Sniper Dz Reuses Single VAPID Key Across Algeria Telecom and Regional Investment Scams After INTERPOL Takedown

Sniper Dz operators impersonate Algérie Télécom on Facebook to push fake data offers, routing clicks through Linkbio and Linktree landing pages before hitting browser-notification traps. The same VAPID public key appears in unrelated investment lures, indicating a shared push-notification backend rather than isolated actor infrastructure. Back-button hijacking with ten injected history states and tab-under redirects keep victims inside the TDS long enough for carrier-based premium billing or crypto redirects to trigger.

Link-aggregation services mask final destinations from platform crawlers, a pattern Group-IB also documented in Southeast Asian TDS clusters taken down in 2024. Reuse of the VAPID key supplies the first concrete post-INTERPOL linkage between the May platform seizure and continued MENA activity, contradicting claims that the service was fully dismantled.

Traffic-distribution logic selects monetization paths by device, carrier, and geolocation, favoring premium-rate calls in Algeria and SMS subscriptions in Morocco and Tunisia. This matches procurement patterns seen in other PhaaS kits sold on Russian-language forums that bundle notification abuse with history manipulation.

Fresh domains registered after the takedown already carry the identical VAPID key, showing rapid re-provisioning. Regulators in Algeria and INTERPOL partners should expect continued volume until the key is blacklisted at the browser-vendor level.