INTERPOL’s Operation Ramz Breaks MENA Cybercrime Rings with 201 Arrests

Key Takeaways

  • INTERPOL’s Operation Ramz (Oct 2025‑Feb 2026) coordinated 13 MENA countries, resulting in 201 arrests and 382 additional suspects identified.
  • The crackdown neutralized phishing, malware, and cyber‑scam infrastructures, seizing 53 servers and identifying 3,867 victims.
  • Notable disruptions included a phishing‑as‑a‑service platform in Algeria, compromised devices in Qatar, and a vulnerable server in Oman.
  • In Jordan, a financial‑fraud scheme uncovered victims of human trafficking who were coerced into running scams.
  • Private‑sector partners such as Group‑IB and Team Cymru supplied actionable intelligence on thousands of compromised accounts and active phishing sites.
  • The operation underscores the necessity of cross‑border cooperation between law enforcement and trusted industry allies to combat borderless cybercrime.
  • Parallel law‑enforcement actions in Germany and the United States targeted swatting rings, darknet marketplaces, data‑theft conspiracies, cryptocurrency fraud, and ATM jackpotting.
  • Sentences ranged from months to over 16 years, reflecting the seriousness of offenses ranging from malware distribution to large‑scale cryptocurrency theft.
  • Collectively, these actions illustrate a growing international resolve to dismantle cybercriminal ecosystems and protect both public and private digital assets.

Overview of Operation Ramz
INTERPOL launched Operation Ramz as a first‑of‑its‑kind, region‑wide cybercrime crackdown spanning the Middle East and North Africa. Conducted between October 2025 and February 2026, the initiative brought together law‑enforcement agencies from 13 countries with the shared goal of investigating malicious cyber infrastructure, arresting perpetrators, and preventing further financial harm to the region. The operation’s public statement emphasized a focus on phishing, malware threats, and cyber scams that impose steep costs on MENA economies. By the conclusion of the campaign, authorities reported 201 arrests, the identification of an additional 382 suspects, the seizure of 53 servers, and the identification of 3,867 victims whose data had been compromised or exploited.

Arrests and Suspects Identified
The 201 individuals apprehended during Operation Ramz were linked to a variety of cybercriminal activities, ranging from low‑level phishing operators to organizers of large‑scale fraud schemes. In addition to those detained, investigators flagged 382 further suspects who remain under investigation or are subject to surveillance. This dual approach—immediate apprehension coupled with ongoing suspect tracking—aimed to dismantle both the visible operatives and the broader networks that support them. The breadth of arrests underscores the operation’s success in reaching across different tiers of the cybercrime supply chain, from technical developers to money‑launderers and fraud facilitators.

Phishing‑as‑a‑Service Disruption in Algeria
Algerian authorities achieved a significant milestone by confiscating the server that hosted a phishing‑as‑a‑service (PhaaS) platform, a model that enables criminals to lease ready‑made phishing kits and infrastructure. Alongside the server, police seized a computer, a mobile phone, and multiple hard drives containing phishing software, scripts, and victim data. One suspect directly associated with the PhaaS operation was arrested. The takedown not only halted the service’s ability to generate new phishing campaigns but also provided investigators with valuable forensic material that could be used to trace downstream victims and affiliates.

Moroccan Seizures and Banking Data
In Morocco, law‑enforcement teams raided locations linked to cyber‑fraud rings and seized a collection of digital assets, including computers, smartphones, and external hard drives. These devices were found to store banking credentials, transaction logs, and custom phishing tools designed to mimic legitimate financial institutions. The confiscation of such equipment disrupted ongoing credential‑harvesting efforts and prevented the exfiltration of further funds from unsuspecting customers. Moroccan officials indicated that the seized data would be analyzed to identify additional victims and to build cases against higher‑level organizers of the fraud network.

Oman Compromised Server
Authorities in Oman uncovered a legitimate‑appearing server hosted within a private residence that harbored multiple critical security vulnerabilities and was actively infected with malware. The server had been repurposed as a command‑and‑control node for distributing malicious payloads and harvesting sensitive information from connected devices. INTERPOL reported that remedial actions were taken to disable the server, patch the identified vulnerabilities, and remove the malware. The case highlighted how even seemingly benign personal infrastructure can be exploited by cybercriminals when basic security hygiene is neglected.

Qatar Compromised Devices
Qatar’s cyber‑security response focused on a batch of compromised consumer devices—personal computers and smartphones—whose owners were unaware that their systems had been hijacked to propagate “malicious threats.” Although the precise nature of the threats was not disclosed in the public summary, officials confirmed that the affected machines were isolated, cleaned, and returned to their owners with guidance on securing their devices. The incident served as a reminder of the pervasive risk posed by botnets and the importance of endpoint protection, regular patching, and user awareness campaigns.

Jordan Human Trafficking and Financial Fraud
Jordanian police uncovered a sophisticated financial‑fraud scheme in which unsuspecting users were lured into investing funds on a counterfeit trading platform that appeared legitimate but collapsed once deposits were made. A raid resulted in the apprehension of 15 individuals operating the scam. Subsequent investigation revealed that these individuals were not willing participants but victims of human trafficking: they had been recruited in their Asian home countries under false promises of legitimate employment, had their passports confiscated upon arrival in Jordan, and were coerced into facilitating the fraud. Two suspected organizers of the operation were arrested. This case illustrated the intersection of cybercrime with transnational human‑trafficking networks, underscoring the need for multidisciplinary investigative approaches.

Private Sector Contributions (Group‑IB, Team Cymru)
The success of Operation Ramz was bolstered by active participation from private‑sector cybersecurity firms. Group‑IB supplied “actionable intelligence” on more than 5,000 compromised accounts, including those tied to government entities, and shared detailed maps of active phishing infrastructure across the MENA region. Joe Sander, CEO of Team Cymru, emphasized that cybercrime’s borderless nature demands an equally borderless response, praising the operation as a model of law‑enforcement and industry collaboration. By combining governmental authority with specialized technical expertise, the partnership accelerated threat detection, attribution, and takedown timelines.

Participating Countries List
The thirteen nations that contributed resources, personnel, and intelligence to Operation Ramz were Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates. Their collective involvement demonstrated a regional commitment to confronting cyber threats that transcend national borders, fostering information sharing, joint operational planning, and harmonized legal frameworks to prosecute cybercriminals effectively.

Related Global Law‑Enforcement Actions
Parallel to Operation Ramz, a series of high‑profile cyber‑crime actions unfolded in Germany and the United States, illustrating a worldwide crackdown. In Romania, Thomasz Szabo (aka Plank, Jonah, Cypher) received a 48‑month prison sentence for masterminding an online swatting ring that targeted public officials, religious institutions, and journalists. German authorities indicted Owe Martin Andresen (aka Speedstepper), the alleged chief administrator of the darknet marketplace Dream Market, on money‑laundering charges following his arrest. A relaunched version of the Crimenetwork marketplace was shut down on Mallorca, leading to the arrest of a 35‑year‑old German suspect.

In the United States, a federal jury convicted Sohaib Akhter of deleting 96 databases containing U.S. government information and stealing a plaintext password from an EEOC complaint portal. Alan Bill, the Slovakian administrator of Kingdom Market, was sentenced to 200 months (over 16 years) for conspiring to distribute controlled substances, stolen financial data, counterfeit documents, and malware. David Jose Gomez Cegarra of Venezuela received time‑served and was ordered to pay $294,820 in restitution for a string of ATM jackpotting incidents across New York, Massachusetts, and Illinois. Finally, Marlon Ferro (aka GothFerrari) was sentenced to 78 months for a social‑engineering conspiracy that stole more than $250 million in cryptocurrency from U.S. victims between late 2023 and early 2025, a scheme that combined sophisticated online fraud with physical burglary to access hardware wallets.

These cases collectively demonstrate that law‑enforcement agencies are increasingly targeting not only traditional cyber‑crime vectors such as malware and phishing but also complex fraud schemes that blend digital tactics with real‑world intimidation, money‑laundering, and the exploitation of emerging technologies like cryptocurrency. The coordinated nature of these actions—spanning continents, sectors, and threat landscapes—highlights a growing international consensus that effective cyber‑security requires sustained, cooperative efforts between governments, private industry, and global partners.
