Ravie LakshmananJun 12, 2026Cybercrime / Phishing
An INTERPOL-led operation final month resulted within the disruption of Sniper Dz, a decade-long phishing-as-a-service (PhaaS) platform, Team-IB stated Thursday.
The trouble, codenamed Operation Ramz, came about between October 2025 and February 2026, and noticed government from 13 nations within the Heart East and North Africa (MENA) area making 201 arrests.
Integrated amongst them was once Guedz, the main developer and administrator of Sniper Dz, a PhaaS provider that is stated to have accrued greater than 45,000 sufferer data. The arrest was once made by means of the Algerian Nationwide Police. Through the years, the platform rebranded itself as Joker Dz, Typhoon Dz, and Unsolicited mail Dz.
As a part of Operation Ramz, the web site used to provide PhaaS features to different cybercriminals was once taken down. Government additionally seized {hardware} containing phishing device and scripts.
“Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to cybercriminals,” the Singapore-headquartered cybersecurity corporate stated.
Within the years since then, greater than 20,000 distinctive domain names related to the PhaaS provider had been recognized. The toolkit essentially centered 30 primary world organizations, together with PayPal, Fb, Instagram, Yahoo, Netflix, and Steam, the use of 80 phishing templates deployed in 5 languages, together with Arabic, English, French, Spanish, and Hebrew.
Phishing campaigns the use of Sniper Dz singled out customers of era, social media, and streaming platforms throughout a number of geographies by means of impersonating in style manufacturers and govt entities the use of convincing imitation internet sites with the function of harvesting credentials, non-public knowledge, and different delicate knowledge.
“Beyond traditional credential theft, the platform also leveraged social engineering techniques that exploited the popularity and credibility of public figures across the Middle East and North Africa,” Team-IB defined. “Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access.”
Sniper Dz was once the topic of a complete research by means of Palo Alto Networks Unit 42 in October 2024, which detailed the danger actor’s use of a Telegram channel with greater than 7,300 subscribers to percentage educational movies and the choices it supplies to host the phishing pages by itself infrastructure in the back of a proxy server.
What made Sniper Dz stand proud of the crowded PhaaS marketplace is that it presented its complete infrastructure free of charge, making it more straightforward for aspiring cybercriminals to drag off phishing campaigns at scale. The monetization avenues as an alternative depended on credential robbery and sufferer site visitors.
“Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns,” Team-IB stated.


