A joint INTERPOL effort across 13 MENA nations dismantled phishing‑as‑a‑service platforms, seized servers, and arrested 201 suspects, highlighting the power of cross‑border collaboration between law enforcement and private‑sector threat intel firms.
INTERPOL’s Operation Ramz has delivered a rare, region‑wide strike against cybercrime in the Middle East and North Africa. Over a five‑month window (Oct 2025 – Feb 2026) investigators from Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia and the United Arab Emirates coordinated raids, server takedowns and forensic sweeps that resulted in 201 arrests and the identification of 382 additional suspects. The operation focused on phishing‑as‑a‑service (PhaaS) platforms, banking‑trojan distribution, and large‑scale financial‑fraud scams that have cost victims millions of dollars.
How the crackdown unfolded
| Phase | Key actions | Impact |
|---|---|---|
| Intelligence gathering | Private‑sector partners such as Group‑IB supplied actionable intel on 5,000+ compromised accounts and mapped active phishing infrastructure. | Enabled rapid targeting of high‑value servers before they could be relocated. |
| Server seizures | 53 servers seized across the region, including a PhaaS host in Algeria, a compromised private‑residence server in Oman, and a banking‑data node in Morocco. | Disrupted command‑and‑control channels and removed malware binaries from the wild. |
| Physical raids | Law‑enforcement teams seized computers, smartphones and external hard drives, including a mobile phone recovered at the Algerian server site. | Provided forensic evidence linking suspects to specific phishing campaigns. |
| Arrests & victim outreach | 201 individuals detained; 3,867 victims identified and notified. | Immediate victim remediation and a deterrent signal to criminal networks. |
Notable takedowns
- Algerian PhaaS hub – Confiscated a server running a turnkey phishing kit that sold ready‑made clone sites for banking‑credential theft. The raid also recovered a laptop and a hard drive of custom scripts used to automate credential harvesting.
- Moroccan banking‑data cache – Authorities seized devices loaded with stolen account numbers, IBANs and one‑time passwords. Forensic analysis showed the data had been harvested from compromised point‑of‑sale terminals in several North‑African cities.
- Omani private‑residence server – The machine hosted a misconfigured, publicly exposed web service with several critical unpatched vulnerabilities, including an unauthenticated remote‑code‑execution flaw in an outdated PHP version. Malware found on the host was a variant of the Emotet loader, suggesting the server was being used as a staging point for broader campaigns.
- Qatari compromised devices – Hundreds of home PCs were discovered to be part of a botnet that silently relayed spam and malicious payloads. Owners were unaware; the devices were cleaned and patched during the operation.
- Jordanian financial‑fraud cell – A laptop used to run a fake trading platform was recovered. The platform lured victims with promises of high‑yield returns, then vanished once funds were deposited. The investigation uncovered that the operators were themselves victims of human‑trafficking networks, recruited from Asia under false employment promises.
Expert perspective
"Cybercrime is borderless, and the only effective response is one that is equally borderless," says Joe Sander, CEO of Team Cymru. "Operation Ramz shows what happens when law‑enforcement agencies and trusted private‑sector partners pool intelligence, move in concert, and dismantle the infrastructure criminals rely on."
Group‑IB’s chief analyst, Lara Ben‑Mansour, added that the operation highlighted a growing trend: phishing‑as‑a‑service platforms are becoming the backbone of financially motivated attacks in the region, allowing low‑skill actors to launch sophisticated credential‑theft campaigns with minimal effort.
Practical takeaways for security teams
- Audit external‑facing services – The Omani server was compromised because of an outdated, publicly exposed web service. Regularly scan for outdated versions of PHP, Apache, Nginx and related components, and patch or retire anything that is reachable from the internet.
- Implement multi‑factor authentication (MFA) on all privileged accounts – Even if credentials are harvested, MFA blocks most automated replay of stolen passwords. Note the caveat: PhaaS kits that proxy the real login page can relay SMS and TOTP codes in real time (the Moroccan cache included harvested one‑time passwords), so prefer phishing‑resistant methods such as FIDO2/WebAuthn where the account warrants it.
- Deploy DNS‑based phishing detection – Solutions that monitor DNS queries for newly registered domains resembling banks can block phishing sites before users click.
- Educate users about recruitment scams – The Jordanian case shows how trafficked workers can be coerced into cybercrime. Awareness programs that cover both employment scams and cyber‑fraud reduce the pool of coerced operators these networks depend on.
- Use threat‑intel sharing platforms – Group‑IB’s contribution of compromised‑account lists proved critical. Join ISACs or regional sharing groups to receive timely indicators of compromise (IOCs).
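The DNS‑based detection described above, as an added illustration rather than code from the article, INTERPOL or any vendor it names: the script screens DNS query logs for domains that resemble protected bank domains (brand used as a subdomain, confusable‑character spellings, brand embedded with extra words, small edit distance) and prioritises the newly registered ones. The protected domains, the log format (timestamp, client, queried name, registrable‑domain age in days from an assumed registration‑date enrichment) and the sample log lines are all constructed for the example.

```python
"""Lookalike-domain screening over DNS query logs.

Added example, not code from the article or any organisation it names.
Assumptions (hypothetical): PROTECTED lists the bank domains we defend, and
each log line is "timestamp client qname age_days", where age_days comes from
a registration-date feed (WHOIS/passive DNS) the resolver has already joined in.
"""

PROTECTED = ["gulfbank.example", "maghreb-pay.example"]   # hypothetical brands
NEW_DOMAIN_DAYS = 30          # "newly registered" threshold for blocking
MAX_EDIT_DISTANCE = 2         # typosquat tolerance for short brand labels

# Substitutions phishing kits use to pass visual inspection; applied in order.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]


def registrable(qname: str) -> str:
    """Last two labels as an approximation of the registrable domain.
    Production code should use the Public Suffix List (co.uk, com.eg, ...)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Map confusable characters to the letters they imitate."""
    out = label.lower()
    for src, dst in CONFUSABLES:
        out = out.replace(src, dst)
    return out


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resemblance(qname: str, protected=PROTECTED):
    """Return a reason string if qname looks like a protected brand, else None."""
    qname = qname.lower().rstrip(".")
    reg = registrable(qname)
    if reg in (p.lower() for p in protected):
        return None                              # the real domain, any subdomain
    brands = sorted({normalize(p.split(".")[0]) for p in protected})
    labels = qname.split(".")
    reg_label = normalize(reg.split(".")[0])
    # 1. brand hidden in a subdomain of an unrelated registrable domain,
    #    e.g. gulfbank.example.secure-login.example
    for lab in labels[:-2]:
        for b in brands:
            if b in normalize(lab):
                return f"brand '{b}' used as subdomain of {reg}"
    for b in brands:
        # 2. confusable spelling or TLD swap: gu1fbank.example, gulfbank.com
        if reg_label == b:
            return f"confusable/TLD variant of '{b}'"
        # 3. brand embedded with extra words: gulfbank-verify.example
        if b in reg_label:
            return f"brand '{b}' embedded in {reg}"
        # 4. typosquat within a small edit distance: gulfbnak.example
        d = levenshtein(reg_label, b)
        if d <= MAX_EDIT_DISTANCE:
            return f"edit distance {d} from '{b}'"
    return None


def triage(log_text: str):
    """Parse 'ts client qname age_days' lines and return (qname, action, reason)
    for every query that resembles a brand; new domains are blocked outright,
    older lookalikes are queued for analyst review."""
    hits = []
    for line in log_text.strip().splitlines():
        _ts, _client, qname, age = line.split()
        reason = resemblance(qname)
        if reason is None:
            continue
        action = "block" if int(age) < NEW_DOMAIN_DAYS else "review"
        hits.append((qname, action, reason))
    return hits


# Constructed sample log (not real traffic): ts client qname age_days
SAMPLE_LOG = """
2026-02-03T09:14:02Z 10.0.4.21 www.gulfbank.example 4120
2026-02-03T09:14:10Z 10.0.4.21 gulfbank.example.secure-login.example 3
2026-02-03T09:15:44Z 10.0.4.37 gu1fbank.example 6
2026-02-03T09:16:01Z 10.0.4.37 rnaghreb-pay.example 11
2026-02-03T09:16:30Z 10.0.4.52 gulfbnak.example 210
2026-02-03T09:17:12Z 10.0.4.52 news.example 2900
"""

if __name__ == "__main__":
    for qname, action, reason in triage(SAMPLE_LOG):
        print(f"{action:6} {qname:40} {reason}")
```

The exact‑match test on the registrable domain runs first so that legitimate subdomains of the bank (`www.`, `login.`) are never flagged, and the confusable normalisation is applied to both the query and the brand so a brand that itself contains `rn` or a digit is compared consistently. Edit‑distance matching is deliberately capped at two for short labels; loosen it only with an allow‑list, or common words will start to collide with brand names.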
What’s next?
INTERPOL has announced that the intelligence gathered during Operation Ramz will feed into a MENA Cybercrime Threat Intelligence Hub slated for launch later this year. The hub will provide participating nations with real‑time alerts on emerging phishing kits, malware droppers, and compromised infrastructure.
Meanwhile, law‑enforcement agencies are expected to continue pursuing the 382 identified suspects who remain at large, many of whom are believed to operate from overseas safe havens.
For more details on the technical indicators uncovered during the raids, see the full forensic report released by Group‑IB.
