years since it was created. And the whole time it's always been about, you know, it has a mission to save and improve human lives. And through that simple slogan, you know, we work with law enforcement, we help with takedowns, using the unique data sets that Team Cymru has, we're able to stop these cybercriminal campaigns, because we are able to watch them do things that they don't think they are being watched doing.

Becky Bracken
So your boss comes into your office or pings you on Teams, I assume, and says, Hey, I've got this project for you to work on. Is that how the work gets disseminated out?

Will Thomas
Yes, it can start like that. We have only senior experts in Team Cymru and those people have used their relationships to receive sort of ad hoc requests. So Team Cymru is a strategic private sector partner for multiple law enforcement groups and agencies around the world. And we'll just get an ad hoc request from them. So we will receive these email requests and then we will look into what we can do to help them. And it's always been, there's been basically a way that we've supported these campaigns.

Becky Bracken
So this isn't new work for you or your team over there.

Will Thomas
No, Cymru has been involved in multiple operations in 2025 alone. Multiple Interpol operations. There was one such as Operation Serengeti, MENA, and Synergia, and then this one, Sentinel, which is the one that recently took place across Africa. It's something that they come to us for because of our expertise, but also the data that we have, which we can talk more about in a minute.

Becky Bracken
Yes, so I would like to know more about sort of your specific area of expertise and the data and sort of how you went about tracking down these crime syndicates, which I guess it was several operating in unison, is that correct?

Will Thomas
Yeah. So the interesting thing about this operation, and my expertise as well, is that it's mainly focused on three types of cybercrime that many of the listeners will probably be familiar with. Ransomware, business email compromise, and then data extortion as well. And those types of threat actors are not the most sophisticated, but they are very persistent. They do cause a lot of damage and disruption to various organizations around the world. And particularly in Africa, where they're not as well defended, right? So as our expertise comes in tracking the infrastructure of these types of threat actors, so that comes in two parts as well. Where are the IP addresses hosting the tools used by these ransomware gangs? And then where are the threat actors who are remoting into them and controlling those IP addresses? And where are and who are the victims? Because we can use our NetFlow data, which I can dive into more as well. We are able to identify not only the victim of a certain C2 server, offensive security tool, hacking tools hosted online, who are the victims of those tools, and then also who's controlling those tools, who's remoting in and taking control of those command and control servers.

Becky Bracken
I would imagine that also comes in pretty frequently when you're trying to do attribution work as well, trying to tie certain infrastructures to various campaigns and groups. Is that something else you're involved in?

Will Thomas
Exactly. My expertise often comes in tracking ransomware campaigns. And from tracking the ransomware threat actors, I like to map out what tools they use and also the infrastructure that they launch those capabilities from. So for example, I created this project called the Ransomware Tool Matrix. It takes all of the tools used by various different ransomware gangs, probably about over 100 on tracking and all of the different tools that they use. What Team Cymru does is we'll scan and track across the internet where these tools are hosted. So take Cobalt Strike, for example. That's a very common tool that multiple ransomware gangs like to use. Using our NetFlow data, we can see where those Cobalt Strike IPs are hosted, and we can see who are the victims of those Cobalt Strike IPs. And for this specific operation with Interpol, we could see there's a set number of countries that they wanted to support and build this operation around. And we could see victims coming, communicating, beaconing out from their corporate networks to those Cobalt Strike IPs. And the way Team Cymru can do that is we have these partnerships, hundreds of partnerships around the world where we receive NetFlow data. And then that NetFlow data is enriched with, because we know what the victim IP is. Maybe it's like an enterprise gateway, a WAN IP, and then we also know the other side of it, which is this malicious Cobalt Strike IP. And if we see the two communicating, then we found a victim. So all of that intelligence about where the threat actors are hosting their control tools, their hacking tools, and the NetFlow to the victims, then that goes to Interpol and then they can use that to take down these operations.

Becky Bracken
So in the case of Operation Sentinel, which came first? Were you seeing nefarious beacons going to these Cobalt Strike C2s? Or did Interpol come to you and say, We think there's some weird stuff going on. Can you take a look at the digital footprint of this?

Will Thomas
As with most law enforcement engagements that we have, law enforcement came to us. But there are other occasions when we'll investigate and identify some malicious activity and we can tip off various agencies. The interesting thing about Team Cymru, or the unique thing about Team Cymru, is that as law enforcement, many people may not realize that they can't really act unless there's victims in their jurisdiction. For Interpol to come here and help coordinate this operation, they had to have the cooperation of all the different African countries, police forces, who can respond to these incidents. So that as long as there's a victim in their jurisdiction, then they can respond to it. Unfortunately, because of the nature of the internet, a threat actor who's maybe in Russia could host a C2 server in the Netherlands and then communicate with victims across Africa, for example. So because of the dynamics of international jurisdictions, it takes an international law enforcement agency like Interpol to coordinate those requests, those takedowns, helping police forces work with attorneys and lawyers and things to help prosecute and pass things along and get sign-offs from judges to do those takedowns.

Becky Bracken
That's so interesting because it does hit home when I see, because Interpol has been launching these large scale multinational takedowns and I hadn't considered that it requires them to find and pinpoint victims in their individual jurisdictions, and that must be a pretty hefty digital lift if you don't know what you're doing.

Will Thomas
Exactly. And for a lot of organizations, you kind of run into a problem where the threat actor m
