Cybersecurity firm Group-IB has revealed that a recent Interpol-led cybercrime law enforcement operation has led to the takedown of an established phishing-as-a-service (PhaaS) platform and the arrest of its main operator and developer.
The crackdown, dubbed Operation Ramz, ran from October 2025 to February 2026 across 13 countries in the Middle East and North Africa (MENA) region.
The results, announced by Interpol at the end of May, included 201 arrests, 53 servers seized and 382 suspects and 3867 victims identified.
A further set of almost 8000 pieces of data and intelligence was also disseminated among participating countries to initiate and support future investigations.
On June 11, Group-IB, one of Interpol’s main partners for this effort, revealed that the operation led to the takedown of SniperDz and the arrest of its primary developer in Algeria.
SniperDz: A Global Phishing-as-a-Service Platform
SniperDz is a PhaaS platform that has been running since at least 2015. Today, the cybercrime platform has global reach and sophisticated offerings, including ready-made phishing kits, infrastructure hosting and operational support for cybercriminals.
In 2024, Palo Alto Networks’ Unit 42 said it had discovered over 140,000 phishing pages associated with SniperDz between 2023 and 2024 alone.
The researchers noted that phishers can either host these phishing pages on SniperDz-owned infrastructure or download SniperDz phishing templates to host on their own servers.
“Surprisingly, SniperDz PhaaS offers these services free of charge to phishers – perhaps because SniperDz also collects victim credentials stolen by phishers who use the platform to compensate for the cost of service,” the Unit 42 report said.
Over the past nine years, Group-IB identified more than 20,000 unique domains associated with SniperDz that impersonated at least 30 major global organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix and Steam.
Group-IB’s investigations team identified 80 phishing templates deployed in five languages (Arabic, English, French, Spanish and Hebrew), targeting users of consumer, technology and payment platforms across multiple geographies.
Typically, victims were lured to convincing imitation websites designed to harvest credentials, personal information and other sensitive data.
Beyond traditional credential theft, the SniperDz platform also leveraged social engineering techniques that exploited the popularity and credibility of public figures across MENA.
“Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access,” Group-IB explained.
SniperDz Showed Significant OpSec Failures
The investigation revealed a significant operational security (OpSec) failure by the suspect, who published video tutorials to recruit and train affiliates. These inadvertently exposed administrative information and account credentials.
These, combined with years of social media activity documenting the platform's evolution, affiliate recruitment efforts and the release of new phishing templates, helped Group-IB investigators trace the suspect’s digital footprint and identify him.
“A Telegram channel used to coordinate operations, which had more than 7,300 subscribers when Group-IB shared its findings with Interpol, and a Facebook account followed by more than 19,000 users, provided additional evidence linking the suspect to the platform's activities between 2015 and 2025,” Group-IB added.
Once the cybersecurity company handed over the collected information to Interpol, the law enforcement agency coordinated with the Algerian National Police to disrupt the SniperDz infrastructure and arrest the individual suspected of running the operation.
According to Dmitry Volkov, CEO of Group-IB, this case was “a textbook example of why adversary-centric intelligence matters.”
“Disrupting cybercrime requires more than taking down phishing pages. It requires understanding the people, infrastructure and criminal ecosystems behind them,” he said.
“By combining threat intelligence, attribution, and close collaboration with law enforcement, we were able to help identify the individual responsible for nearly a decade of phishing activity and contribute to bringing that operation to an end.”
