Operation Ramz: Dismantling the Cybercrime Infrastructure of the MENA Region

In a massive blow to organized digital crime, a multi-national enforcement initiative led by INTERPOL has successfully disrupted a sprawling network of malicious infrastructure across the Middle East and North Africa (MENA).

The coordinated effort, known as Operation Ramz, resulted in the arrest of 201 individuals and the physical seizure of 53 malicious servers utilized for large-scale phishing, malware distribution, and sophisticated financial fraud.

Spanning from October 2025 to February 2026, the operation mobilized law enforcement agencies from 13 different nations. Beyond the immediate arrests, investigators identified 382 additional suspects and documented the impact on 3,867 victims, highlighting the pervasive reach of these cyber-enabled criminal ecosystems.

Disrupting Malicious Infrastructure and Phishing-as-a-Service

Operation Ramz stands as a landmark enforcement action for the MENA region, moving beyond simple individual arrests to focus on the technical backbone of cybercrime: the infrastructure. By targeting Phishing-as-a-Service (PhaaS) platforms and command-and-control (C2) nodes, authorities aimed to sever the operational capabilities of organized threat actors.

The success of this mission was fueled by high-velocity intelligence sharing, with nearly 8,000 technical data points and intelligence reports exchanged between participating countries to map out adversary footprints and identify compromised assets.

INTERPOL’s Director of Cybercrime, Neal Jetton, underscored that because cyber threats are inherently borderless, the only effective defense is a unified, globalized response that dismantles criminal ecosystems at their source.

The operation yielded critical technical and social findings across various jurisdictions:

  • Qatar: Forensic investigations identified a range of compromised consumer devices being weaponized as bots to distribute malware. Authorities successfully notified victims and facilitated system remediation.
  • Jordan: Beyond financial fraud via fraudulent investment platforms, investigators uncovered a dark intersection between cybercrime and human trafficking. Fifteen individuals were found to be victims of coercion, forced into operating scam schemes after being lured by deceptive job offers.
  • Oman: Technical teams located a rogue server running malware within a private residence, effectively neutralizing a local node used for exploitation.
  • Algeria: Law enforcement successfully took down a dedicated Phishing-as-a-Service (PhaaS) web portal, seizing the underlying servers, specialized phishing toolkits, and hardware.
  • Morocco: Authorities confiscated hardware containing high-value assets, including stolen banking credentials and specialized phishing software.

The seizure of the 53 servers is particularly significant. These assets functioned as the central nervous system for various campaigns, hosting malicious scripts, managing botnet communications, and facilitating the automated theft of financial data.

The mission’s technical depth was bolstered by a robust public-private partnership. Industry leaders including Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, and Trend Micro provided critical telemetry and actionable threat intelligence to help track and de-anonymize the malicious infrastructure.

Participating Nations and Strategic Framework

The operation saw unprecedented cooperation from a broad coalition of nations, including:

  • Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon
  • Libya, Morocco, Oman, Palestine, Qatar
  • Tunisia, and the United Arab Emirates

Operation Ramz was supported by the Qatar Ministry of Interior and received strategic funding from the European Union and the Council of Europe through the CyberSouth+ initiative.

Ultimately, Operation Ramz serves as a blueprint for modern cyber defense. It proves that when intelligence sharing is synchronized with technical forensic capabilities, law enforcement can effectively move from a reactive posture to a proactive disruption of the global cybercriminal lifecycle.

Related Articles

Back to top button