[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fc_xMV3tBuNfkK9_lsSGBAs0sGOlR8OQiFV8xdDxC1Xs":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"c48b3bb1-a805-40b7-bc6c-b6ea3b1712b8","INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator","interpol-operation-takes-down-sniper-dz-phishing-platform-arrests-administrator-0cc97d","An INTERPOL-led operation last month resulted in the disruption of Sniper Dz, a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday. The effort, codenamed Operation Ramz, took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region making 201 arrests. Included among them was Guedz, the primary","An INTERPOL-led operation, codenamed Operation Ramz, has successfully dismantled Sniper Dz, a decade-old phishing-as-a-service (PhaaS) platform. The operation involved authorities from 13 MENA countries and resulted in 201 arrests, including the platform's primary developer and administrator, known as Guedz. Sniper Dz, which also operated under names like Joker Dz and Storm Dz, offered free phishing kits and infrastructure, targeting major global organizations and collecting over 45,000 victim records.","INTERPOL operation disrupts Sniper Dz phishing platform, leading to 201 arrests.","INTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator Ravie LakshmananJun 12, 2026Cybercrime \u002F Phishing An INTERPOL-led operation last month resulted in the disruption of Sniper Dz, a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday. The effort, codenamed Operation Ramz, took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region making 201 arrests. Included among them was Guedz, the primary developer and administrator of Sniper Dz, a PhaaS service that's said to have collected more than 45,000 victim records. The arrest was made by the Algerian National Police. Over the years, the platform rebranded itself as Joker Dz, Storm Dz, and Spam Dz. As part of Operation Ramz, the website used to offer PhaaS capabilities to other cybercriminals was taken down. Authorities also seized hardware containing phishing software and scripts. \"Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to cybercriminals,\" the Singapore-headquartered cybersecurity company said. In the years since then, more than 20,000 unique domains associated with the PhaaS service have been identified. The toolkit primarily targeted 30 major global organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam, using 80 phishing templates deployed in five languages, including Arabic, English, French, Spanish, and Hebrew. Phishing campaigns using Sniper Dz singled out users of technology, social media, and streaming platforms across several geographies by impersonating popular brands and government entities using convincing imitation websites with the goal of harvesting credentials, personal information, and other sensitive data. \"Beyond traditional credential theft, the platform also leveraged social engineering techniques that exploited the popularity and credibility of public figures across the Middle East and North Africa,\" Group-IB explained. \"Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access.\" Sniper Dz was the subject of a comprehensive analysis by Palo Alto Networks Unit 42 in October 2024, which detailed the threat actor's use of a Telegram channel with more than 7,300 subscribers to share tutorial videos and the options it provides to host the phishing pages on its own infrastructure behind a proxy server. What made Sniper Dz stand out from the crowded PhaaS market is that it offered its entire infrastructure for free, making it easier for aspiring cybercriminals to pull off phishing campaigns at scale. The monetization avenues instead relied on credential theft and victim traffic. \"Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns,\" Group-IB said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Credential Theft, Cybercrime, cybersecurity, Group-IB, Interpol, PhaaS, Phishing, Sniper Dz, Social Engineering ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories Microsoft Fixes One-Click GitHub Dev Attack That Let Attackers Steal OAuth Tokens Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479) Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes New HTTP\u002F2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy and Cloudflare ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors + 20 New Stories ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale Catch 88% of Malware Threats in Under 60 Seconds with Live Sandbox Analysis [Guide] Transform Network Operations with Intelligent Workflows See How Agentic AI Cuts Your SOC Triage Time in Half [Get a Demo]","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Finterpol-takes-down-sniper-dz-phishing.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjqcWT1xHrfFw79S9Oy4jvo4Uw-tcziRPU4yzf1sySQQHWcn2S1Q-ke0f75hujKSNOkS375t93N6FrNzo0JXtXBm4lmsk4DQxVQyb8WVWOrQ2QSVBTMKjOexXV5394bYytXtS6putjNb8A0hqLqu7uvuKhGarI8TmwaxtxJebZJJDu6sEP17k6ic0tPSFiB\u002Fs1600\u002Fphish.jpg","2026-06-12T08:52:55+00:00","2026-06-12T10:00:14.563838+00:00",8,[18,21,24,27,29,31],{"name":19,"type":20},"Guedz","threat_actor",{"name":22,"type":23},"Operation Ramz","campaign",{"name":25,"type":26},"Sniper Dz","product",{"name":28,"type":26},"Joker Dz",{"name":30,"type":26},"Storm Dz",{"name":32,"type":33},"Group-IB","vendor","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":34,"icon":36,"name":37,"slug":38},null,"Threat Intelligence","threat-intelligence",[40,45],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":46},{"id":34,"icon":36,"name":37,"slug":38},[]]