Full Report
An INTERPOL-led operation last month resulted in the disruption of Sniper Dz, a decade-long phishing-as-a-service (PhaaS) platform, Group-IB said Thursday. The effort, codenamed Operation Ramz, took place between October 2025 and February 2026, and saw authorities from 13 countries in the Middle East and North Africa (MENA) region making 201 arrests. Included among them was Guedz, the primary
Analysis Summary
# Incident Report: Take Down of Sniper Dz Phishing-as-a-Service (PhaaS)
## Executive Summary
Interpol, in coordination with Group-IB and 13 countries, executed "Operation Ramz" to dismantle the long-standing "Sniper Dz" phishing-as-a-service platform. The operation resulted in 201 arrests, including the primary developer "Guedz," and the seizure of malicious infrastructure. The platform had facilitated global cybercrime for over a decade, harvesting tens of thousands of victim records through sophisticated impersonation campaigns.
## Incident Details
- **Discovery Date:** PhaaS activity tracked since at least 2015; significant analysis by Palo Alto Networks Unit 42 in October 2024.
- **Incident Date:** Takedown operation occurred October 2025 – February 2026.
- **Affected Organization:** Multiple (30+ major brands including PayPal, Facebook, Netflix, and Steam).
- **Sector:** Technology, Social Media, Streaming, and Financial Services.
- **Geography:** Global victims; primary law enforcement action in the MENA (Middle East and North Africa) region.
## Timeline of Events
### Initial Access
- **Date/Time:** Active since at least 2015.
- **Vector:** Phishing and Social Engineering.
- **Details:** Attackers used the "Sniper Dz" toolkit to create fake login pages for global brands and local government entities.
### Lateral Movement
- **Details:** N/A (The platform was a PhaaS model focusing on external credential harvesting rather than internal network pivoting).
### Data Exfiltration/Impact
- **Details:** Collection of more than 45,000 victim records, including account credentials and personal information. Users who did not provide credentials were often redirected to secondary fraud schemes like premium SMS subscriptions.
### Detection & Response
- **How it was discovered:** Long-term monitoring by Group-IB and Unit 42; joint intelligence sharing with INTERPOL.
- **Response actions taken:** Operation Ramz targeted infrastructure and operators. Law enforcement seized hardware and scripts, arrested 201 individuals, and took down the primary hosting domains.
## Attack Methodology
- **Initial Access:** Sophisticated phishing templates (80+ variations) in five languages.
- **Persistence:** Use of over 20,000 unique domains and proxy servers to host phishing pages.
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of multiple rebrandings (Joker Dz, Storm Dz, Spam Dz) and hosting behind proxy servers to mask origin.
- **Credential Access:** Harvesting credentials via imitation websites that mirrored legitimate login portals.
- **Discovery:** PhaaS users utilized a Telegram channel (7,300+ subscribers) for tutorials and reconnaissance.
- **Lateral Movement:** N/A.
- **Collection:** Automated scripts used to gather and store user-submitted data.
- **Exfiltration:** Data funneled back to "Sniper Dz" infrastructure and shared with affiliates/the primary administrator.
- **Impact:** Financial loss through credential theft and redirection to carrier billing fraud/SMS scam campaigns.
## Impact Assessment
- **Financial:** Significant, through unauthorized account access and affiliate-driven billing fraud.
- **Data Breach:** Over 45,000 individual victim records compromised.
- **Operational:** Disruption of services for victims whose accounts were hijacked.
- **Reputational:** Impersonation of 30+ major global brands and MENA political figures.
## Indicators of Compromise
- **Network indicators:**
  - `sniper-dz[.]com` (primary platform, defanged)
  - 20,000+ unique phishing domains (various)
- **Behavioral indicators:**
  - Traffic redirecting to carrier billing scams after login attempts.
  - Social media accounts of political figures promoting "free internet" or "promotional offers."
## Response Actions
- **Containment measures:** Takedown of the PhaaS central website and associated hosting infrastructure.
- **Eradication steps:** Arrest of the primary developer and 200 affiliates; seizure of hardware.
- **Recovery actions:** Dissemination of intelligence to affected brands to secure compromised user accounts.
## Lessons Learned
- **Key takeaways:** Free PhaaS models significantly lower the barrier to entry for low-skill cybercriminals, enabling massive scale.
- **Platform Resilience:** The platform survived for a decade by rebranding and using proxy infrastructure, highlighting the need for persistent tracking and international cooperation.
## Recommendations
- **Multi-Factor Authentication (MFA):** Implementation of hardware-based MFA or TOTP to neutralize the value of harvested credentials.
- **Brand Monitoring:** Organizations should utilize threat intelligence services to monitor for domain squatting and imitation kits.
- **Public Awareness:** Educate users on the risks of clicking links from social media accounts, even those belonging to "verified" or public figures.
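The brand-monitoring recommendation above can be partly automated in-house. The following Python example, added here and not part of the Group-IB/INTERPOL report, scores newly observed domains against the brands the report names (PayPal, Facebook, Netflix, Steam). It flags four impersonation patterns seen in phishing kits of this kind: a brand name used as a label outside the brand's own domain, digit-for-letter homoglyphs, the brand embedded in a longer label, and one-edit typosquats. The known-good domain allowlist, the confusable-character map and the sample domains are constructed assumptions for illustration.

```python
"""Flag observed domains that appear to impersonate monitored brands.

Added example, not code from the report or from any named vendor. Brand
names come from the report; the allowlist, confusable map and sample
domains below are constructed for illustration.
"""
import re
import unicodedata

# Brands impersonated according to the report.
BRANDS = ["paypal", "facebook", "netflix", "steam"]

# Registrable domains treated as legitimate (assumption: maintain from the
# brand owners' published domain lists in a real deployment).
KNOWN_GOOD = {"paypal.com", "facebook.com", "netflix.com",
              "steampowered.com", "steamcommunity.com"}

# Common look-alike substitutions; the map is an illustrative assumption.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
               "@": "a", "$": "s", "vv": "w", "rn": "m"}


def normalize(label: str) -> str:
    """Fold a DNS label to lowercase ASCII letters, undoing common confusables.

    Accented letters lose their accents; non-Latin letters are dropped, so a
    Cyrillic look-alike usually lands within edit distance 1 of the brand.
    """
    label = label.lower()
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return re.sub(r"[^a-z]", "", label)  # drop hyphens and leftover digits


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent swaps.

    Adjacent transpositions ("netfilx" vs "netflix") count as one edit.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, max_distance: int = 1):
    """Return (brand, reason) when the domain looks like impersonation, else None.

    Only the registrable domain (last two labels; a public-suffix list would
    be more accurate) is compared against the allowlist, so a brand name in
    a subdomain of an unrelated domain is still flagged.
    """
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in KNOWN_GOOD:
        return None
    for label in labels[:-1]:  # skip the TLD
        norm = normalize(label)
        for brand in BRANDS:
            if label == brand:
                return (brand, "exact-brand-label")
            if norm == brand:
                return (brand, "homoglyph")
            if brand in norm:
                return (brand, "embedded")
            if osa_distance(norm, brand) <= max_distance:
                return (brand, "typosquat")
    return None


def scan(domains):
    """Map each suspicious domain in the feed to its (brand, reason) verdict."""
    return {d: v for d in domains if (v := classify(d)) is not None}


if __name__ == "__main__":
    # Constructed sample feed, e.g. from certificate-transparency or new-domain data.
    feed = ["paypal.com", "paypa1.com", "netfilx.com", "paypal-login-secure.net",
            "paypal.com.verify-account.example", "accounts.facebook.com", "example.com"]
    for dom, verdict in scan(feed).items():
        print(f"{dom}: impersonates {verdict[0]} ({verdict[1]})")
```

The four reasons map to different response playbooks: an exact or homoglyph match is usually worth an immediate takedown request, while "embedded" and "typosquat" hits need analyst triage because ordinary words ("stream" vs "steam") fall within one edit of short brand names.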