SniperDz Phishing-as-a-Service Platform Dismantled by INTERPOL
Severity: High (Score: 73.0)
Sources: Infosecurity-Magazine, Group-Ib, unit42.paloaltonetworks.com
Keywords: group-ib, investigation, interpol, sniperdz, helped, algerian, dismantling
Summary
A coordinated investigation led by INTERPOL and the Algerian National Police resulted in the dismantling of SniperDz, a phishing-as-a-service (PhaaS) platform that had operated since at least 2015. Group-IB played a crucial role in this operation, which led to the arrest of the primary developer and 201 additional arrests across 13 countries in the MENA region. SniperDz was responsible for over 140,000 phishing pages and targeted more than 30 global organizations, including PayPal and Netflix. The platform provided ready-made phishing kits and exploited social engineering techniques, impersonating public figures to lure victims. The investigation revealed significant operational security failures by the suspect, including the publication of video tutorials that exposed sensitive information. The operation also seized 53 servers and identified nearly 4,000 victims. This takedown marks a significant victory in combating cybercrime in the region.
Key Points:
- SniperDz was a major PhaaS platform operating since at least 2015, facilitating phishing attacks.
- The INTERPOL-led operation resulted in 201 arrests and the seizure of 53 servers across 13 countries.
- Group-IB identified over 140,000 phishing pages linked to SniperDz, targeting major global brands.
Detailed Analysis
**Impact** The SniperDz platform affected over 45,000 victims globally, targeting more than 30 major organizations including PayPal, Instagram, Yahoo, Netflix, and Steam. The operation spanned nearly a decade, primarily impacting users across the Middle East and North Africa (MENA) region. Sectors targeted included financial services, online gaming, telecommunications, email providers, social media, and government entities. The platform facilitated credential theft, personal data compromise, and financial fraud through phishing and social engineering campaigns.

**Technical Details** SniperDz operated as a phishing-as-a-service (PhaaS) platform offering 80 ready-made phishing templates in five languages (Arabic, English, French, Spanish, Hebrew). Attack vectors included multi-stage redirection chains abusing trusted web services and social media, fake accounts impersonating public figures, and browser notification abuse. Infrastructure included over 20,000 unique domains and hosting servers seized during Operation Ramz. The platform also monetized through premium SMS, calls, and affiliate marketing. No specific malware or CVEs were reported.

**Recommended Response** Defenders should block identified SniperDz-associated domains and monitor for phishing templates mimicking targeted global brands. Enhance detection of multi-stage redirection and abuse of browser notifications. Implement user awareness training focused on social engineering tactics exploiting trusted public figures and promotional offers. Monitor for suspicious social media accounts and links, especially those promising free services or financial incentives. No patching information was provided.
Source articles (5)
- Group-IB investigation helped INTERPOL and Algerian authorities dismantle SniperDz, a ... — Group-Ib · 2026-06-11
  Group-IB, a leading creator of predictive cybersecurity technologies to investigate, prevent, and fight digital crime, today announced its contribution to a coordinated investigation led by INTERPOL a…
- Dismantling SniperDz | Group — Group-Ib · 2026-06-11
  Group-IB's investigation into fake political accounts uncovered a decade-long phishing-as-a-service (PhaaS) platform. Intelligence shared with INTERPOL and the Algerian National Police helped to bring…
- Sniper's Nest: From Brand Impersonation to Browser Hijacking and CPA Fraud - Group — Group-Ib · 2026-06-11
  This blog provides a deep-dive into SniperDz, a centralised PhaaS platform with more than 80 ready-made phishing templates impersonating over 30 global brands, and uncovers the hidden infrastructure b…
- Interpol Dismantles SniperDz Phishing-as-a — Infosecurity-Magazine · 2026-06-11
  Cybersecurity firm Group-IB has revealed that a recent Interpol-led cybercrime law enforcement operation has led to the takedown of an established phishing-as-a-service (PhaaS) platform and the arrest…
- Phishing Platform Sniper Dz Unique Tactics — unit42.paloaltonetworks.com · 2026-06-11
Timeline
- 2015-01-01 — SniperDz platform established: SniperDz began operations as a phishing-as-a-service platform, offering tools for cybercriminals.
- 2025-10-01 — Operation Ramz launched: INTERPOL initiated Operation Ramz to dismantle SniperDz and related cybercrime activities.
- 2026-05-31 — Operation results announced: INTERPOL announced the results of Operation Ramz, including 201 arrests and significant data seizures.
- 2026-06-11 — SniperDz dismantled: Group-IB confirmed the takedown of SniperDz and the arrest of its primary developer in Algeria.
Related entities
- Phishing (Attack Type)
- Operation Ramz (Campaign)
- Instagram (Platform)
- Steam (Platform)
- Yahoo (Platform)
- Algérie Télécom (Platform)
- Netflix (Company)
- PayPal (Company)
- Algeria (Country)
- fanlnk.to (Domain)
- horizoniq.com (Domain)
- offer.raviral.com (Domain)
- steam.by (Domain)
- win.anababayala.com (Domain)
- win.feezossl.xyz (Domain)
- Financial (Industry)
- Government (Industry)
- Technology (Industry)
- Telecommunications (Industry)
- 108.178.23.118 (IPv4)
- T1566.002 - Spearphishing Link (MITRE ATT&CK)
- T1566 - Phishing (MITRE ATT&CK)
- Linkbio (Tool)
- Linktree (Tool)