Dismantling of SniperDz Phishing-as-a-Service Platform

Severity: High (Score: 68.0)

Sources: Group-Ib

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: group-ib, investigation, interpol, sniperdz, helped, algerian, dismantling

Summary

Group-IB's investigation led to the dismantling of SniperDz, a phishing-as-a-service (PhaaS) platform that operated for nearly a decade. The coordinated effort with INTERPOL and Algerian authorities resulted in the arrest of the primary developer. SniperDz targeted over 30 major global organizations, including PayPal and Netflix, and had collected more than 45,000 victim records since its inception around 2015. The platform provided phishing kits and operational support to cybercriminals, utilizing social engineering techniques and impersonating public figures to lure victims. Group-IB identified over 20,000 unique domains associated with SniperDz and 80 phishing templates in multiple languages. The investigation involved a multi-month analysis combining infrastructure analysis and open-source intelligence to trace the threat actor's online presence.

Key Points:

  • SniperDz operated for nearly a decade, targeting over 30 major organizations.
  • The platform collected more than 45,000 victim records through sophisticated phishing techniques.
  • Group-IB's investigation led to the arrest of the primary developer and administrator.

Detailed Analysis

**Impact**

SniperDz affected over 45,000 victims worldwide since 2015, targeting more than 30 major global organizations including PayPal, Instagram, Yahoo, Netflix, and Steam. The platform compromised credentials and sensitive data across sectors such as financial services, online gaming, telecommunications, email providers, social media, and government entities. Attacks spanned multiple geographies, with phishing templates in Arabic, English, French, Spanish, and Hebrew. The operation enabled large-scale credential theft and social engineering campaigns exploiting political figures in the Middle East and North Africa.

**Technical Details**

SniperDz operated as a phishing-as-a-service (PhaaS) platform offering ready-made phishing kits, hosting infrastructure, and operational support. It deployed 80 phishing templates across five languages, using fake social media accounts impersonating political personalities to distribute phishing links disguised as promotional offers or free internet access. Group-IB identified over 20,000 unique domains linked to the platform. The investigation combined infrastructure analysis, OSINT, and digital footprint correlation to attribute the platform to a single developer and administrator. No specific malware, CVEs, or detailed IOCs were provided.

**Recommended Response**

Organizations should monitor for phishing attempts using known SniperDz templates and block domains associated with the platform's infrastructure. Enhance email filtering and user awareness training focused on social engineering tactics involving impersonation of public figures. Maintain vigilance for credential harvesting campaigns targeting financial, gaming, telecommunications, and government sectors. No specific patches or CVEs were mentioned; defenders should prioritize detection and blocking of phishing domains and related infrastructure.

Source articles (2)

  • Group-IB investigation helped INTERPOL and Algerian authorities dismantle SniperDz, a ... — Group-Ib · 2026-06-11
    Group-IB, a leading creator of predictive cybersecurity technologies to investigate, prevent, and fight digital crime, today announced its contribution to a coordinated investigation led by INTERPOL a…
  • Dismantling SniperDz | Group — Group-Ib · 2026-06-11
    Group-IB's investigation into fake political accounts uncovered a decade-long phishing-as-a-service (PhaaS) platform. Intelligence shared with INTERPOL and the Algerian National Police helped to bring…

Timeline

  • 2015-01-01 — SniperDz platform launched: The phishing-as-a-service platform began operations, targeting various global organizations.
  • 2016-01-01 — 45,000 victim records reported: Statistics from SniperDz indicated that campaigns had collected over 45,000 victim records.
  • 2026-06-11 — SniperDz dismantled: A coordinated investigation led to the arrest of the primary developer and administrator of SniperDz.

Related entities

  • Phishing (Attack Type)
  • Operation Ramz (Campaign)
  • Instagram (Platform)
  • Steam (Platform)
  • Yahoo (Platform)
  • Netflix (Company)
  • PayPal (Company)
  • Financial (Industry)
  • Government (Industry)
  • Technology (Industry)
  • Telecommunications (Industry)
  • T1566.002 - Spearphishing Link (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)