How INTERPOL’s Operation Ramz Reshapes Cybercrime Enforcement in MENA


CyberSecureFox Editorial Team

INTERPOL has concluded an unprecedented coordinated anti-cybercrime operation in the Middle East and North Africa (MENA) region. Operation Ramz, conducted from October 2025 to February 2026 with the participation of 13 countries, resulted in 201 arrests, the identification of another 382 suspects, the discovery of 3,867 victims and the seizure of 53 servers. In addition to classic phishing and fraud schemes, the investigation uncovered a forced-labor scheme in which human trafficking victims were used as operators of financial fraud.

Scope and geography of the operation

According to INTERPOL’s official statement, the operation was aimed at neutralizing phishing and malware infrastructures, as well as countering cyber fraud that causes significant financial damage to the region. Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia and the UAE took part in the operation.

Key country-level results demonstrate the diversity of the threats uncovered:

  • Algeria — a Phishing-as-a-Service (PhaaS) platform was dismantled. A server, a computer, a mobile phone and hard drives containing phishing software and scripts were confiscated. One suspect was arrested.
  • Morocco — computers, smartphones and external drives containing banking data and tools for phishing operations were seized.
  • Oman — a legitimate server with confidential information was found in a private residence; it had multiple critical vulnerabilities and was infected with malware. The server was taken offline.
  • Qatar — compromised devices were identified whose owners were unaware that their systems were being used to distribute malicious threats. The devices were secured and the owners notified.
  • Jordan — a computer used to conduct financial fraud schemes via a fake trading platform was discovered.

It is worth noting that INTERPOL did not disclose specific malware families, indicators of compromise, or details of the server vulnerabilities in Oman and Qatar, which limits the possibilities for an independent technical assessment of the scale of the threats.

Human trafficking in the service of cyber fraud

The most disturbing finding of the operation came in Jordan. During a search, 15 people were found who were directly conducting fraudulent operations using a fake investment platform that would cease operations after receiving victims’ funds. However, the investigation established that these 15 operators were themselves victims of human trafficking — they had been recruited under false employment pretenses from Asian countries. Upon arrival in Jordan, their passports were confiscated and they were forced to participate in the fraud scheme. Two alleged organizers were arrested.

This case illustrates the growing convergence between cybercrime and “real world” organized crime. The model of forced cyber fraud, previously documented on a large scale in Southeast Asia (Cambodia, Myanmar, Laos), is now also being observed in the MENA region, indicating the geographic expansion of this practice.

Role of the private sector

Companies from the private sector took part in the operation. Group-IB reported that it had provided intelligence on more than 5,000 compromised accounts, including those linked to government infrastructure, as well as information on active phishing infrastructure in the region. Team Cymru also stated that it supported the operation, emphasizing the need for coordination between law enforcement and the private sector.

The participation of companies specializing in threat analysis in such operations is becoming standard practice: law enforcement agencies gain technical expertise and access to telemetry data they do not possess on their own, while companies gain legitimization of their intelligence capabilities.

Context: a wave of law-enforcement actions

Operation Ramz forms part of a series of major law-enforcement actions in recent weeks. Among the most significant:

  • Dream Market: charges have been filed for money laundering against Ove Martin Andresen (Speedstepper), the alleged lead administrator of the darknet marketplace, who was arrested in Germany.
  • Crimenetwork: the relaunched version of the marketplace was shut down (the original was taken offline in December 2024), and the alleged administrator — a 35-year-old German citizen — was arrested in Mallorca.
  • Kingdom Market: administrator Alan Bill from Bratislava was sentenced to 200 months (more than 16 years) in prison for distributing narcotics, stolen financial data, forged documents and malware.
  • Cryptocurrency fraud: Marlon Ferro (GothFerrari), 20, was sentenced to 78 months in prison for his role in a social-engineering scheme that stole more than USD 250 million in cryptocurrency. The scheme combined online fraud with physical thefts of hardware wallets.
  • Government data deletion: Sohaib Akhter was convicted of deleting 96 databases containing US government information and stealing a plaintext password from the Equal Employment Opportunity Commission portal.

Taken together, these actions demonstrate a systematic increase in pressure on cybercriminal infrastructure across all fronts — from darknet marketplaces to phishing platforms and social-engineering schemes.

Practical recommendations

The results of Operation Ramz highlight several practical priorities for organizations in the MENA region and beyond:

  • Audit of server infrastructure — the case in Oman shows that legitimate servers with critical vulnerabilities in private networks are becoming points of compromise. Conduct an inventory of all servers, including those located outside corporate data centers.
  • Monitoring compromised accounts — more than 5,000 compromised accounts, including government ones, point to large-scale credential leakage. Implement breach monitoring and forced password rotation for privileged accounts.
  • Endpoint inspection — the situation in Qatar, where device owners were unaware of the compromise, underscores the need for regular scanning for malware and anomalous network activity.
  • Employee training — Phishing-as-a-Service platforms lower the barrier to entry for attackers, increasing the volume and sophistication of phishing attacks. Update awareness programs to reflect current regional patterns.
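The compromised-account recommendation above can be turned into a repeatable triage step. The following is an added example, not material from INTERPOL or the vendors named in the article: it matches a breach-intelligence feed against a directory export and ranks the accounts that still need a forced rotation. The feed and directory field names, the accounts and the dates are all constructed assumptions.

```python
from datetime import date

# Constructed sample data. Field names and accounts are assumptions for this
# example, not a real feed format or real leaked accounts.
BREACH_FEED = [
    {"account": " Admin.Ops@Example.gov", "seen": "2026-01-10"},
    {"account": "j.doe@example.gov", "seen": "2025-11-02"},
    {"account": "svc-backup@example.gov", "seen": "2025-12-20"},
    {"account": "svc-backup@example.gov", "seen": "2025-10-05"},
    {"account": "root.dba@example.gov", "seen": "2026-01-15"},
    {"account": "someone@other.example", "seen": "2025-12-01"},
]
DIRECTORY = [
    {"upn": "admin.ops@example.gov", "privileged": True, "pwd_last_set": "2025-09-01", "mfa": True},
    {"upn": "j.doe@example.gov", "privileged": False, "pwd_last_set": "2025-12-15", "mfa": False},
    {"upn": "svc-backup@example.gov", "privileged": True, "pwd_last_set": "2024-03-03", "mfa": False},
    {"upn": "root.dba@example.gov", "privileged": True, "pwd_last_set": "2026-02-01", "mfa": True},
]

def triage(feed, directory):
    """Match a breach feed against a directory export; most urgent first."""
    latest = {}  # normalized account -> most recent sighting in the feed
    for item in feed:
        key = item["account"].strip().lower()
        seen = date.fromisoformat(item["seen"])
        latest[key] = max(seen, latest.get(key, seen))
    findings = []
    for user in directory:
        seen = latest.get(user["upn"].strip().lower())
        if seen is None:
            continue  # account not in the feed
        rotated = date.fromisoformat(user["pwd_last_set"]) > seen
        if rotated and not user["privileged"]:
            continue  # password changed after the sighting, low-impact account
        action = "review-signins" if rotated else "force-rotation"
        findings.append({"upn": user["upn"], "action": action,
                         "privileged": user["privileged"], "mfa": user["mfa"]})
    # Unrotated first, then privileged, then accounts without MFA.
    findings.sort(key=lambda f: (f["action"] != "force-rotation",
                                 not f["privileged"], f["mfa"], f["upn"]))
    return findings

if __name__ == "__main__":
    for finding in triage(BREACH_FEED, DIRECTORY):
        print(finding)
```

Privileged accounts whose password was changed after the sighting are kept in the output as "review-signins", because a rotation does not undo access obtained while the leaked credential was still valid.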

Operation Ramz is the first precedent for a coordinated cyber-policing operation of this scale in the MENA region. Its main value lies less in the number of arrests than in the creation of a working model of interstate cooperation in a region where such coordination had previously been absent. Organizations operating in these jurisdictions are advised to use the results of the operation as a basis for revising their own threat models — in particular, to account for the growth of Phishing-as-a-Service platforms and the expansion of forced cyber fraud schemes beyond Southeast Asia.

