Operation Ramz, a coordinated international law enforcement initiative, dismantled SniperDz, a prolific Phishing-as-a-Service (PhaaS) platform that had operated for approximately one decade. Conducted between October 2025 and February 2026, the operation targeted the platform's core infrastructure and its extensive affiliate network across the Middle East and North Africa (MENA) region. The campaign resulted in the arrest of the primary developer and administrator, "Guedz," along with 201 affiliates. The takedown removes a significant source of scalable phishing payloads and credential-harvesting capability that has historically enabled widespread identity theft and financial fraud.
Incident Overview: Operation Ramz
- Coordinated international law enforcement initiative led by INTERPOL and threat intelligence firm Group-IB.
- Execution window spanned from October 2025 through February 2026.
- Collaborative effort involving law enforcement agencies from 13 MENA (Middle East and North Africa) countries.
Threat Actor Profile: The SniperDz Ecosystem
- Functioned as a highly resilient Phishing-as-a-Service (PhaaS) platform.
- Operated under the administration of a primary developer known as "Guedz."
- Provided specialized infrastructure for affiliates to execute large-scale credential harvesting and social engineering attacks.
Operational Mechanics: Long-Term Phishing Capability
- Remained continuously operational for approximately 10 years.
- Facilitated scalable phishing campaigns through a subscription-based service model.
- Leveraged specialized toolsets to automate the deployment of malicious landing pages and data exfiltration.
Law Enforcement & Impact: Massive Disruption
- Resulted in the arrest of 201 individuals, including the platform's primary administrator.
- Effectively dismantled the centralized SniperDz PhaaS infrastructure.
- Involved critical intelligence support from the Algerian National Police and regional partners.
Conclusion: Strategic Defensive Implications
- Neutralization of a decade-old supply chain for phishing-related cybercrime.
- Highlights the necessity of cross-sector cooperation between INTERPOL and private intelligence firms.
- Temporary reduction in the availability of professionalized PhaaS tooling within the MENA region.