Interpol Shuts Down SniperDz Phishing-as-a-Service Platform

Summary
– Operation Ramz, a 13-country Interpol-led crackdown from October 2025 to February 2026, resulted in 201 arrests and the seizure of 53 servers.
– The operation led to the takedown of the SniperDz phishing-as-a-service platform and the arrest of its primary developer in Algeria.
– SniperDz, active since at least 2015, offered free phishing kits and infrastructure, collecting stolen victim credentials to offset costs.
– Group-IB identified over 20,000 domains linked to SniperDz, which impersonated 30 major organizations and used social engineering with fake social media accounts of public figures.
– The developer’s OpSec failures, including video tutorials and social media activity, allowed investigators to trace his digital footprint and identify him.
A major international law enforcement operation has dismantled a long-running phishing-as-a-service (PhaaS) platform and resulted in the arrest of its primary developer, according to new findings from cybersecurity firm Group-IB.
The coordinated crackdown, known as Operation Ramz, ran from October 2025 to February 2026 and involved authorities across 13 countries in the Middle East and North Africa (MENA) region. At the end of May, Interpol announced the operation’s results, which included 201 arrests, the seizure of 53 servers, and the identification of 382 suspects and 3,867 victims. Nearly 8,000 additional pieces of data and intelligence were shared among participating nations to fuel further investigations.
On June 11, Group-IB, a key partner in the effort, disclosed that the operation specifically targeted SniperDz, a PhaaS platform active since at least 2015. The platform offered a global clientele ready-made phishing kits, infrastructure hosting, and operational support. In 2024, Palo Alto Networks’ Unit 42 reported discovering over 140,000 phishing pages linked to SniperDz between 2023 and 2024 alone. Researchers noted that phishers could either host these pages on SniperDz-owned servers or download templates for their own use. Surprisingly, the service was offered free of charge, likely because SniperDz collected stolen victim credentials to offset costs.
Over nine years, Group-IB identified more than 20,000 unique domains associated with SniperDz, impersonating at least 30 major global organizations including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam. The platform deployed 80 phishing templates in five languages (Arabic, English, French, Spanish, and Hebrew), targeting users of consumer, technology, and payment platforms. Victims were lured to convincing fake websites designed to harvest credentials and personal data.
Beyond standard credential theft, SniperDz used social engineering tactics that exploited the credibility of public figures across the MENA region. Threat actors created fake social media accounts impersonating well-known political personalities, promoting phishing links disguised as promotional offers or free internet access.
The investigation uncovered significant operational security (OpSec) failures by the suspect, who published video tutorials to recruit and train affiliates. These videos inadvertently exposed administrative information and account credentials. Years of social media activity documenting the platform’s evolution, affiliate recruitment, and new template releases helped Group-IB trace the suspect’s digital footprint. A Telegram channel with over 7,300 subscribers and a Facebook account followed by more than 19,000 users provided additional evidence linking the suspect to the platform from 2015 to 2025.
Once Group-IB shared its findings with Interpol, the agency coordinated with the Algerian National Police to disrupt the SniperDz infrastructure and arrest the individual believed to be running the operation.
Dmitry Volkov, CEO of Group-IB, called the case “a textbook example of why adversary-centric intelligence matters.” He added, “Disrupting cybercrime requires more than taking down phishing pages. It requires understanding the people, infrastructure and criminal ecosystems behind them. By combining threat intelligence, attribution, and close collaboration with law enforcement, we were able to help identify the individual responsible for nearly a decade of phishing activity and contribute to bringing that operation to an end.”
(Source: Infosecurity Magazine)