“Disrupting cybercrime requires more than taking down phishing pages. It requires understanding the people, infrastructure and criminal ecosystems behind them,” said Dmitry Volkov, CEO of Group-IB.
Operation Ramz: scale, timeline and results
Interpol’s Operation Ramz, a coordinated law-enforcement effort across 13 countries in the Middle East and North Africa (MENA) region, ran from October 2025 to February 2026 and was announced at the end of May. The operation produced concrete, measurable outcomes: 201 arrests, 53 servers seized, and the identification of 382 suspects and 3,867 victims. Interpol also disseminated almost 8,000 pieces of data and intelligence among participating countries to support follow-up investigations.
SniperDz: a long-running, global phishing-as-a-service platform
Group-IB says the platform known as SniperDz has operated since at least 2015 and developed into a global phishing-as-a-service (PhaaS) offering. SniperDz supplied ready-made phishing kits, hosted infrastructure for phishers and provided operational support. Palo Alto Networks’ Unit 42 reported discovering more than 140,000 phishing pages linked to SniperDz between 2023 and 2024, and noted that operators could either host pages on SniperDz infrastructure or download templates to host themselves.
Group-IB found more than 20,000 unique domains connected to SniperDz that impersonated at least 30 major organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix and Steam. Investigators catalogued 80 phishing templates in five languages—Arabic, English, French, Spanish and Hebrew—targeting users of consumer, technology and payment platforms across multiple geographies.
Techniques: credential harvesting, imitation sites and political social engineering
The core of SniperDz’s criminal product was convincing imitation websites designed to harvest credentials, personal information and other sensitive data. Beyond straightforward credential theft, Group-IB documented social-engineering campaigns that leveraged the popularity and credibility of public figures across the MENA region. “Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access,” Group-IB said.
Unit 42 added a striking operational detail: SniperDz reportedly offered its PhaaS services free of charge to phishers, an arrangement whose cost, Unit 42 suggested, may have been offset by SniperDz collecting the credentials stolen by affiliate users of the platform.
Operational security failures that exposed the operator
Investigators credit a series of OpSec mistakes with enabling attribution. The suspect published video tutorials used to recruit and train affiliates; those materials inadvertently exposed administrative information and account credentials. Years of social media activity that documented the platform’s evolution, recruitment and template releases provided additional threads.
Group-IB highlighted two coordination channels that proved especially useful: a Telegram channel used to coordinate operations that had more than 7,300 subscribers when Group-IB shared its findings with Interpol, and a Facebook account followed by more than 19,000 users. Those accounts, along with the other artifacts, helped trace the suspect’s digital footprint and link him to platform activity spanning 2015–2025.
Interpol, Group-IB and Algerian National Police: disrupting the infrastructure
After compiling its intelligence, Group-IB passed the collected information to Interpol. Interpol then coordinated with the Algerian National Police to disrupt SniperDz infrastructure and arrest the individual suspected of running the operation. On June 11, Group-IB disclosed that the takedown targeted SniperDz and resulted in the arrest of the platform’s primary developer in Algeria.
Dmitry Volkov framed the work as an illustration of an “adversary‑centric” approach: “By combining threat intelligence, attribution, and close collaboration with law enforcement, we were able to help identify the individual responsible for nearly a decade of phishing activity and contribute to bringing that operation to an end,” he said.
What this means for technologists, policymakers and end users
- Technologists and security teams: investigators catalogued more than 20,000 domains and 80 phishing templates in five languages, concrete artefacts that defenders can incorporate into blocklists, takedown requests and detection rules.
- Policymakers and law enforcement: Operation Ramz demonstrates a multi-partner, multi-country model: Interpol coordinated action across 13 MENA countries and shared nearly 8,000 pieces of intelligence to seed further investigations.
- End users: Group-IB’s findings show phishers used imitation websites and fake social media accounts impersonating public figures to push phishing links disguised as promotional offers or free internet access—signals to be treated with caution when encountered online.
The arrest of SniperDz’s suspected developer and the disruption of its infrastructure mark a significant operational blow to a platform that Group-IB says operated for nearly a decade. Yet the scale of the catalogued material (tens of thousands of domains, more than 140,000 phishing pages uncovered by Unit 42, and thousands of identified victims) underscores why investigators emphasize combining technical takedowns with people-focused intelligence and international cooperation. Interpol’s dissemination of intelligence to participating countries will be a concrete test of how those follow-on investigations reduce harm and close the loop on stolen credentials and impersonation campaigns.
https://www.infosecurity-magazine.com/news/interpol-dismantles-sniperdz/




