
INTERPOL Shuts Down Sniper Dz Phishing Platform, Arrests 201 Suspects Across MENA

A major international law enforcement operation led by INTERPOL has successfully dismantled Sniper Dz, one of the longest-running phishing-as-a-service (PhaaS) platforms operating in the Middle East and North Africa (MENA) region.

The operation, known as Operation Ramz, was conducted between October 2025 and February 2026 and involved authorities from 13 countries. According to cybersecurity firm Group-IB, the coordinated effort resulted in 201 arrests, including the platform’s alleged creator and administrator.

Sniper Dz Founder Arrested in Algeria

Among those arrested was Guedz, the suspected mastermind behind Sniper Dz. Authorities from the Algerian National Police reportedly apprehended the individual during the operation.

Over its decade-long existence, the platform underwent several rebranding efforts, operating under names such as:

  • Joker Dz
  • Storm Dz
  • Spam Dz

Investigators believe the service was responsible for collecting more than 45,000 victim records through large-scale phishing campaigns.

Law enforcement agencies also seized servers, hardware, phishing software, and scripts used to support the criminal operation. The website that provided phishing services to cybercriminals has since been taken offline.

A Decade of Phishing Operations

According to Group-IB, Sniper Dz had been active since at least 2015 and evolved into a highly organized cybercrime platform.

The service provided cybercriminals with:

  • Ready-made phishing kits
  • Hosting infrastructure
  • Technical support
  • Campaign management resources

Over the years, researchers identified more than 20,000 unique domains linked to the platform.

The phishing toolkit targeted approximately 30 major global organizations, including:

  • PayPal
  • Facebook
  • Instagram
  • Yahoo
  • Netflix
  • Steam

To maximize its reach, the platform offered over 80 phishing templates in multiple languages, including Arabic, English, French, Spanish, and Hebrew.

How Sniper Dz Targeted Victims

The platform primarily focused on users of social media, technology, and streaming services.

Attackers created convincing fake websites that mimicked trusted brands and government agencies in an effort to steal:

  • Login credentials
  • Personal information
  • Financial data
  • Other sensitive records

Researchers noted that the platform went beyond traditional phishing methods by incorporating advanced social engineering tactics.

Exploiting Public Figures for Trust

One of the more sophisticated techniques involved impersonating well-known political and public figures across the MENA region.

Cybercriminals created fake social media profiles pretending to be influential personalities and used those accounts to promote phishing links disguised as:

  • Promotional offers
  • Free internet access programs
  • Special giveaways
  • Exclusive online services

These tactics helped increase victim trust and improved the success rate of phishing campaigns.

Free Infrastructure Made Sniper Dz Unique

Unlike many phishing-as-a-service operations that charge subscription fees, Sniper Dz reportedly offered its phishing infrastructure entirely free of charge.

This significantly lowered the barrier to entry for aspiring cybercriminals, allowing inexperienced threat actors to launch phishing campaigns without investing in their own infrastructure.

The platform instead generated revenue through alternative methods tied directly to victim activity.

How the Platform Monetized Victims

Group-IB revealed that Sniper Dz relied on several monetization strategies beyond simple credential theft.

When attackers successfully captured login credentials, those records could be used for account takeover attacks or sold on underground marketplaces.

In cases where victims did not provide credentials, the platform redirected users to various fraudulent schemes, including:

  • Carrier billing fraud
  • Premium SMS subscription scams
  • Browser notification abuse campaigns
  • Affiliate marketing fraud

This approach enabled operators to profit from virtually every visitor directed to their phishing pages.

Previous Security Research Highlighted the Threat

Sniper Dz previously attracted attention from cybersecurity researchers. In October 2024, analysts detailed how the operation maintained a Telegram community with more than 7,300 subscribers.

The platform reportedly shared tutorial videos, phishing resources, and guidance for cybercriminals looking to launch their own campaigns. It also provided built-in hosting options that allowed phishing pages to operate behind proxy servers, making detection and takedown efforts more challenging.

A Major Victory Against Cybercrime

The dismantling of Sniper Dz marks a significant achievement in the global fight against phishing and cyber-enabled fraud.

The operation demonstrates the growing effectiveness of international cooperation between law enforcement agencies and cybersecurity firms in identifying, disrupting, and dismantling large-scale cybercriminal infrastructures.

While the takedown removes one of the most active phishing-as-a-service platforms in the region, security experts warn that similar services continue to emerge, highlighting the need for ongoing vigilance, user awareness, and cross-border collaboration to combat cybercrime.
