In a major coordinated international law enforcement action, INTERPOL has dismantled Sniper Dz, one of the world's longest-running Phishing-as-a-Service platforms. The multi-country operation, which led to the arrest of the platform's primary developer, marks a significant shift in the battle against credential theft networks.
On June 12, 2026, cybersecurity agencies and international law enforcement bodies, coordinated by INTERPOL, confirmed the disruption of the Phishing-as-a-Service (PhaaS) network known as Sniper Dz. The announcement caps a months-long investigation into the infrastructure that let novice cybercriminals deploy convincing credential-harvesting websites. By targeting both the hosting servers and the administrators behind the service, investigators have, at least for now, cut off a primary channel for automated online fraud. The operation also shows why synchronized, cross-border action is needed to dismantle resilient, distributed web operations.
The takedown highlights the growing reliance of cybercriminals on pre-packaged tools that lower the barrier to entry for online scams. Sniper Dz gave affiliates free access to customized phishing templates and hosting environments while silently copying every stolen credential to the platform's developer. As agencies analyze the seized hardware, details have emerged about the operational-security mistakes that let threat researchers trace the network's administrator, known as "Guedz," to Algeria. The case shows that even capable developers remain exposed to basic forensic tracking once their operational security slips.
- Regional Coordination: Codenamed Operation Ramz, the enforcement campaign ran from October 2025 to February 2026, coordinating law enforcement across 13 countries in the MENA region.
- Enforcement Scope: The operation resulted in 201 arrests, the identification of 382 suspects, and the seizure of 53 active hosting servers.
- Decade of Operation: Active since 2015, Sniper Dz hosted more than 20,000 domains and was linked to over 140,000 phishing websites in the year preceding the takedown.
- Double-Theft Scheme: The platform operated on a "double-theft" business model, automatically copying all stolen credentials to the administrator while providing affiliates access.
- Investigative Breakthrough: Digital forensics specialists at Group-IB traced the administrator, "Guedz," after he exposed personal backend email addresses in video tutorials.
Operation Ramz: Dismantling a Decade of Cybercrime in the MENA Region
The successful disruption of the Sniper Dz infrastructure was achieved through an international enforcement campaign codenamed Operation Ramz. Coordinated by INTERPOL's cybercrime directorate, the operation commenced in October 2025 and concluded in February 2026. The initiative involved law enforcement agencies from 13 countries across the Middle East and North Africa (MENA) region, highlighting the necessity of cross-border collaboration in addressing modern distributed cyber threats. Police units worked in close alignment with national telecoms to locate physical servers and cut off active network gateways.
According to official reports released by participating agencies, the operation resulted in 201 arrests across the region. Investigators identified 382 suspects associated with the platform's affiliate network and seized 53 servers used to host malicious landing pages and to store databases of stolen credentials. The primary target of the enforcement action was Guedz, the long-term developer and administrator of Sniper Dz, who was apprehended by the Algerian National Police during a synchronized raid. The arrests of subordinate affiliates have disrupted the distribution pipelines that fed new links into active messaging channels.
The scale of Operation Ramz reflects the significant threat posed by the platform, which had remained active under various names, including Joker Dz, Storm Dz, and Spam Dz, since 2015. Over its ten years of operation, the network facilitated thousands of credential theft campaigns. In the twelve months preceding the takedown, security researchers estimated that the platform was associated with more than 140,000 active phishing websites, making it one of the most prolific sources of fraud templates on the internet. The sheer volume of traffic generated by these sites highlights how small cybercrime groups can scale their reach using automated frameworks.
The Mechanics of Sniper Dz: Inside the Double-Theft Business Model
Unlike traditional cybercrime networks that charge upfront subscription fees, Sniper Dz operated on a "free" business model designed to attract low-skilled affiliates. The platform hosted approximately 80 ready-made phishing templates that impersonated over 30 globally recognized brands. These templates targeted major social media networks, online gaming portals, and financial services, providing affiliates with highly convincing replica login screens to deceive victims. By removing financial barriers, Guedz created a vast affiliate program that multiplied the platform's reach.
The primary brands targeted by the Sniper Dz template library included the following organizations:
- Financial Institutions: PayPal and other online payment services, targeting transactional credentials.
- Social Media Platforms: Facebook and Instagram, designed to compromise personal accounts for secondary spam campaigns.
- Digital Service Providers: Netflix and Steam, targeting subscription credentials for resale on black markets.
Although the service was advertised as free to affiliates, the operators used a "double-theft" mechanism to profit from it. When a victim submitted credentials on a phishing page hosted by the platform, the data was delivered to the affiliate who launched the campaign. At the same time, the platform's backend script silently copied the same credentials to an administrative database controlled by Guedz. The script handled the HTTP POST from the fake login form and duplicated the submission rather than splitting it: the affiliate received a complete copy, while the central administrator quietly accumulated the master list of everything every affiliate had stolen.
This structure meant that affiliates were inadvertently acting as unpaid distribution agents for the central developer. Guedz could sit back and watch as thousands of amateur scammers generated traffic, purchased lookalike domains, and distributed links. The developer then packaged the consolidated credentials and sold them in bulk on dark web forums or utilized them for high-value targeted attacks. This model illustrates the parasitic nature of the PhaaS economy, where even the hackers themselves are exploited by platform developers.
Threat Intelligence Note: The "double-theft" model is a common strategy among free Phishing-as-a-Service platforms. By offering tools at no cost, developers recruit thousands of amateur scammers who distribute the malicious links. The platform developers then silently copy all stolen credentials, generating a massive, secondary database of compromised accounts for resale or direct exploitation.
The Affiliate Trap: How Video Tutorials Exposed Guedz
The investigation that led to the identification of Guedz was aided by digital forensics provided by the threat intelligence firm Group-IB. Because many of the platform's affiliates were unskilled individuals, Guedz produced and distributed detailed video tutorials explaining how to configure the phishing kits and link them to hosting domains. These educational resources were hosted on public video-sharing platforms and distributed within private chat groups. In trying to build a helpful onboarding portal, the developer created the very evidence that led to his arrest.
During a detailed analysis of these tutorial videos, threat researchers identified several operational security failures made by the administrator. In one recording, Guedz shared his browser window while logged into the platform's backend administration panel. This exposure revealed his personal recovery email addresses and active browser sessions, providing investigators with the specific digital identifiers needed to trace the underlying infrastructure. Researchers correlated these emails with active domains and historic registrar databases to establish his real identity.
The key investigative steps taken by the Algerian National Police and Group-IB analysts included the following checkpoints:
- Video Forensic Analysis: Reviewing training materials frame-by-frame to identify exposed server directories and admin panels.
- Email Correlation: Matching the recovery email addresses revealed in the video against domain registration records and social media profiles.
- Infrastructure Mapping: Locating the physical hosting servers and coordinating with local internet service providers to identify the administrator's IP address.
By combining these forensic findings, investigators correlated the platform's active domains with Guedz's physical location in Algeria. This digital trail allowed the Algerian National Police to execute a targeted search warrant, recovering hardware containing the platform's source code and malicious scripts, which confirmed his role as the primary administrator. The seized assets included backup drives containing over 45,000 victim records, providing undeniable proof of the platform's central credential harvesting system.
PhaaS Comparison: Evaluating Sniper Dz Against the LabHost Benchmark
To understand the significance of the Sniper Dz takedown, it is useful to compare it to previous law enforcement operations targeting Phishing-as-a-Service networks. The most notable baseline is the disruption of the LabHost platform in April 2024. LabHost was one of the largest PhaaS providers globally, hosting over 10,000 active criminal users and managing more than 40,000 phishing domains before its seizure. Its shutdown was considered a watershed moment in cybercrime enforcement.
While LabHost operated on a premium subscription model, charging affiliates monthly fees for access to its templates, Sniper Dz prioritized volume through free access. LabHost's infrastructure was considerably larger, with 207 servers seized compared to the 53 seized during Operation Ramz. Operation Ramz, however, produced far more arrests: 201 individuals compared to 37 in the LabHost disruption. Server counts therefore say little about reach; Sniper Dz ran on lighter infrastructure while its affiliate base was spread widely across the region.
Furthermore, the target audience of the two platforms differed. LabHost targeted high-value corporate credentials and specific banking portals, building complex tools to bypass MFA. Sniper Dz focused primarily on consumer services, social media, and gaming credentials. This difference in target metrics explains why LabHost required more complex server infrastructures to manage real-time session proxies, while Sniper Dz could run on basic HTML templates and redirect scripts, lowering its overhead costs.
The comparison between these two major cybercrime operations is outlined in the table below, highlighting the different scales and enforcement outcomes:
| Metric | LabHost (takedown April 2024) | Sniper Dz (Operation Ramz, takedown June 2026) | Comparison |
|---|---|---|---|
| Active lifespan | About 3 years (2021–2024) | About 11 years (2015–2026) | Sniper Dz longer-lived |
| Seized servers | 207 | 53 | LabHost larger infrastructure |
| Affiliate base | 10,000+ registered users | 382 identified suspects (registered-user count not reported) | Not directly comparable |
| Arrests | 37 | 201 | Operation Ramz more arrests |
[Chart from the original page, not reproduced: comparative metrics for the LabHost takedown and Operation Ramz (Sniper Dz) across participating countries, seized servers and arrests. The server and arrest figures are those in the table above.]
The AitM Evolution: How Modern Phishing Kit Architectures Bypass MFA
The takedown of Sniper Dz occurs during a broader technical evolution within the phishing ecosystem. Historically, phishing kits relied on static replica pages that harvested usernames and passwords. However, the widespread adoption of multi-factor authentication (MFA) by financial and enterprise platforms has reduced the utility of simple password theft, forcing developers to update their tools. To remain effective, PhaaS platforms have had to transition to real-time session hijacking.
Modern PhaaS platforms increasingly use Adversary-in-the-Middle (AitM) architectures to bypass security controls. In an AitM attack, the phishing server acts as a reverse proxy between the victim and the legitimate service. When the victim enters their credentials, the phishing server forwards them to the real platform, which prompts for the MFA code; the victim types that code into the phishing page and the proxy forwards it too. Once the legitimate service issues a session cookie, the proxy captures it, and the attacker replays the cookie to take over the authenticated session without needing the password or a second factor again. This defeats MFA methods based on one-time codes or push approvals, because the victim completes the second factor on the attacker's behalf.
The shift toward AitM tooling is visible in platforms such as SheByte and Tycoon 2FA, which gained ground after the LabHost disruption and are built to harvest session cookies at scale from enterprise cloud tenants. To defend against these kits, organizations must reduce their reliance on passwords, one-time codes and bearer session tokens; phishing-resistant authentication is the most reliable countermeasure to proxy-based attacks.
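To show concretely why origin binding defeats a proxy, here is an added Python example (not code from Sniper Dz, LabHost or any cited report). It models the three parties in a WebAuthn assertion: the browser, which writes the origin it is actually connected to into clientDataJSON; the authenticator, which hashes the relying-party ID into authenticatorData and signs both; and the relying party, which checks origin, rpIdHash and the signature. The RP ID `bank.example`, the lookalike origin, and the use of an HMAC as a stand-in for the authenticator's ECDSA signature are assumptions made for the example.

```python
"""Why a FIDO2/WebAuthn login cannot be relayed by an AitM phishing proxy.

Added example, not code from any phishing kit or cited report.  The ECDSA
signature of a real authenticator is modelled with an HMAC over the same bytes
(assumption: keeps the example standard-library only).
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"                            # assumed relying party ID
LEGIT_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-example-login.com"   # constructed lookalike origin

# Assumption: one shared key stands in for the credential's private key
# (authenticator side) and public key (relying-party side).
CREDENTIAL_KEY = secrets.token_bytes(32)


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """Built by the browser, never by page script: the origin field is the
    origin of the page that called navigator.credentials.get()."""
    data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    return json.dumps(data, separators=(",", ":")).encode()


def authenticator_sign(rp_id: str, client_data: bytes) -> tuple[bytes, bytes]:
    """Authenticator side: hash the RP ID (derived by the browser from the
    page's domain) into authenticatorData, then sign
    authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash (32 bytes)
    auth_data += b"\x01"                                  # flags: user present
    auth_data += (1).to_bytes(4, "big")                   # signature counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()


def rp_verify(expected_challenge: bytes, client_data: bytes,
              auth_data: bytes, sig: bytes) -> tuple[bool, str]:
    """Relying-party side: the subset of WebAuthn assertion checks that matter
    against a proxy, in the order the spec performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    challenge = secrets.token_bytes(32)
    cd = browser_client_data(challenge, LEGIT_ORIGIN)
    return rp_verify(challenge, cd, *authenticator_sign(RP_ID, cd))


def aitm_relayed_login() -> tuple[bool, str]:
    """The proxy obtains a genuine challenge from the RP and relays it to the
    victim, exactly as it relays a password or OTP.  The victim's browser,
    however, is on the phishing origin, so clientDataJSON and rpIdHash name
    the wrong site and the RP rejects the assertion."""
    challenge = secrets.token_bytes(32)          # fetched by the proxy from the RP
    cd = browser_client_data(challenge, PHISH_ORIGIN)
    auth_data, sig = authenticator_sign("bank-example-login.com", cd)
    return rp_verify(challenge, cd, auth_data, sig)


def aitm_rewritten_login() -> tuple[bool, str]:
    """Suppose the proxy edits clientDataJSON in transit to claim the real
    origin.  The RP ID is deliberately set to the genuine one here so the
    rpIdHash check passes (a real browser would not allow that for the
    phishing page); the assertion still fails because the signature covers a
    hash of the original clientDataJSON."""
    challenge = secrets.token_bytes(32)
    cd = browser_client_data(challenge, PHISH_ORIGIN)
    auth_data, sig = authenticator_sign(RP_ID, cd)
    forged_cd = browser_client_data(challenge, LEGIT_ORIGIN)
    return rp_verify(challenge, forged_cd, auth_data, sig)


if __name__ == "__main__":
    for name, fn in (("legitimate", legitimate_login),
                     ("AitM relay", aitm_relayed_login),
                     ("AitM rewrite", aitm_rewritten_login)):
        print(f"{name:12s} -> {fn()}")
```

The relay case fails at the origin check before any cryptography is consulted, which is the whole point: a proxy can forward a challenge, a password and an OTP, but it cannot make the victim's browser claim to be on a different origin. The rewrite case shows that tampering with clientDataJSON after the fact is equally useless, since the signature covers its hash.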
The advanced mitigation steps recommended for enterprises to defend against AitM phishing kits include:
- FIDO2 Security Keys: Hardware-backed, origin-bound credentials. The browser records the origin it is actually connected to, and the authenticator signs it together with the relying-party ID, so an assertion produced on a lookalike domain fails verification at the real service and cannot be proxied.
- Session Binding and Short Lifetimes: Binding session cookies to the device or client that obtained them so a cookie replayed from another machine is rejected, keeping session lifetimes short, and requiring re-authentication for sensitive actions.
- Identity Threat Detection: Monitoring logins and session activity for anomalies such as impossible travel, a session reappearing from an unrecognized device fingerprint or network, or sign-ins from hosting-provider address space.
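The last two items above describe detections rather than mechanisms, so here is an added Python example (not from any cited report) that runs both over a constructed JSON-lines authentication log. It flags a session cookie that reappears from a different network and device fingerprint than the login that created it, which is what a replayed AitM-stolen cookie looks like from the server side, and a pair of logins whose implied travel speed is impossible. The log schema, the ASN and GeoIP fields, and the 900 km/h threshold are assumptions.

```python
"""Detect AitM-style session-cookie theft in authentication logs.

Added example, not part of any cited report.  Input is a constructed
JSON-lines audit log (assumed schema: ts, user, event, session, ip, asn,
country, device, geo=[lat, lon] from a GeoIP lookup).  Two detections, both
of which an AitM proxy trips because the stolen cookie is replayed from the
attacker's machine rather than the victim's:
  1. session_reuse: a session ID used from a different ASN *and* device
     fingerprint than it was issued to, or from another country
     (IP-only changes are too noisy on mobile networks).
  2. impossible_travel: two logins by one user whose implied speed
     exceeds MAX_KMH.
"""
import json
import math
from datetime import datetime

MAX_KMH = 900.0   # assumption: faster than an airliner is not a human

# Constructed sample: alice logs in from Paris, then her cookie is used from a
# hosting ASN in another country with a different browser fingerprint; bob logs
# in from London and from Sydney 40 minutes apart; carol is a normal session.
SAMPLE_LOG = """\
{"ts":"2026-03-01T08:00:00Z","user":"alice","event":"login","session":"s1","ip":"203.0.113.10","asn":3215,"country":"FR","device":"d-a1","geo":[48.86,2.35]}
{"ts":"2026-03-01T08:05:00Z","user":"alice","event":"request","session":"s1","ip":"203.0.113.11","asn":3215,"country":"FR","device":"d-a1","geo":[48.86,2.35]}
{"ts":"2026-03-01T08:09:00Z","user":"alice","event":"request","session":"s1","ip":"198.51.100.7","asn":16509,"country":"US","device":"d-zz","geo":[39.04,-77.49]}
{"ts":"2026-03-01T09:00:00Z","user":"bob","event":"login","session":"s2","ip":"192.0.2.5","asn":2856,"country":"GB","device":"d-b1","geo":[51.51,-0.13]}
{"ts":"2026-03-01T09:40:00Z","user":"bob","event":"login","session":"s3","ip":"192.0.2.99","asn":1221,"country":"AU","device":"d-b1","geo":[-33.87,151.21]}
{"ts":"2026-03-01T10:00:00Z","user":"carol","event":"login","session":"s4","ip":"203.0.113.50","asn":3215,"country":"FR","device":"d-c1","geo":[45.76,4.84]}
{"ts":"2026-03-01T10:30:00Z","user":"carol","event":"request","session":"s4","ip":"203.0.113.51","asn":3215,"country":"FR","device":"d-c1","geo":[45.76,4.84]}
"""


def parse(jsonl: str) -> list[dict]:
    """Parse the log and sort by timestamp so state is built in event order."""
    events = []
    for line in jsonl.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(a, b) -> float:
    """Great-circle distance between two [lat, lon] points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect(events: list[dict]) -> list[dict]:
    alerts = []
    issued = {}        # session -> login event that created it (binding context)
    last_login = {}    # user -> most recent login event
    for e in events:
        if e["event"] == "login":
            issued[e["session"]] = e
            prev = last_login.get(e["user"])
            if prev is not None:
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                km = haversine_km(prev["geo"], e["geo"])
                if hours > 0 and km / hours > MAX_KMH:
                    alerts.append({"rule": "impossible_travel", "user": e["user"],
                                   "km": round(km), "hours": round(hours, 2)})
            last_login[e["user"]] = e
            continue
        origin = issued.get(e["session"])
        if origin is None:   # cookie never issued by a login we saw
            alerts.append({"rule": "unknown_session", "user": e["user"],
                           "session": e["session"]})
            continue
        asn_changed = e["asn"] != origin["asn"]
        dev_changed = e["device"] != origin["device"]
        country_changed = e["country"] != origin["country"]
        if (asn_changed and dev_changed) or country_changed:
            alerts.append({"rule": "session_reuse", "user": e["user"],
                           "session": e["session"],
                           "from": (origin["asn"], origin["country"]),
                           "to": (e["asn"], e["country"])})
    return alerts


def run_sample() -> list[dict]:
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, alice's third event raises `session_reuse` (new ASN, new device fingerprint, new country) and bob's second login raises `impossible_travel`; carol's IP change inside the same ASN and country is correctly ignored. In production the same logic belongs in the session-validation path, not only in after-the-fact log review, so that a replayed cookie can be revoked before the attacker acts on it.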
Cross-Border Enforcement: Shifting Cybersecurity Strategies
The successful execution of Operation Ramz highlights a growing commitment by international law enforcement bodies to collaborate on cybersecurity enforcement. Because cybercriminals operate across jurisdictions to avoid local prosecution, addressing PhaaS networks requires coordinated actions across multiple countries. The Doha coordination meeting in Qatar served as the foundational planning event for the Operation Ramz campaign, establishing lines of communication that bypassed traditional diplomatic delays.
Neal Jetton, INTERPOL's Director of Cybercrime, emphasized the importance of this collaborative approach during a press briefing following the takedown:
“In a world where cybercriminals exploit the digital landscape without borders, Operation Ramz demonstrates the effectiveness of global collaboration. INTERPOL is dedicated to working with its member countries and private sector partners to take down malicious infrastructure, disrupt criminal groups and bring perpetrators to justice.”
— Neal Jetton, INTERPOL Cybercrime Director, June 2026 Statement
Jetton also noted the significance of the regional participation during the planning stages, stating that the coordination meeting in Doha, Qatar, was critical for aligning the resources of the 13 participating nations. This regional alignment allowed local police forces, such as the Algerian National Police, to execute search warrants and secure physical evidence that was vital for the overall success of the operation. The involvement of private firms like Group-IB provided the technical forensics needed to link digital servers to physical locations.
“When we support a cybercrime operation in a specific region for the first time, it's an opportunity to gauge interest from the member countries taking part. We were very happy that 13 countries participated in our coordination meeting held in Doha, Qatar, last year, and subsequently took part in Operation Ramz.”
— Neal Jetton, INTERPOL Director, Coordination Address
This coordinated model of enforcement represents the primary strategy for addressing distributed cybercrime networks. As PhaaS platforms continue to evolve, law enforcement agencies must maintain active communication channels and collaborate on digital forensics to successfully dismantle malicious infrastructure globally. By hitting criminal infrastructure simultaneously in multiple countries, law enforcement prevents groups from migrating their databases to backup servers, delivering a more permanent blow to their operations.
Conclusion: The Future of PhaaS Infrastructure and Enforcement
The dismantling of Sniper Dz and the arrest of Guedz represent a significant success for international law enforcement. By taking down one of the longest-running Phishing-as-a-Service platforms, Operation Ramz has disrupted a key source of automated credential theft templates. However, the fluid nature of the cybercrime ecosystem means that new platforms will likely emerge to fill the void, requiring ongoing vigilance from security professionals. Takedowns must be paired with public education to be truly effective in the long run.
For businesses and consumers, the takedown highlights the importance of implementing multi-layered security controls. While law enforcement efforts help reduce the volume of active threats, protecting accounts requires adopting robust authentication methods like FIDO2 keys and monitoring for session anomalies. As PhaaS platforms continue to adopt more advanced techniques, maintaining international cooperation and sharing threat intelligence will remain essential for securing the digital landscape.
Sources and References
- INTERPOL - Official press release and coordination details for Operation Ramz: interpol.int
- The Hacker News - Technical analysis of the Sniper Dz PhaaS platform and Guedz arrest: thehackernews.com
- Group-IB - Threat intelligence report and digital forensics analysis of PhaaS networks: group-ib.com
- Eurojust - International cybercrime cooperation and LabHost enforcement benchmarks: europa.eu