INTERPOL Ramz Sweep Nets 201 in MENA Cybercrime Crackdown

INTERPOL has announced the results of Operation Ramz, a first-of-its-kind cybercrime crackdown across the Middle East and North Africa that has led to 201 arrests, the identification of 382 additional suspects, and the disruption of phishing, malware and online fraud infrastructure spanning 13 countries. Running from October 2025 through 28 February 2026, the coordinated sweep targeted criminal networks exploiting the region’s rapid digitalization, according to an INTERPOL statement on the operation’s outcomes.[1]

Authorities across Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia and the United Arab Emirates worked with INTERPOL to investigate malicious infrastructure, identify operators and seize evidence. Investigators identified 3,867 victims, dismantled or seized 53 servers supporting phishing and malware campaigns, and exchanged nearly 8,000 pieces of operational data and intelligence to kick-start and advance national cases.[1] Singapore-based Group-IB, which contributed threat intelligence and technical support, said the joint work focused on infrastructure used to harvest credentials, distribute malware and automate large-scale social engineering attacks.[2]

The sweep exposed a range of criminal services underpinning regional cybercrime. In Algeria, investigators took down a phishing-as-a-service website that provided ready-made tools for less-skilled actors to launch credential-harvesting campaigns, leading to at least one arrest.[1] Moroccan authorities seized computers, smartphones and external hard drives containing banking data and phishing software, with three individuals now facing judicial proceedings and further suspects under investigation. While specific malware families were not publicly named, INTERPOL described the takedowns as targeting infrastructure used for banking fraud and other financially motivated schemes.

Operation Ramz relied heavily on public–private collaboration to map and dismantle the networks. Alongside Group-IB, INTERPOL worked with Kaspersky, Shadowserver, Team Cymru and TrendAI to trace malicious servers, correlate indicators and support local law enforcement actions.[3] The operation received support from Qatar’s Ministry of Interior and partial funding from the European Union and Council of Europe under the CyberSouth+ project, part of ongoing efforts to bolster cybercrime units and digital evidence capabilities across the region.[1]

The crackdown underscores how regional and global policing bodies are increasingly treating cybercrime infrastructure as a transnational threat, following earlier INTERPOL efforts such as 2025’s Operation Secure, which dismantled more than 20,000 malicious IP addresses or domains tied to 69 information-stealing malware variants and led to 32 arrests worldwide.[4] For defenders, the Ramz results highlight both the scale of phishing and malware operations targeting MENA users and the value of sharing indicators of compromise and forensic data with law enforcement and trusted threat-intelligence providers to accelerate takedowns.

While Operation Ramz has disrupted key nodes in several criminal ecosystems, INTERPOL officials emphasized that the arrests and seizures are a starting point rather than a conclusion. Organizations in the region are still urged to harden email and web gateways, tighten identity and access controls, and maintain user-awareness programs against credential theft and payment fraud. They should also monitor advisories and threat bulletins derived from such operations and use them to update detection rules and response playbooks.
