How Operation Ramz Took Down the Sniper Dz PhaaS Platform

CyberSecureFox Editorial Team

According to Group-IB, an international operation led by INTERPOL has resulted in the dismantling of Sniper Dz, a phishing-as-a-service (PhaaS) platform that reportedly operated since 2015 and provided cybercriminals with free infrastructure for conducting phishing attacks. The operation, codenamed Operation Ramz and reportedly carried out between October 2025 and February 2026 by law enforcement agencies from 13 Middle Eastern and North African countries, ended with the arrest of 201 individuals and the seizure of equipment containing phishing software. Users of PayPal, Facebook, Instagram, Yahoo, Netflix and Steam whose credentials may have been compromised via this platform are advised to change their passwords and review the activity on their accounts.

Scale and technical infrastructure of the platform

According to a Group-IB press release, Sniper Dz was a mature criminal ecosystem offering turnkey phishing kits, hosting infrastructure and operational support. Over its lifetime the platform repeatedly rebranded, also operating under the names Joker Dz, Storm Dz and Spam Dz.

Key technical characteristics of the platform, according to the researchers:

  • More than 20,000 unique domains linked to phishing campaigns
  • 80 phishing templates deployed in five languages: Arabic, English, French, Spanish and Hebrew
  • Targeted attacks against users of 30 major global organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix and Steam
  • More than 45,000 victim records collected through the platform
  • The ability to host phishing pages on the platform’s own infrastructure behind a proxy server

The phishing campaigns targeted users of technology services, social networks and streaming platforms across several regions. The perpetrators impersonated popular brands and government agencies using convincing fake websites to harvest credentials and personal data.

Unique business model and monetization methods

The key feature that set Sniper Dz apart from competitors in the PhaaS market was its completely free infrastructure for users. This significantly lowered the barrier to entry for novice cybercriminals, enabling them to run phishing campaigns without any upfront investment.

As described by Group-IB, monetization followed two tracks. The first was direct harvesting of stolen credentials through phishing campaigns. The second was redirecting users who did not enter their credentials into mobile payment fraud schemes, premium SMS subscriptions, abuse of browser notifications and other affiliate fraud campaigns. In effect, the platform profited from every visitor to a phishing page, regardless of whether they submitted their data.

Social engineering in the MENA region

In addition to standard credential-stealing phishing, the operators of Sniper Dz, according to the researchers, actively used social engineering by exploiting the popularity and authority of public figures in the Middle East and North Africa. The attackers created fake social media accounts impersonating well-known political figures and used them to spread phishing links disguised as promotional offers or free internet access. This approach illustrates how phishing tactics were adapted to the regional specifics and cultural context of the target audience.

Impact assessment and context

The takedown of Sniper Dz is significant for several reasons. Its free model for distributing phishing infrastructure meant the platform potentially served thousands of operators with minimal technical skills. The scale of 20,000 domains and 45,000 victim records likely reflects only a fraction of the actual damage, given a decade of activity.

The highest risk was faced by users of major consumer services in the MENA region and French-speaking countries, as these were the primary audiences targeted by the platform’s language templates. However, the English- and Spanish-language templates extended the geographic reach of the attacks far beyond the region.

Important caveat: all data on Operation Ramz, including the number of arrests and the participation of 13 countries, is based solely on Group-IB’s reports. No official statements by INTERPOL or national law enforcement agencies are available in accessible sources, which calls for caution when assessing the completeness and accuracy of the figures provided.

Recommendations

For users of services targeted by Sniper Dz campaigns:

  • Change your passwords on PayPal, Facebook, Instagram, Yahoo, Netflix and Steam accounts, especially if you received suspicious links in these languages: Arabic, French, Spanish or Hebrew
  • Enable multi-factor authentication on all of the above services — this neutralizes stolen credentials
  • Review login history and active sessions in your accounts for signs of unauthorized access
  • Check your mobile service subscriptions — if there are unknown premium SMS subscriptions, contact your mobile operator

For organizations and security teams:

  • Review logs for any requests to domains previously associated with Sniper Dz (specific indicators of compromise are not disclosed in Group-IB’s public reports)
  • Strengthen phishing email filtering with consideration for multilingual templates impersonating major consumer brands
  • Educate employees about the tactic of using fake accounts of public figures to distribute phishing links
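Since Group-IB has not published indicators for Sniper Dz, the log review above has to start from a vetted blocklist plus a lookalike check for the brands the platform impersonated. The following is an added example, not code from the article or from Group-IB; the log format, the `*.example` blocklist entries and the `BRANDS` mapping are constructed assumptions.

```python
"""Flag proxy log requests to blocklisted or brand-lookalike hosts."""
import re
from urllib.parse import urlsplit

# Brands named in the reporting, mapped to their legitimate registrable domains
# (assumed list; extend for your environment).
BRANDS = {
    "paypal": {"paypal.com"},
    "facebook": {"facebook.com", "fb.com"},
    "instagram": {"instagram.com"},
    "yahoo": {"yahoo.com"},
    "netflix": {"netflix.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
}
# Placeholder blocklist: no Sniper Dz IoCs are public, so these are constructed
# stand-ins to be replaced with a threat-intel feed.
BLOCKLIST = {"phish-kit.example", "login-verify.example"}

def registrable(host):
    """Crude registrable-domain extraction (last two labels); a public-suffix
    list would be needed for ccTLDs such as .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify(host):
    """Return 'blocklist', 'lookalike:<brand>' or None for a hostname."""
    host = host.lower()
    reg = registrable(host)
    if reg in BLOCKLIST or host in BLOCKLIST:
        return "blocklist"
    for brand, legit in BRANDS.items():
        if brand in host and reg not in legit:  # brand string on a non-brand domain
            return f"lookalike:{brand}"
    return None

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<url>https?://\S+)")

def scan(lines):
    """Parse constructed 'timestamp src_ip url' lines; return (src, host, label)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        label = classify(host)
        if label:
            findings.append((m["src"], host, label))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE = [
    "2026-02-10T09:12:01Z 10.0.0.12 https://www.paypal.com/signin",
    "2026-02-10T09:13:44Z 10.0.0.15 https://paypal-secure-login.example/verify",
    "2026-02-10T09:14:02Z 10.0.0.20 http://login-verify.example/netflix/fr/",
    "2026-02-10T09:15:10Z 10.0.0.21 https://store.steampowered.com/",
]
```

Only the second and third sample lines are reported; the legitimate PayPal and Steam hosts pass because their registrable domain is in the allow set for that brand.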

Despite the takedown of Sniper Dz’s infrastructure, stolen credentials may already have been sold or used. The top-priority action is to enable multi-factor authentication on all accounts that could have been targeted by this platform, and to rotate passwords, especially if the same password was reused across several services from the Sniper Dz target list.

CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.