INTERPOL Dismantles Sniper Dz Phishing Platform, Arrests 201
An INTERPOL-coordinated operation codenamed "Operation Ramz" has successfully disrupted Sniper Dz, a decade-old phishing-as-a-service (PhaaS) platform responsible for harvesting over 45,000 victim credentials. Running from October 2025 to February 2026, the effort brought together law enforcement from 13 countries across the Middle East and North Africa (MENA) region, resulting in 201 arrests and the seizure of hardware containing phishing scripts. Among those apprehended was Guedz, the platform's primary developer and administrator, who was taken into custody by the Algerian National Police. Sniper Dz, which rebranded multiple times as Joker Dz, Storm Dz, and Spam Dz since its launch around 2015, offered ready-made phishing kits, hosting infrastructure, and operational support to aspiring cybercriminals completely free of charge.
According to Group-IB's analysis, the platform leveraged more than 20,000 unique domains and 80 phishing templates in five languages (Arabic, English, French, Spanish, and Hebrew) to impersonate 30 major global brands, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam. Beyond conventional credential harvesting, threat actors used social engineering, creating fake social media accounts that impersonated well-known political figures in the MENA region and using them to promote phishing links disguised as promotional offers or free internet access. Palo Alto Networks Unit 42 previously profiled Sniper Dz in October 2024, documenting its 7,300-subscriber Telegram channel, which was used to distribute tutorial videos and phishing infrastructure. Monetization relied entirely on credential theft and traffic redirection into carrier billing fraud and premium SMS subscription schemes, rather than subscription fees.
The takedown highlights the growing international cooperation required to combat PhaaS ecosystems, which lower the technical barrier for phishing at scale. Users concerned about credential exposure can verify whether their information has surfaced in known breaches using an email breach checker and strengthen accounts with a reliable password checker. Security researchers investigating suspicious domains linked to similar campaigns can also leverage a WHOIS lookup to trace registration details and infrastructure ownership. With Sniper Dz's infrastructure now offline, security teams should continue monitoring for clones or rebranded successors exploiting the same social engineering playbooks.