A sweeping law enforcement operation coordinated by Interpol has resulted in the arrest of 201 individuals and the identification of 382 additional suspects across the Middle East and North Africa (MENA) region. Named Operation Ramz, the 13-country initiative targeted phishing and malware threats that have been plaguing businesses, governments, and citizens in the area. The operation, which ran from October 2025 through February 2026, also led to the seizure of 53 servers and the identification of nearly 3,900 victims.
Scope and Scale of Operation Ramz
Operation Ramz is one of the largest coordinated cybercrime crackdowns ever conducted in the MENA region, involving law enforcement agencies from Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates. The effort was supported by multiple private-sector partners, including Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru, and TrendAI. These organizations provided critical intelligence on malicious infrastructure, phishing campaigns, and malware distribution networks.
The operation's primary focus was on dismantling phishing-as-a-service (PhaaS) platforms and botnet infrastructure that enabled cybercriminals to steal credentials, deploy ransomware, and conduct financial fraud. Interpol noted that the region has seen a sharp increase in such attacks, particularly targeting financial institutions, e-commerce platforms, and government portals. The collaboration between public and private entities allowed authorities to track illegal activities across borders and neutralize threats before they could cause widespread damage.
Notable Cases and Seizures
In Algeria, authorities shut down a PhaaS website and arrested one suspect, seizing a server, a computer, a phone, and hard drives containing malicious software and scripts. The platform had been used to offer phishing kits to other criminals, enabling even low-skilled attackers to launch sophisticated credential-harvesting campaigns. Algerian officials reported that the seized materials contained templates mimicking popular banking and social media login pages.
Jordan's police force located a computer used in financial fraud scams and arrested two individuals who orchestrated a human trafficking scheme. According to Interpol, 15 individuals were forced to carry out the scams under duress. The victims, who came from various Asian countries, were promised legitimate employment in Jordan but had their passports confiscated upon arrival. They were then coerced into participating in phishing and fraud operations. The two arrested suspects are now facing charges related to both cybercrime and human trafficking.
In Morocco, authorities arrested three individuals and seized computers, phones, and hard drives used in phishing operations. The suspects were linked to a network that targeted Moroccan bank customers through fake SMS messages and emails, tricking them into revealing account credentials. The arrests disrupted a ring that had been active for several months.
Oman's cybercrime unit disabled a server containing sensitive information that was infected with malware and had multiple critical vulnerabilities. The server had been exploited by attackers to launch further attacks against government and private networks. Authorities also took steps to patch the vulnerabilities and secure the affected systems.
In Qatar, law enforcement identified compromised devices that had been used to spread malware without the owners' knowledge. The systems were secured, and the owners were notified. The devices were part of a botnet used for distributed denial-of-service (DDoS) attacks and further malware distribution.
Private Sector Contributions
The success of Operation Ramz relied heavily on the expertise and data provided by private security firms. Team Cymru, a threat intelligence company, played a key role in mapping the criminal infrastructure. CEO Joe Sander stated, "Cybercrime is borderless, and the only effective response is one that is equally borderless. Operation Ramz is exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on."
Group-IB provided detailed analysis of phishing kits and malware samples, while Kaspersky shared telemetry on botnet command-and-control servers. The Shadowserver Foundation helped identify vulnerable systems and notified affected organizations. TrendAI contributed machine learning models to detect anomalies in network traffic associated with malware infections.
Human Trafficking and Cybercrime Link
One of the most disturbing discoveries during Operation Ramz was the intersection of cybercrime and human trafficking, particularly in Jordan. The case highlighted how criminal syndicates exploit vulnerable migrants, forcing them into cyber fraud operations. Victims were often promised jobs in customer service or IT support but were instead locked into compounds and compelled to run phishing scams targeting people in their home countries. This pattern has been observed in other parts of the world, including Southeast Asia, but its emergence in the MENA region underscores the global nature of these criminal networks.
Interpol has committed to follow-up investigations to identify and rescue more victims of human trafficking linked to cybercrime. The organization is also working with member countries to strengthen border controls and employment verification processes to prevent such exploitation.
Broader Implications for Cybersecurity in MENA
Operation Ramz comes at a time when the MENA region is experiencing a digital transformation, with increasing reliance on online services. This has made the region an attractive target for cybercriminals. According to recent reports, phishing attacks in the Middle East rose by over 40% in 2025, with financial institutions being the most targeted sector. The COVID-19 pandemic accelerated the adoption of remote work and digital payments, creating new vulnerabilities that criminals have been quick to exploit.
Governments across the region have been investing in cybersecurity capabilities, but a lack of coordination often hinders effective responses. Operation Ramz demonstrates the value of cross-border collaboration and information sharing. The operation also highlights the importance of public-private partnerships in combating sophisticated cyber threats.
Methodology and Tactics Used by Criminals
The phishing campaigns targeted during Operation Ramz employed a variety of tactics. Attackers used social engineering to trick victims into clicking malicious links or downloading infected attachments. Some campaigns used spear-phishing emails tailored to high-level executives in banks and government agencies. Others relied on bulk SMS messages that appeared to come from legitimate sources, such as delivery companies or tax authorities.
Malware infections were often delivered through drive-by downloads from compromised websites or via fake software updates. The malware discovered included keyloggers, remote access trojans (RATs), and banking Trojans. Many of the infected systems were used as proxies for launching further attacks, making attribution difficult for investigators.
The seizure of 53 servers disrupted multiple botnets and phishing infrastructure, but experts warn that cybercriminals are likely to reconstitute these networks. Continuous monitoring and proactive takedowns are essential to maintain pressure on these groups.
Future Directions
Interpol has indicated that Operation Ramz will serve as a model for future regional crackdowns. The organization plans to expand its cybercrime operations in Africa and the Middle East, focusing on ransomware and business email compromise (BEC) fraud. Additionally, the victims identified during the operation will receive support through victim assistance programs run by Interpol and partner organizations.
The success of Operation Ramz also underscores the need for better cybersecurity hygiene among individuals and businesses. Simple measures such as enabling multi-factor authentication, regularly updating software, and being cautious of unsolicited messages can significantly reduce the risk of falling victim to phishing and malware. Law enforcement agencies continue to urge the public to report suspicious activities to local authorities or through Interpol's reporting mechanisms.
Source: SecurityWeek News