
INTERPOL Disrupts Cybercrime Networks with 'Operation Ramz' Arrests

“The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region,” reads the INTERPOL announcement.

Operation Ramz: scope and headline figures

INTERPOL's Operation Ramz was a concentrated law-enforcement sweep across the Middle East and North Africa that resulted in more than 200 arrests for cybercrime activities and identified another 382 suspects across 13 countries. Authorities seized 53 servers used for phishing, malware, and online fraud. Investigators recovered nearly 8,000 intelligence packages from that equipment, which INTERPOL says tied the operation to at least 3,867 confirmed victims.

Countries targeted and local outcomes

The operation covered Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE. Local highlights published by INTERPOL included securing compromised devices in Qatar that were being used unknowingly to spread malware and seizing devices and banking data in Morocco linked to phishing operations, with multiple suspects under judicial investigation.

Notable dismantlings on the ground

Investigators report several concrete disruptions. In Jordan, authorities dismantled an investment scam operation in which 15 trafficked workers from Asia were forced to run fraud schemes; two organizers were arrested. In Oman, officials disabled a vulnerable, malware-infected server that contained sensitive data. In Algeria, investigators shut down a phishing-as-a-service platform and arrested one suspect. Those case-level details show that the operation combined infrastructure seizures with arrests tied to human exploitation.

Private-sector collaboration and technical tracing

INTERPOL carried out Operation Ramz with technical support from several private cybersecurity firms: Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI. Those partners were credited with helping to track the malicious infrastructure that was ultimately seized. Nearly 8,000 intelligence packages were extracted from the equipment recovered during the operation, a dataset INTERPOL used to enumerate the confirmed victims and to link servers and devices to criminal campaigns.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: the seizure of 53 servers and recovery of thousands of intelligence packages underlines the value of cross-organizational telemetry for mapping criminal infrastructure. Teams should note the operational emphasis on phishing-as-a-service and malware-infected servers as persistent vectors identified by law enforcement.
  • Policymakers and regulators: INTERPOL framed the operation as neutralizing phishing, malware, and cyber scams that "inflict severe cost to the region," signaling continued demand for cross-border cooperation and for legal processes that can translate arrests and seizures into prosecutions and asset forfeiture across jurisdictions.
  • Affected enterprises and consumers: the operation links dozens of compromised servers and thousands of victims to criminal campaigns; organizations with regional exposure should expect law enforcement to increasingly target both the infrastructure and the human networks running scams, including schemes that exploit trafficked labor.

Context inside a year of major INTERPOL crackdowns

Operation Ramz is the third major cybercrime crackdown INTERPOL has announced this year. In March, the agency reported that Operation Synergia III had sinkholed 45,000 malicious IP addresses, seized 212 devices and servers, and arrested 94 individuals across 72 countries for activities including phishing, hacking, fraud, and malware distribution. In February, INTERPOL announced the arrest of 651 suspects across 16 African countries as part of Operation Red Card 2.0, a campaign focused on investment fraud, mobile money scams, and fake loan apps linked to more than $45 million in losses.

Taken together, these operations show a pattern of coordinated international enforcement that combines infrastructure disruption, intelligence recovery, and targeted arrests. The immediate measure of success for Operation Ramz is the number of seized servers and the nearly 8,000 intelligence packages retrieved; the longer-term measure will be how those leads are prosecuted and whether the disruptions reduce phishing and malware activity across the affected countries.

Source: INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers — BleepingComputer