Interpol has successfully dismantled Sniper Dz, a phishing-as-a-service (PhaaS) platform that has been operational for over a decade. This action was part of Operation Ramz, conducted between October 2025 and February 2026, involving law enforcement agencies from 13 countries in the Middle East and North Africa (MENA) region. The operation led to 201 arrests, including that of Guedz, the primary developer and administrator of Sniper Dz, by the Algerian National Police. Authorities also seized hardware containing phishing software and scripts.
Sniper Dz, active since at least 2015, evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to cybercriminals. Over the years, the platform rebranded itself as Joker Dz, Storm Dz, and Spam Dz. It is estimated that Sniper Dz collected more than 45,000 victim records and was associated with over 20,000 unique domains. The toolkit primarily targeted 30 major global organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam, using 80 phishing templates deployed in five languages: Arabic, English, French, Spanish, and Hebrew.
Phishing campaigns using Sniper Dz impersonated popular brands and government entities to harvest credentials, personal information, and other sensitive data. The platform also relied on social engineering: it created fake social media accounts impersonating well-known political figures in the MENA region and used them to promote phishing links disguised as promotional offers or free internet access.
In October 2024, Palo Alto Networks Unit 42 conducted a comprehensive analysis of Sniper Dz. It detailed the threat actor's use of a Telegram channel with over 7,300 subscribers to share tutorial videos, and the options the platform provided for hosting phishing pages on its own infrastructure behind a proxy server. Notably, Sniper Dz offered its entire infrastructure for free, making it easier for aspiring cybercriminals to conduct phishing campaigns at scale. The platform made its money from credential theft and victim traffic instead, redirecting users into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns.
The takedown of Sniper Dz underscores the persistent threat posed by PhaaS platforms, which lower the barrier to entry for cybercriminals and facilitate widespread phishing attacks. This operation highlights the importance of international cooperation in combating cybercrime and the need for continuous vigilance against evolving phishing tactics.