Based on reporting by The Hacker News →
Introduction
For a decade, one platform quietly powered credential theft across the Middle East and North Africa — until a coordinated global police action finally pulled the plug. The takedown of Sniper Dz and the arrest of its primary operator sends a clear signal that even long-running cybercrime-as-a-service enterprises are not beyond reach, but the infrastructure they leave behind demands constant vigilance.
The problem
According to a report by The Hacker News, an Interpol-led operation codenamed “Operation Ramz” concluded in February 2026 after disrupting the Sniper Dz phishing-as-a-service (PhaaS) platform. The investigation, which spanned from October 2025 to February 2026, involved authorities from 13 countries in the Middle East and North Africa (MENA) region and resulted in 201 arrests. Among those detained was the platform’s primary administrator, known as Guedz, security firm Group-IB revealed on Thursday. Sniper Dz had been operational for over ten years, providing ready-made phishing kits and infrastructure to a network of cybercriminals.
Consequences
The immediate consequence of a decade-long PhaaS operation like Sniper Dz is the massive volume of stolen credentials, session tokens, and personal data harvested from unwitting victims across multiple sectors — banking, e-commerce, government portals, and social media. For every kit sold, hundreds or thousands of end users faced account takeovers, financial fraud, or identity theft. On the enterprise side, compromised employee credentials often serve as the initial foothold for ransomware gangs and data extortion groups. The 201 arrests illustrate the scale of the criminal supply chain that Sniper Dz enabled, but many of the stolen credentials are likely already circulating on dark web markets or being used in follow-on attacks.