Authorities Dismantle SniperDZ Phishing-as-a-Service Network
INTERPOL, the Algerian National Police, and Group-IB dismantled SniperDZ, a phishing-as-a-service ecosystem that operated for nearly a decade and enabled large-scale credential theft, personal-data harvesting, and browser-based fraud. Investigators said the operation distributed about 80 free phishing templates through Telegram and Facebook channels, impersonated roughly 30 major online platforms, and relied on more than 20,000 domains to host fake login pages. Group-IB attributed the infrastructure to a threat actor known as Guedz after analyzing tutorial videos that exposed an administrator panel and backend email addresses; Algerian authorities then arrested the suspect and seized hardware containing phishing code and malicious scripts.
Researchers said SniperDZ also functioned as a centralized push-notification abuse platform used heavily across the Middle East and North Africa. Campaigns used fake Facebook and Instagram posts impersonating politicians, public figures, and telecom providers to lure victims with offers such as free mobile data, compensation, and subsidy programs, then redirected them through link shorteners and attacker-controlled chains to phishing pages that requested browser notification permissions. Group-IB linked multiple campaigns to the same ecosystem through a recurring VAPID public key and infrastructure hosted on Horizon IS, and documented cloaking, browser-history manipulation, and tab-under techniques used to evade detection while monetizing victims through unsolicited ads, scams, and malicious content. The takedown formed part of Operation Ramz, which spanned 13 countries and resulted in 201 arrests, 53 malicious servers seized, and 3,867 compromised endpoints and victims identified.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Group-IB traced 2024 MENA attacks to SniperDz
In 2024, Group-IB investigated social engineering attacks targeting the MENA region and traced them to the SniperDz phishing-as-a-service platform. The investigation connected the activity to the broader ecosystem later disrupted under Operation Ramz.
Algerian authorities arrested Guedz and seized SniperDZ infrastructure
Algerian authorities arrested the suspected operator Guedz and seized hardware containing phishing code and malicious scripts. The action was part of the broader dismantling of the SniperDZ phishing network involving Group-IB, INTERPOL, and the Algerian National Police.
Group-IB linked SniperDZ to threat actor Guedz
After analyzing tutorial videos that exposed an administrator panel and backend email addresses, Group-IB attributed the SniperDZ operation to a threat actor known as Guedz. Separate research also tied multiple campaigns to the same ecosystem through a recurring VAPID public key and shared infrastructure hosted on Horizon IS.
Operation Ramz ran across 13 countries
INTERPOL's Operation Ramz was conducted across 13 countries from October 2025 to 2026-02-28. The operation resulted in 201 arrests, the seizure of 53 malicious servers, and the identification of 3,867 compromised endpoints and victims.
SniperDZ operated a phishing-as-a-service network for nearly a decade
SniperDZ ran a long-lived phishing ecosystem that distributed around 80 free phishing templates through Telegram and Facebook channels, targeted about 30 major online platforms, and used more than 20,000 domains to host fake login pages. Group-IB also described the ecosystem as supporting large-scale brand impersonation, credential theft, and browser-notification abuse across the Middle East and North Africa.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Sniper Dz Scams Target MENA Users via Fake Facebook Offers and Browser Alerts
thehackernews.com
Open sourceDismantling SniperDz: Investigation story | Group-IB
group-ib.com
Open sourceINTERPOL Operation Takes Down Sniper Dz Phishing Platform, Arrests Administrator
thehackernews.com
Open sourceHackers Abuse SniperDz PhaaS Ecosystem for Brand Impersonation and Browser Hijacking - Cyber Security News
cybersecuritynews.com
Open sourceAuthorities Dismantle Decade-Old SniperDZ Phishing Network
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
INTERPOL Operation Synergia III Disrupts Global Phishing and Fraud Infrastructure
**INTERPOL** said **Operation Synergia III** led to the arrest of **94 suspects**, the seizure of **212 devices and servers**, and the sinkholing or takedown of more than **45,000 malicious IP addresses** tied to cybercrime infrastructure across **72 countries and territories**. The operation ran from July 2025 through January 2026 and targeted infrastructure supporting **phishing, malware, ransomware, romance scams, credit card fraud, and related online fraud**. Authorities said **110 additional individuals remain under investigation**, underscoring that follow-on enforcement activity is still ongoing. Preliminary case details show broad international participation and a focus on both technical infrastructure and fraud operators. In **Macau**, investigators identified more than **33,000 phishing and fraudulent websites**, including fake casino, banking, government, payment, and other critical-service sites used to steal credentials and payment data. In **Bangladesh**, authorities arrested **40 suspects** and seized **134 devices** linked to loan scams, employment scams, identity theft, and credit card fraud, while in **Togo** police arrested **10 suspects** tied to a fraud ring whose members split responsibilities between account compromise and social-engineering schemes such as romance and sextortion scams. The reporting describes a coordinated law-enforcement disruption of active criminal infrastructure rather than a vendor announcement or generic security guidance.
Mar 20, 2026
INTERPOL Operation Ramz Nets 201 Arrests Across MENA Cybercrime Crackdown
INTERPOL said **Operation Ramz** led to 201 arrests across 13 Middle East and North Africa countries after a coordinated campaign against phishing, malware, and online scam networks. The operation, described as the first cybercrime action of its scale in the region, ran from October 2025 through 28 February 2026 and also identified 382 additional suspects, 3,867 victims, and 53 seized servers, with nearly 8,000 intelligence and investigative data points shared among participating authorities. Investigations produced multiple country-level disruptions, including the dismantling of a phishing-as-a-service platform in Algeria, the seizure of phishing infrastructure and banking data in Morocco, the disabling of a vulnerable malware-infected server in Oman, and the exposure of a financial fraud and fraudulent investment scheme in Jordan that also involved human trafficking victims. INTERPOL said the crackdown involved Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates, with support from private-sector partners including Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, and TrendAI.
May 25, 2026
FBI and Indonesian Police Dismantle W3LL Phishing Network
The FBI Atlanta Field Office and the Indonesian National Police dismantled infrastructure tied to the **W3LL** phishing operation, seized associated domains, and detained an alleged developer identified as **G.L.** Authorities said the platform enabled more than **$20 million** in attempted fraud by selling a low-cost phishing kit and operating **W3LLSTORE**, a marketplace that trafficked stolen credentials and unauthorized access. Investigators said the service sold kits for about **$500**, supported roughly **500 threat actors**, and facilitated the sale of more than **25,000** compromised accounts between 2019 and 2023. Researchers and law enforcement described W3LL as a full-service phishing and business email compromise platform used in more than **17,000 attacks worldwide** from 2023 to 2024, with the United States accounting for more than half of identified cases. Group-IB, Hunt.io, and Sekoia linked the operation to **Microsoft 365**-focused adversary-in-the-middle phishing, session cookie theft, **MFA bypass**, and code reuse in other kits such as **Sneaky 2FA**. Authorities said the operation continued on encrypted messaging platforms after W3LLSTORE shut down in 2023, underscoring how commercial phishing services lowered the barrier for attacks against sectors including manufacturing, technology, and professional services.
Apr 14, 2026