INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests

INTERPOL coordinated a first-ever cybercrime operation in the Middle East and North Africa (MENA) which resulted in the arrest of 201 people and the identification of 382 other suspects.

This program involves the efforts of 13 countries from the region between October 2025 and February 2026, which aims to investigate and eliminate malicious infrastructure, arrest the perpetrators of these activities, and prevent future losses.

“The mission focused on reducing phishing and malware threats, as well as tackling cyber-fraud that is causing huge costs in the region,” INTERPOL said in a statement. Apart from those arrested, 3,867 victims were identified, and 53 servers were confiscated.

The work, named in code Ramzwhich led to a phishing-as-a-service (PhaaS) disruption by Algerian authorities after its server was seized, along with computer, mobile, and hard drives containing phishing software and documents. One suspect was arrested in connection with this scheme.

Elsewhere, Moroccan authorities seized computers, smartphones, and external hard drives containing bank data and software used in phishing activities.

Authorities also identified an official server located at a private residence in Oman that contained sensitive information. The server suffered from several critical security vulnerabilities and was infected with malware. INTERPOL said steps were taken to disable the server.

In the same situation, damaged devices were found in Qatar, the owners themselves did not know that their systems were used to spread “malicious threats.” Although the nature of these threats has not been disclosed, the affected devices are said to be secure, and device owners are being warned to take appropriate precautions.

Finally, Jordanian police identified a computer used to run financial fraud scams, where unsuspecting users were tricked into investing in a seemingly legitimate trading platform, only to have it shut down once funds were deposited.

“15 people were identified as the perpetrators of this scam, but investigators found that they were victims of human trafficking who had been recruited on the false promise of employment in their home countries in Asia,” said INTERPOL.

“When they arrived in Jordan, their passports were taken away, they were forced or coerced to participate in this program. Two people were arrested who are suspected to be the ones who organized this program.”

Group-IB, which was one of the private companies involved in the effort, said it provided “actionable intelligence” on more than 5,000 compromised accounts, including those associated with government infrastructure, and shared information about phishing infrastructure across the region.

“Cyber ​​crime​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​​a​​​​​​​​​​​​​​​​a​​​​​​​​​​​​​​​​​​​​​​​​a. “Operation Ramz is exactly the answer, with law enforcement and trusted private sector partners combining intelligence, moving in concert, and dismantling the infrastructure that criminals rely on.”

Countries participating in Operation Ramz include Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE.

Series of Law Enforcement Actions

The arrest comes after a number of legal actions announced by Germany and the US Department of Justice (DoJ) in recent weeks –

• The sentencing of Thomasz Szabo (aka Plank, Jona, and Cypher), 27, from Romania, to 48 months in prison for his role as the mastermind of an Internet chain that targeted more than 75 government officials, four religious institutions, and numerous journalists.
• The trial of Owe Martin Andresen (also known as Speedstepper), the alleged executive director of the illegal marketplace, Dream Market, on charges of money laundering, follows his arrest in Germany last week.
• The closure of the relaunched version of the Crimenetwork market (which was first dissolved in December 2024) and the arrest of the alleged manager, a 35-year-old German citizen, on the Spanish island of Mallorca.
• The conviction of Sohaib Akhter, 34, of Alexandria, Virginia, by a federal judge for deleting 96 US government databases and stealing the password of a complainant on the Public Portal of the Equal Employment Opportunity Commission.
• The sentencing of Alan Bill, 33, of Bratislava, Slovakian Administrator of Kingdom Market, to 200 months (more than 16 years) in prison after pleading guilty to conspiracy to distribute controlled substances, illegal drugs, stolen financial data, forged documents, and computer malware earlier this January.
• The sentencing of David Jose Gomez Cegarra, 25, of Venezuela served time and paid a total of $294,820 in connection with a series of ATM fraud incidents between October 5 and November 11, 2024, in the US states of New York, Massachusetts, and Illinois.
• The sentencing of Marlon Ferro (aka GothFerrari), 20, of Santa Ana, California, to 78 months in prison for a social engineering conspiracy that stole more than $250 million in cryptocurrency from victims across the US between late 2023 and early 2025.

“This [social engineering] the scheme combined sophisticated online fraud and old-fashioned hacking to defraud victims of millions of dollars in digital assets,” said US Attorney Jeanine Ferris Pirro.

“Conspiracy operatives often targeted individuals believed to have large amounts of cryptocurrency. Its members tricked victims into giving up access to their digital wallets through sophisticated fraud schemes. When victims stored their cryptocurrency in hardware wallets, physical objects that could not be accessed remotely, the company turned to Ferro.”