Cybersecurity firm Group-IB has disclosed details of a significant Interpol-led operation that dismantled a well-established phishing-as-a-service (PhaaS) platform. The initiative, known as Operation Ramz, resulted in both the takedown of this cybercriminal operation and the arrest of its primary developer.
The operation spanned from October 2025 to February 2026, covering 13 countries within the Middle East and North Africa (MENA) region. Interpol announced the successful outcomes of this extensive crackdown at the end of May. The results were impressive: a total of 201 arrests were made, alongside the seizure of 53 servers. In addition, 382 suspects were identified along with 3,867 victims, highlighting the extensive reach of the cybercrime network. A wealth of data, nearly 8,000 pieces of intelligence, was also shared among the participating nations, laying the groundwork for further investigations into cybercriminal activities.
On June 11, Group-IB, a key partner in this initiative with Interpol, disclosed that the operation had led to the shutdown of a PhaaS platform known as SniperDz. The primary developer of this platform was apprehended in Algeria, showcasing the collaborative efforts of international law enforcement to combat cybercrime.
Understanding SniperDz: A Global Phishing-as-a-Service Platform
Originating around 2015, SniperDz became a prominent player in the cybercrime landscape, offering ready-made phishing kits, infrastructure hosting, and operational support to cybercriminals worldwide. According to research by Palo Alto Networks’ Unit 42, over 140,000 phishing pages linked to SniperDz were discovered between 2023 and 2024 alone.
Phishers using the SniperDz platform could either host their phishing pages on the platform’s own infrastructure or download phishing templates to deploy on their own servers. This flexibility is particularly alarming because it lowers the barrier to entry: a wide range of cybercriminals could target unsuspecting victims, often at no cost to the phishers. Reports indicate that SniperDz may even collect the stolen credentials itself as a way to offset its operational costs.
Over the years, Group-IB has identified more than 20,000 unique domains associated with SniperDz, many of which impersonated well-known organizations such as PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam. SniperDz designed its phishing pages to convincingly mimic the online presence of these global brands, increasing the likelihood of capturing personal information from victims.
Social Engineering Techniques Exploited by SniperDz
The SniperDz operation was not limited to standard phishing tactics; it also employed advanced social engineering techniques. By exploiting the popularity and credibility of public figures in the MENA region, the platform’s operators created fake social media accounts mimicking well-known political personalities. These accounts were subsequently used to disseminate phishing links disguised as enticing promotional offers or free internet access, further broadening their potential victim base.
OpSec Failures Highlighted in the Investigation
An investigation into the workings of SniperDz revealed significant operational security (OpSec) failures on the part of the platform’s operators. Notably, the main suspect published video tutorials aimed at training affiliates, which inadvertently exposed critical administrative information and account credentials. These oversights, coupled with years of social media activity documenting the platform’s evolution and recruitment efforts, facilitated Group-IB’s identification of the suspect.
A Telegram channel utilized for operational coordination, boasting over 7,300 subscribers, along with a Facebook account followed by more than 19,000 users, provided additional evidence that linked the suspect to SniperDz’s activities over nearly a decade. The substantial digital footprint left by the suspect made it easier for investigators to connect the dots.
The Role of Collaboration in Combatting Cybercrime
Following the accumulation of evidence, Group-IB collaborated with Interpol to relay essential data to Algerian authorities. This partnership ultimately resulted in the disruption of the SniperDz infrastructure and the arrest of the individual believed to be at the helm of the operation.
Dmitry Volkov, CEO of Group-IB, emphasized the significance of “adversary-centric intelligence” in these kinds of operations. He stated that “disrupting cybercrime requires more than just disabling phishing pages; it necessitates a deep understanding of the people, infrastructures, and criminal ecosystems that support these activities.” Through the intersection of threat intelligence, accountability, and close collaboration with law enforcement, Group-IB was able to play a crucial role in identifying the individual responsible for nearly a decade’s worth of phishing activity, thus contributing to the dismantling of a major cybercriminal operation.
In sum, Operation Ramz did not just serve as a warning to cybercriminals but also showcased the effectiveness of international cooperation in the realm of cybersecurity. The concerted efforts of law enforcement agencies and cybersecurity firms have proven essential in combating the growing threat of cybercrime, with initiatives like Operation Ramz paving the way for future successes in this critical field.

