A coordinated INTERPOL operation across 13 countries shut down Sniper Dz, a phishing-as-a-service platform that gave aspiring cybercriminals free infrastructure for ten years. The arrest of its administrator and 200 others marks one of the larger MENA-region cybercrime takedowns, and it offers a useful look at how the free-tier PhaaS model actually pays for itself.

An INTERPOL-led operation has taken down one of the longest-running phishing-as-a-service platforms in the Middle East and North Africa, and the details that emerged this week say a lot about how the modern phishing economy works.
According to Group-IB, the Singapore-headquartered firm that supported the investigation, the effort, codenamed Operation Ramz, ran from October 2025 through February 2026. Authorities across 13 MENA countries made 201 arrests. The headline catch was a threat actor known as Guedz, the primary developer and administrator of Sniper Dz, detained by the Algerian National Police. Over roughly a decade, the platform collected more than 45,000 victim records and cycled through a string of rebrands: Joker Dz, Storm Dz, and Spam Dz.
Investigators seized hardware loaded with phishing software and scripts and took down the website that had been distributing the kits. More than 20,000 unique domains have been tied to the operation since it first surfaced around 2015.
Why a free phishing service is worse than a paid one
Most phishing-as-a-service operations work on a subscription model: you pay a monthly fee and get templates, hosting, and support. Sniper Dz flipped that. It offered the entire stack for free: ready-made phishing kits, hosting infrastructure, and operational help.
That sounds like bad business until you look at how it monetized. The operators were not charging the criminals using the platform. They were skimming from the same victim pool. As Group-IB put it, "Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns."
Think of it as a casino that lets anyone deal the cards but takes a cut of every hand. A novice attacker spins up a fake PayPal login page using Sniper Dz, and even when a target does not type in a password, that traffic still gets funneled toward premium SMS scams or notification spam. The platform earns either way. Removing the cost barrier dramatically widened the pool of people willing to run campaigns, which is exactly what made the operation so prolific.
The practical takeaway for defenders: the volume of low-skill phishing you see is not a sign of amateur threats you can ignore. Free tooling means more campaigns, more domains, and more chances for one of them to land in an inbox at your organization.
What the kits actually targeted
Sniper Dz shipped 80 phishing templates in five languages (Arabic, English, French, Spanish, and Hebrew), aimed at about 30 major global brands. The list reads like a tour of the consumer internet: PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam all appear among the impersonated services.
The targeting pattern is worth understanding. The operators went after technology, social media, and streaming users because those credentials are easy to reuse and resell. A Netflix or Steam login often shares a password with something more valuable, and social media accounts can be turned around for the next wave of attacks.
That is where the social engineering layer came in. Beyond plain credential theft, the operators "created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access," Group-IB explained. Borrowing the credibility of a recognizable public figure is a familiar trick, but doing it at regional scale, in the right language, against audiences primed to expect free-data promotions, made the lures convincing.

The Telegram playbook
Sniper Dz was not operating in the shadows. Palo Alto Networks Unit 42 published a detailed analysis in October 2024 documenting a Telegram channel with more than 7,300 subscribers where the operators shared tutorial videos and walked users through the service. The platform even offered to host phishing pages on its own infrastructure behind a proxy server, so an attacker did not need to stand up anything of their own.
That openness is a recurring feature of the PhaaS market. Telegram channels function as customer support, marketing, and onboarding all at once. For threat intelligence teams, those same channels are a monitoring opportunity, since the operators essentially advertise their templates, target lists, and tactics in public.
What this changes
A takedown of this size disrupts a lot of active campaigns at once, and seizing the administrator's hardware plus the distribution site closes off the immediate supply. But anyone who has watched this space knows the pattern. Sniper Dz already rebranded three times. The infrastructure model is well documented, and free PhaaS is attractive enough that successors tend to appear.
So treat the takedown as breathing room, not a fix. A few concrete steps make sense regardless of which platform is operating:
- Push phishing-resistant MFA. Credential harvesting is the whole point of these kits. Hardware keys and passkeys blunt stolen passwords in a way that SMS codes do not.
- Watch for brand impersonation domains. With 20,000 domains tied to a single operation, certificate transparency monitoring and typosquat detection earn their keep.
- Train against the regional and seasonal lures. "Free internet access" and promotional offers attached to a familiar name are effective precisely because they feel local and timely.
- Lock down notification and SMS abuse paths. The monetization here did not stop at passwords. Browser notification permissions and premium SMS subscriptions were part of the revenue model, so educating users on those prompts matters too.
Operation Ramz is a reminder that the phishing economy is built less on technical sophistication than on scale and accessibility. Sniper Dz lasted a decade not because it was hard to detect, but because it was free, easy to use, and quietly profitable at every step. Cutting off one supplier helps. Removing the underlying demand, by making stolen credentials less useful, is the longer game.
