An INTERPOL-led operation last month resulted in the disruption of Sniper Dz, a decade-old phishing-as-a-service (PhaaS) platform, Group-IB said Thursday.
The effort, codenamed Operation Ramz, took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region make 201 arrests.
Included among them was Guedz, the primary developer and administrator of Sniper Dz, a PhaaS service that’s said to have collected more than 45,000 victim records. The arrest was made by the Algerian National Police. Over the years, the platform rebranded itself as Joker Dz, Storm Dz, and Spam Dz.
As part of Operation Ramz, the website used to offer PhaaS capabilities to other cybercriminals was taken down. Authorities also seized hardware containing phishing software and scripts.
“Active since at least 2015, Sniper Dz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to cybercriminals,” the Singapore-headquartered cybersecurity company said.
In the years since then, more than 20,000 unique domains associated with the PhaaS service have been identified. The toolkit primarily targeted 30 major global organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam, using 80 phishing templates deployed in five languages: Arabic, English, French, Spanish, and Hebrew.
Phishing campaigns using Sniper Dz singled out users of technology, social media, and streaming platforms across several geographies, impersonating popular brands and government entities through convincing imitation websites, with the goal of harvesting credentials, personal information, and other sensitive data.
“Beyond traditional credential theft, the platform also leveraged social engineering techniques that exploited the popularity and credibility of public figures across the Middle East and North Africa,” Group-IB explained. “Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access.”
Sniper Dz was the subject of a comprehensive analysis by Palo Alto Networks Unit 42 in October 2024, which detailed the threat actor’s use of a Telegram channel with more than 7,300 subscribers to share tutorial videos, as well as the options it provided to host phishing pages on its own infrastructure behind a proxy server.
What made Sniper Dz stand out in the crowded PhaaS market was that it offered its entire infrastructure for free, making it easier for aspiring cybercriminals to pull off phishing campaigns at scale. Monetization instead relied on credential theft and victim traffic.
“Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns,” Group-IB said.







