ctipilot.ch

INTERPOL Operation Ramz

campaign · campaign:interpol-operation-ramz-mena-cybercrime-13-country-201-arre

INTERPOL Operation Ramz — first MENA-region cybercrime sweep: 201 arrests, 53 servers, first Algerian PhaaS takedown (Oct 2025–Feb 2026)

Coverage timeline

  • Appearances: 2 (first 2026-05-18 → last 2026-05-19)
  • Entries: 2 (2 distinct days)
  • Sources cited: 6 (6 hosts)
  • Sections touched: 2 (active-threats, weekly-policy)
  • Co-occurring entities: 2 (see Related entities below)

Story timeline

  1. 2026-05-19 · active-threats · INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown
  2. 2026-05-18 · weekly-policy · Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz

Where this entity is cited

  • weekly-policy: 1
  • active-threats: 1

Source distribution

  • eurojust.europa.eu: 1 (17%)
  • fiod.nl: 1 (17%)
  • helpnetsecurity.com: 1 (17%)
  • interpol.int: 1 (17%)
  • justice.gov: 1 (17%)
  • thehackernews.com: 1 (17%)

Related entities

Entries about INTERPOL Operation Ramz (2)

2026-05-19

INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown

notable · threat · discovered 2026-05-19 05:00 UTC

INTERPOL announced on 2026-05-18 the completion of Operation Ramz — described as the first cyber operation of its scale coordinated by INTERPOL specifically targeting the MENA region — running October 2025 through 2026-02-28 across 13 countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE) (INTERPOL, 2026-05-18; The Hacker News, 2026-05-18; Help Net Security, 2026-05-18). Outcomes: 201 arrests, 382 further suspects identified, 3,867 victims, 53 servers seized, ~8,000 intelligence data points disseminated. Algerian authorities dismantled a phishing-as-a-service operation, seizing a server, computer and hard drives containing phishing software and scripts. Moroccan police seized devices with banking data and phishing tooling; Omani investigators identified a residential server with active malware infection. Jordanian police rescued 15 human-trafficking victims who had been coerced into running cybercrime operations — the same forced-labour-to-cyber-scam pipeline documented in Southeast Asian fraud compounds. Industry partners: Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, TrendAI. The operation is partially funded by the EU and Council of Europe under the CyberSouth+ project.

Why it matters to us: MENA-based PhaaS kits routinely target EU banking customers and EU payment rails (SEPA-Inst flagging, IBAN-based phishing lures); the disruption reduces commodity-kit availability and the Shadowserver / Group-IB intelligence shared via the operation will surface in NCSC / BSI / NCSC-CH advisories over the coming weeks. The trafficking-to-scam pipeline confirmed in Jordan is the same operator model EUROPOL has been mapping for fraud-compound disruption.

“A first-of-its-kind cybercrime operation in the MENA region has led to the arrest of 201 individuals, with a further 382 suspects identified” — INTERPOL

“In Algeria, a website offering phishing as a service was identified and dismantled as part of Operation Ramz” — INTERPOL

law-enforcement organized-crime phishing eu-nexus middle-east africa europe

2026-05-18

Law-enforcement infrastructure takedowns — Operation Saffron (Switzerland JIT), FIOD/Stark Industries, Kimwolf, INTERPOL Ramz

notable · policy · discovered 2026-05-18 05:00 UTC

Four coordinated actions in the window degraded threat-actor infrastructure relevant to this audience. Operation Saffron dismantled First VPN — a Russian-language criminal anonymisation service marketed to ransomware operators — seizing 33+ servers and capturing the user database; Switzerland was a named Joint Investigation Team participant, and the infrastructure is linked to Phobos RaaS (Eurojust; daily 2026-05-22). The Netherlands FIOD arrested two suspects for EU-sanctions evasion tied to the Stark Industries bulletproof-hosting front and seized ~800 servers, dismantling NoName057(16) DDoS plumbing (FIOD; daily 2026-05-23). The alleged operator of the Kimwolf 30+ Tbps IoT DDoS-for-hire botnet (AISURU variant) was arrested (US DoJ; daily 2026-05-23), and INTERPOL Operation Ramz logged 201 arrests across a 13-country MENA sweep including a PhaaS-server takedown (INTERPOL; daily 2026-05-19). The defender-relevant pattern: the takedowns hit anonymisation/hosting/DDoS plumbing rather than end actors, so expect short-term infrastructure churn (new VPN/hosting fronts, rebuilt botnet C2) rather than a durable drop in activity.

law-enforcement organized-crime ransomware ddos europe switzerland global