INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects.
The initiative involved the efforts of 13 countries from the region, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these activities, and prevent future losses. It took place between October 2025 and February 2026.
“The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region,” INTERPOL said in a statement. “In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized.”
The operation, codenamed Ramz, led to the disruption of a phishing-as-a-service (PhaaS) by Algerian authorities after its server was confiscated, along with a computer, a mobile phone, and hard drives containing phishing software and scripts. One suspect was arrested in connection with the scheme.
Elsewhere, Moroccan officials seized computers, smartphones, and external hard drives that contained banking data and software used for phishing operations.
Authorities also identified a legitimate server located in a private residence in Oman that contained sensitive information. The server suffered from multiple critical security vulnerabilities and was infected by malware. INTERPOL said actions were taken to disable the server.
In a similar case, compromised devices were discovered in Qatar, with the owners themselves unaware that their systems were being used to spread “malicious threats.” Although the exact nature of these threats was not disclosed, the impacted machines are said to have been secured, and the device owners were alerted to take appropriate security measures.
Lastly, Jordanian police identified a computer that was used to run financial fraud scams, where unsuspecting users were tricked into investing their assets in a seemingly legitimate trading platform, only for it to shut down once the funds were deposited.
“A raid uncovered 15 individuals carrying out the scams, but investigators determined that they were victims of human trafficking who had been recruited under the false promise of employment from their home countries in Asia,” INTERPOL said.
“Upon arrival in Jordan, their passports were confiscated, and they were forced or coerced into participating in the scheme. Two individuals suspected of orchestrating the operation were arrested.”
Group-IB, which was one of the private sector companies that participated in the effort, said it provided “actionable intelligence” on over 5,000 compromised accounts, including those that were associated with government infrastructure, and shared details about active phishing infrastructure across the region.
“Cybercrime is borderless, and the only effective response is one that is equally borderless,” Joe Sander, CEO of Team Cymru, said. “Operation Ramz is exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on.”
Countries that took part in Operation Ramz included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the U.A.E.
Series of Law Enforcement Actions
The arrests come against the backdrop of a string of law enforcement actions announced by Germany and the U.S. Department of Justice (DoJ) in recent weeks –
- The sentencing of Thomasz Szabo (aka Plank, Jonah, and Cypher), 27, of Romania, to 48 months in prison for his role as the mastermind of an online swatting ring that targeted more than 75 public officials, four religious institutions, and multiple journalists.
- The indictment of Owe Martin Andresen (aka Speedstepper), the suspected main administrator of the illicit darknet marketplace, Dream Market, on money laundering charges, following his arrest in Germany last week.
- The shutdown of a relaunched version of the Crimenetwork marketplace (it was originally dismantled in December 2024) and the arrest of a suspected administrator, a 35-year-old German citizen, on the Spanish island of Mallorca.
- The conviction of Sohaib Akhter, 34, of Alexandria, Virginia, by a federal jury for deleting 96 databases storing U.S. government information and stealing the plaintext password of an individual who had submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal.
- The sentencing of Alan Bill, 33, of Bratislava, the Slovakian Administrator of Kingdom Market, to 200 months (more than 16 years) in prison after he pleaded guilty to a conspiracy to distribute controlled substances, illegal drugs, stolen financial data, counterfeit documents, and malware earlier this January.
- The sentencing of David Jose Gomez Cegarra, 25, of Venezuela to time served and pay restitution totaling $294,820 in connection with a string of ATM jackpotting incidents between October 5 and November 11, 2024, in the U.S. states of New York, Massachusetts, and Illinois.
- The arrest of a 21-year-old from Dordrecht for their involvement in a tool called JokerOTP that’s used by cybercriminals to intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes for hijacking online accounts by impersonating trusted organizations such as banks, cryptocurrency exchanges, and other major service providers.
- The sentencing of Marlon Ferro (aka GothFerrari), 20, of Santa Ana, California, to 78 months in prison in connection with a social engineering conspiracy that stole more than $250 million in cryptocurrency from victims across the U.S. between late 2023 and early 2025.
“This [social engineering] scheme blended sophisticated online fraud with old-fashioned burglary to drain victims of millions of dollars in digital assets,” U.S. Attorney Jeanine Ferris Pirro stated.
“The conspiracy’s operatives typically targeted individuals believed to hold significant cryptocurrency holdings. Its members manipulated victims into surrendering access to their digital wallets through elaborate fraud schemes. When victims stored their cryptocurrency in hardware wallets, physical devices that cannot be accessed remotely, the enterprise turned to Ferro.”
