An INTERPOL-led operation last month successfully disrupted **Sniper Dz**, a sophisticated phishing-as-a-service (PhaaS) platform that had been operational for nearly a decade, according to cybersecurity firm **Group-IB**. ### Operation Ramz: A Coordinated Takedown The coordinated effort, dubbed **Operation Ramz**, spanned from October 2025 to February 2026. It involved law enforcement agencies from 13 countries in the Middle East and North Africa (MENA) region, leading to a significant 201 arrests. Among those apprehended was **Guedz**, identified as the primary developer and administrator of **Sniper Dz**. His arrest was carried out by the Algerian National Police. The platform, which also operated under aliases such as **Joker Dz**, **Storm Dz**, and **Spam Dz**, is believed to have facilitated the collection of over 45,000 victim records. As part of Operation Ramz, the website used by cybercriminals to access the PhaaS capabilities was taken down, and authorities seized hardware containing critical phishing software and scripts. ### Evolution of a PhaaS Giant **Group-IB**, a Singapore-headquartered cybersecurity company, noted that **Sniper Dz** had been active since at least 2015. Over the years, it evolved into a comprehensive criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to aspiring cybercriminals. Investigators have identified more than 20,000 unique domains associated with the PhaaS service. The toolkit primarily targeted users of 30 major global organizations, including **PayPal**, **Facebook**, **Instagram**, **Yahoo**, **Netflix**, and **Steam**. It utilized 80 phishing templates deployed in five languages, including Arabic, English, French, Spanish, and Hebrew. ### Beyond Credential Theft Phishing campaigns leveraging **Sniper Dz** impersonated popular brands and government entities, employing convincing imitation websites to harvest credentials, personal information, and other sensitive data from users of technology, social media, and streaming platforms across various geographies. **Group-IB** highlighted that the platform also employed advanced social engineering techniques. "Beyond traditional credential theft, the platform also leveraged social engineering techniques that exploited the popularity and credibility of public figures across the Middle East and North Africa," the company explained. "Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access." ### The Free Model and Monetization **Palo Alto Networks Unit 42** conducted a comprehensive analysis of **Sniper Dz** in October 2024. Their report detailed the threat actor's use of a Telegram channel with over 7,300 subscribers to share tutorial videos and highlighted the platform's unique offering of hosting phishing pages on its own infrastructure behind a proxy server. What set **Sniper Dz** apart in the crowded PhaaS market was its decision to offer its entire infrastructure for free. This significantly lowered the barrier to entry for cybercriminals, enabling them to launch large-scale phishing campaigns with ease. The platform's monetization strategy relied on credential theft and victim traffic. "Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns," **Group-IB** elaborated.