
Operation Ramz Seizes Sniper Dz Infrastructure After 10 Years, 201 Arrests Across 13 MENA States
Interpol-led Operation Ramz dismantled Sniper Dz, a free-to-use PhaaS service active since 2015. The takedown yielded 201 arrests but left affiliate fraud channels untouched. Historical patterns indicate rapid platform migration within three months.
Group-IB reporting and seized hardware confirm the platform operated continuously since 2015 under four successive brands while offering fully hosted phishing pages at no cost. Revenue derived instead from harvested credentials sold onward and from affiliate redirects into carrier billing and premium SMS fraud. Unit 42's October 2024 telemetry showed Telegram distribution to 7,300 subscribers and proxy-hosted pages that evaded takedown for years.
The free infrastructure model lowered entry barriers far below typical PhaaS pricing, enabling rapid operator churn rather than single-point disruption. Rebranding cycles and politician-impersonation lures in Arabic and French indicate deliberate adaptation to local trust signals that commercial vendors rarely match. Official statements emphasize 201 arrests yet omit independent confirmation that the seized domains match the 20,000 previously tracked.
Residual infrastructure and affiliate networks remain intact. Similar low-friction kits have historically resurfaced within 60-90 days on new bulletproof hosts. Future operations will need to target the downstream monetization layer, not the hosting layer alone, if they are to produce a measurable reduction in credential theft volume.
Group-IB: measurable Sniper Dz successor activity will exceed 40 percent of prior volume on new domains within 90 days
Sources (2)
- [1] Group-IB Sniper Dz Disruption Report (https://www.group-ib.com/blog/operation-ramz-sniper-dz)
- [2] Palo Alto Networks Unit 42 Sniper Dz Analysis (https://unit42.paloaltonetworks.com/sniper-dz-telegram-2024)