All incidents

INTERPOL Operation Ramz disrupts MENA cybercrime networks

campaignclosedMay 18, 2026 — May 18, 2026

INTERPOL’S Operation Ramz has led to the arrest of 201 individuals across the Middle East and North Africa in a coordinated strike against phishing and malware networks that ran from October 2025 to February 2026. The operation involved law‑enforcement agencies from 13 countries and resulted in the seizure of 53 servers, the identification of 3 867 victims and the naming of a further 382 suspects. Details of the crackdown were outlined in a joint statement released by INTERPOL and Group‑IB here.

The campaign focused on dismantling a phishing‑as‑a‑service platform that had been renting out fraudulent kits to criminals throughout the region. Authorities in Algeria confiscated a server, a computer, a mobile phone and several hard drives loaded with phishing software, while similar raids took place in Qatar, Jordan, Oman and Morocco. In total almost eight thousand pieces of intelligence were shared among participants to support ongoing investigations.

Technical analysis of the seized infrastructure revealed custom malware loaders designed to harvest credentials and financial data, alongside spam distribution tools used in large‑scale email campaigns. The infrastructure was hosted on compromised virtual private servers that were quickly taken offline once law‑enforcement gained access. No specific CVEs were associated with the tools, but the malware families exhibited common obfuscation techniques seen in underground markets.

Although no individual threat actor was publicly named, the operation highlights the growing sophistication of cybercrime syndicates operating out of the MENA region, which have increasingly turned to service‑based models to lower the barrier for entry. INTERPOL described the effort as the first of its kind to combine cross‑border judicial cooperation with direct technical disruption in the area. The action is intended to reduce both immediate financial losses and the longer‑term erosion of trust in digital services.

Defenders should treat the Ramz takedown as a reminder to scrutinise inbound email for signs of credential‑harvesting kits and to block known malicious domains associated with the seized servers. Updating spam filters with the indicators released by INTERPOL can help prevent residual phishing attempts that may still be circulating. Organisations are also advised to enforce multi‑factor authentication on all remote access points and to review authentication logs for unusual login patterns that could signal attempted abuse of the dismantled infrastructure.

Practical steps include conducting regular awareness training that focuses on the latest social‑engineering lures observed in the operation, sharing any suspicious indicators with national CERTs and with peers through trusted information‑sharing platforms, and ensuring that endpoint protection solutions are configured to detect the behavioural signatures of the malware families identified. By maintaining vigilance and leveraging the intelligence released by the operation, security teams can reduce the likelihood of falling victim to similar phishing‑as‑a‑service schemes in the future.

Intelligence briefing updated Jun 10, 2026

Root sourcewww.group-ib.com
Timeline Coverage

Swipe to explore timeline