The developer and administrator behind SniperDz, one of the world's longest-running phishing-as-a-service (PhaaS) platforms, has been arrested. This significant victory for international cyber crime enforcement follows a coordinated operation involving INTERPOL, the Algerian National Police, and threat intelligence firm Group-IB. Group-IB announced the arrest and its role in the takedown in a press release on June 11, 2026.
The operation, codenamed Operation Ramz, marked the end of a cybercriminal enterprise that had enabled phishing campaigns across the globe for nearly a decade. Operation Ramz reportedly ran from October 2025 to February 2026 across 13 countries in the Middle East and North Africa (MENA) region. According to figures released by INTERPOL in late May, the crackdown resulted in 201 arrests and the seizure of 53 servers. The investigation uncovered 382 suspects and documented 3,867 victims.
More importantly, the case offers valuable lessons for organisations seeking to defend themselves against modern phishing threats. It also highlights the growing effectiveness of international cooperation in combating cyber crime.
Launched in 2015, SniperDz operated as a phishing-as-a-service platform. It provided cyber criminals with ready-made tools to launch credential theft campaigns. Low-skilled affiliates with no advanced technical capabilities could also use these tools to run fraud campaigns at scale.
Much like legitimate software-as-a-service businesses, PhaaS platforms provide subscribers with everything they need to conduct attacks. They give them phishing templates, hosting infrastructure, campaign management tools, and stolen credential collection mechanisms.
According to Group-IB's investigation, SniperDz offered more than 80 phishing templates impersonating over 30 globally recognised brands. These included major online platforms such as PayPal, Facebook, Instagram, Netflix, and Steam. The service supported five languages, allowing affiliates to target victims across multiple regions and significantly expand the platform's reach.
In 2024, Palo Alto Networks’ Unit 42 had reported, “Surprisingly, SniperDz PhaaS offers these services free of charge to phishers – perhaps because SniperDz also collects victim credentials stolen by phishers who use the platform to compensate for the cost of service.”
The scale of the operation was remarkable. Investigators identified more than 20,000 unique domains linked to the SniperDz ecosystem. As early as 2016, the platform had already documented over 45,000 victim records. This suggests that the actual number of compromised accounts over its decade-long lifespan could be substantially higher.
The success of platforms like SniperDz reflects a broader evolution in the cybercrime ecosystem. Traditionally, conducting phishing campaigns required attackers to possess technical skills such as website cloning, domain registration, hosting management, and credential harvesting. PhaaS platforms have dramatically lowered these barriers to entry.
Today, aspiring cybercriminals can simply subscribe to a service, select a phishing template, launch a campaign, and begin collecting credentials within hours. This business model has transformed phishing from a technically demanding activity into a scalable criminal service.
As a result, phishing remains one of the most common initial access vectors used in ransomware attacks, business email compromise (BEC) attacks, financial fraud and account takeover incidents.
The SniperDz case demonstrates how cybercriminal platforms increasingly mirror legitimate online businesses. They even offer customer support, affiliate programmes, training materials and active communities.
Despite operating successfully for nearly ten years, the downfall of SniperDz came from a surprisingly common source: poor operational security (OPSEC).
According to investigators, the platform's administrator created video tutorials designed to recruit and train affiliates. However, these videos inadvertently exposed sensitive information, including administrator credentials and account details. This operational mistake provided investigators with a critical lead that helped bridge the gap between online activity and real-world attribution.
The exposure was compounded by the operator's extensive public presence. Investigators discovered a Telegram affiliate channel with more than 7,300 subscribers as well as a Facebook page boasting over 19,000 followers. Years of publicly available activity allowed analysts to build a detailed intelligence picture of the individual behind the platform.
By combining technical evidence, social media intelligence, and attribution research, Group-IB was able to generate actionable intelligence that was ultimately shared with INTERPOL and law enforcement authorities. The result was the successful identification and arrest of the alleged operator.
Commenting on the takedown of SniperDz, Dmitry Volkov, CEO of Group-IB, said, “SniperDz is a textbook example of why adversary-centric intelligence matters. Disrupting cybercrime requires more than taking down phishing pages. It requires understanding the people, infrastructure, and criminal ecosystems behind them. By combining threat intelligence, attribution, and close collaboration with law enforcement, we were able to help identify the individual responsible for nearly a decade of phishing activity and contribute to bringing that operation to an end.”
The takedown of SniperDz sends an important message to cybercriminals: anonymity is becoming increasingly difficult to maintain. While cybercriminals often rely on encryption, pseudonyms, and international borders to evade detection, today's investigations increasingly combine technical forensics, open-source intelligence (OSINT), social media analysis, and international law enforcement collaboration. Operation Ramz demonstrates how long-term intelligence gathering can eventually expose even well-established criminal operations.
The arrest also highlights the growing role of private-sector threat intelligence organisations in disrupting cybercrime. Threat researchers frequently possess visibility into criminal infrastructure and attack techniques that can significantly accelerate law enforcement investigations.
Although the arrest represents a success for law enforcement, organisations should not assume that phishing threats are diminishing. In reality, phishing-as-a-service platforms continue to proliferate. Many modern services now incorporate AI-generated content, advanced evasion techniques and sophisticated credential harvesting methods.
All businesses should, therefore, focus on strengthening their resilience against phishing attacks through a combination of technology, processes and user awareness.
Key measures include:
The ability to detect, contain, and recover from phishing-related incidents has become a critical component of modern cyber resilience.
The dismantling of SniperDz represents a significant achievement in the fight against cybercrime, but it is unlikely to be the last phishing platform of its kind. Cybercriminal ecosystems are highly adaptive. New services will inevitably emerge to replace disrupted operations. However, Operation Ramz demonstrates that persistence and international collaboration can produce meaningful results.
For defenders, the case serves as a reminder that phishing remains one of the most effective attack methods available to cybercriminals. As phishing-as-a-service platforms continue to lower the barriers to entry for threat actors, organisations must ensure that they are prepared to withstand these increasingly sophisticated social engineering campaigns.
Ultimately, the arrest of the SniperDz operator may have closed one chapter in the evolution of phishing-as-a-service. But the broader battle against credential theft and cyber-enabled fraud is far from over.