
INTERPOL Disrupts Sniper Dz Phishing Platform in Global Operation


"Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to cybercriminals," Group-IB said Thursday.

Operation Ramz: regional cooperation, 201 arrests

Between October 2025 and February 2026, an INTERPOL-led effort codenamed Operation Ramz brought together authorities from 13 countries across the Middle East and North Africa (MENA) region and resulted in 201 arrests, Group-IB reported. The sweep targeted a long-running phishing-as-a-service operation known primarily as Sniper Dz and led to the takedown of the platform’s outward-facing website and the seizure of hardware containing phishing software and scripts.

Arrest of the administrator known as "Guedz" and infrastructure seizures

The primary developer and administrator of Sniper Dz, identified in Group-IB’s briefing as Guedz, was arrested by the Algerian National Police as part of the operation. Authorities removed the web property that had been offering PhaaS (phishing-as-a-service) capabilities to other cybercriminals, and seized hardware the platform used to host phishing pages and related tooling.

Scope of abuse: domains, victims, and targets

Group-IB said Sniper Dz collected more than 45,000 victim records and that security researchers have identified in excess of 20,000 unique domains associated with the service. The toolkit primarily targeted 30 major global organizations, with specific brand names cited by Group-IB: PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam. Operators deployed roughly 80 phishing templates across five languages — Arabic, English, French, Spanish, and Hebrew — enabling campaigns aimed at users of technology, social media, and streaming platforms across several geographies.

Techniques, channels, and monetization

Beyond imitation login pages, Group-IB described Sniper Dz’s use of social engineering that "exploited the popularity and credibility of public figures across the Middle East and North Africa." Threat actors created fake social media accounts impersonating well-known political personalities to promote phishing links disguised as promotional offers or free internet access, the company said.

Sniper Dz stood out in the PhaaS market because it reportedly offered its entire infrastructure for free; monetization did not come from subscription fees but from abusing harvested traffic and credentials. As Group-IB explained, "Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns."

Palo Alto Networks Unit 42 previously analyzed Sniper Dz in October 2024, noting the actor’s use of a Telegram channel with more than 7,300 subscribers to share tutorial videos and options for hosting phishing pages on the platform’s infrastructure behind a proxy server.

How technology teams, affected platforms, and MENA law enforcement are responding

  • Technology and security teams at targeted platforms — specifically those named in Group-IB’s report such as PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam — will be watching domain registrations and phishing templates closely, given the identification of more than 20,000 related domains and 80 multilingual templates.
  • Affected platforms and enterprises that rely on credential-based authentication may need to accelerate detection of credential-stuffing and notification-abuse flows tied to affiliate and carrier-billing fraud, which Group-IB cited as secondary monetization avenues.
  • MENA law enforcement and international partners, as demonstrated by the 13-country effort and the Algerian National Police’s arrest of the platform administrator, have shown coordinated capacity to seize infrastructure and make arrests — actions that underpin future cross-border investigations into PhaaS providers and their affiliates.

The facts presented by Group-IB and the prior Unit 42 analysis paint a clear picture: Sniper Dz operated at scale for years by offering free infrastructure, leveraging social engineering tied to public figures, and converting traffic into financial gain through a range of scams. The takedown and the arrest of Guedz remove a visible center of gravity for this network, but the evidence recorded — tens of thousands of domains, more than 45,000 victim records, and multilingual tooling — makes plain that investigators face a large residue of artifacts and victims to remediate.

Will the seized hardware and arrests break the operational chains that turned phishing into a regional, multilingual commercial service? The answer will rest on follow-on prosecutions, cross-border evidence-sharing, and continued monitoring of the thousands of domains and affiliate channels that Group-IB and Unit 42 have identified.

Original story: The Hacker News — INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator