A total of 201 individuals were arrested, and 382 additional suspects were identified in a law enforcement crackdown on phishing and malware threats in the Middle East and North Africa (MENA) region. Dubbed Operation Ramz, the 13-country effort also resulted in the seizure of 53 servers and the identification of 3,867 victims across participating jurisdictions, Interpol announced.

The operation ran from October 2025 to February 28, 2026, and involved law enforcement agencies from Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates. Authorities received support from multiple private partners, including Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru, and TrendAI, which helped track illegal activities and identify malicious infrastructure.

Country-Specific Actions

In Algeria, law enforcement shut down a phishing-as-a-service (PhaaS) website, arrested one suspect, and seized a server, a computer, a phone, and hard drives containing malicious software and scripts. The PhaaS platform had enabled criminals to deploy fake login pages targeting banking and email credentials across the region.

In Jordan, police located a computer used in financial fraud scams and arrested two individuals for orchestrating the scheme. As part of the operation, 15 individuals were carrying out the scams, but all were victims of human trafficking. The victims had been promised employment and came to Jordan from various Asian countries. Upon arrival, the two suspects confiscated their passports and forced them to participate in the scheme. Authorities provided the victims with shelter and legal support.

In Morocco, authorities arrested three individuals and seized computers, phones, and hard drives used in phishing operations. The seized devices contained databases of compromised credentials and templates for fake bank websites.

In Oman, authorities disabled a server containing sensitive information that was affected by multiple critical vulnerabilities and infected with malware. The server had been used to host command-and-control infrastructure for a botnet.

In Qatar, law enforcement identified compromised devices that had been used to spread malware without their owners’ knowledge. The systems were secured, and the owners were notified to prevent further exploitation.

International Cooperation and Private Sector Role

Operation Ramz highlights the importance of cross-border collaboration in combating cybercrime, which knows no geographic boundaries. Interpol facilitated information sharing and coordinated simultaneous actions across the 13 countries. Private partners provided threat intelligence, forensic analysis, and technical expertise to identify malicious servers, track financial flows, and attribute attacks to specific groups.

Team Cymru CEO Joe Sander commented, “Cybercrime is borderless, and the only effective response is one that is equally borderless. Operation Ramz is exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on.”

Broader Context of Cybercrime in MENA

The MENA region has seen a sharp rise in cybercrime over the past decade, driven by increased internet penetration, mobile banking adoption, and the proliferation of digital payment systems. Phishing and malware attacks are among the most common threats, often targeting individuals, small businesses, and government agencies. In 2024, cyberattacks in the region increased by 30% compared to the previous year, according to a report by Group-IB.

Phishing-as-a-service platforms have lowered the barrier to entry for cybercriminals, allowing even low-skilled actors to launch sophisticated campaigns. These platforms offer pre-built templates, hosting services, and automated tools for harvesting credentials. Operation Ramz targeted several such platforms, disrupting their operations and preventing future attacks.

Malware threats in the region range from banking trojans to ransomware. In many cases, attackers exploit unpatched vulnerabilities in web servers and network devices to gain initial access. The seized server in Oman, for example, had multiple critical vulnerabilities that had been known for years but were left unpatched.

Impact on Victims and Human Trafficking Nexus

The identification of 3,867 victims across the participating countries underscores the scale of the problem. Victims ranged from individuals whose email accounts were compromised to companies that lost financial data. Interpol said it is working with national authorities to notify victims and provide guidance on mitigating potential harm.

The human trafficking aspect in Jordan is particularly alarming. It illustrates how cybercrime can be intertwined with other organized crime activities. Criminals lured victims with false promises of well-paying jobs, then forced them to commit fraud. This case highlights the need for law enforcement to adopt a holistic approach that addresses both the technical and human dimensions of cybercrime.

Long-Term Strategy and Future Operations

Operation Ramz is part of Interpol’s broader strategy to strengthen cybercrime-fighting capabilities in the MENA region. The organization has established regional cybercrime hubs and provides training to law enforcement officers in digital forensics, threat intelligence, and incident response. Future operations will likely target ransomware groups, business email compromise networks, and illegal cryptocurrency exchanges.

The success of Ramz demonstrates the value of sustained public-private partnerships. Private companies bring real-time threat data and advanced analytical tools that law enforcement often lacks. In return, they gain insights into criminal tactics and the satisfaction of helping dismantle harmful infrastructure. The Shadowserver Foundation, for example, has long provided free scanning services to identify vulnerable servers and notify operators.

As cybercriminals continue to evolve their methods, law enforcement must adapt. The use of artificial intelligence and machine learning by both attackers and defenders is expected to grow. Operation Ramz included analysis of AI-generated phishing emails and deepfake voice calls used to trick victims. Authorities seized servers that hosted AI tools trained to generate convincing fake messages.

The results of Operation Ramz send a strong deterrent message to cybercriminals operating in the MENA region. However, experts caution that such operations are just one part of the solution. Continuous investment in cybersecurity awareness, patching vulnerabilities, and international legal frameworks is essential to reduce the overall threat landscape. With 201 arrests and hundreds more suspects identified, the operation has dealt a significant blow to illegal cyber activities in the region, but the fight is far from over.

Source: SecurityWeek News