ctipilot.ch

INTERPOL Operation Ramz — first MENA-region cybercrime sweep: 201 arrests, 53 servers, first Algerian PhaaS takedown (Oct 2025–Feb 2026)

campaign · item:interpol-operation-ramz-mena-cybercrime-13-country-201-arre

  • Coverage timeline: 1 (first 2026-05-19 → last 2026-05-19)
  • Briefs: 1 (1 distinct)
  • Sources cited: 14 (8 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-19: CTI Daily Brief — 2026-05-19
    active_threats: First coverage. 13-country MENA sweep; INTERPOL official + THN + Help Net + Infosecurity Magazine; EU/Council-of-Europe-funded CyberSouth+; Jordan trafficking-to-cyber-scam pipeline rescued 15 victims.

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 6 (43%)
  • github.com: 2 (14%)
  • helpnetsecurity.com: 1 (7%)
  • interpol.int: 1 (7%)
  • thehackernews.com: 1 (7%)
  • bishopfox.com: 1 (7%)
  • docs.litellm.ai: 1 (7%)
  • microsoft.com: 1 (7%)

All cited sources (14)

Items in briefs about INTERPOL Operation Ramz — first MENA-region cybercrime sweep: 201 arrests, 53 servers, first Algerian PhaaS takedown (Oct 2025–Feb 2026) (1)

INTERPOL Operation Ramz — 13-country MENA cybercrime sweep: 201 arrests, 53 servers seized, Algerian PhaaS server takedown

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

INTERPOL announced on 2026-05-18 the completion of Operation Ramz — described as the first cyber operation of its scale coordinated by INTERPOL specifically targeting the MENA region — running October 2025 through 2026-02-28 across 13 countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE) (INTERPOL, 2026-05-18; The Hacker News, 2026-05-18; Help Net Security, 2026-05-18). Outcomes: 201 arrests, 382 further suspects identified, 3,867 victims, 53 servers seized, ~8,000 intelligence data points disseminated. Algerian authorities dismantled a phishing-as-a-service operation, seizing a server, computer and hard drives containing phishing software and scripts. Moroccan police seized devices with banking data and phishing tooling; Omani investigators identified a residential server with active malware infection. Jordanian police rescued 15 human-trafficking victims who had been coerced into running cybercrime operations — the same forced-labour-to-cyber-scam pipeline documented in Southeast Asian fraud compounds. Industry partners: Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, TrendAI. The operation is partially funded by the EU and Council of Europe under the CyberSouth+ project.

Why it matters to us: MENA-based PhaaS kits routinely target EU banking customers and EU payment rails (SEPA-Inst flagging, IBAN-based phishing lures); the disruption reduces commodity-kit availability and the Shadowserver / Group-IB intelligence shared via the operation will surface in NCSC / BSI / NCSC-CH advisories over the coming weeks. The trafficking-to-scam pipeline confirmed in Jordan is the same operator model EUROPOL has been mapping for fraud-compound disruption.