Full Report
INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these
Analysis Summary
# Incident Report: Operation Ramz MENA Cybercrime Crackdown
## Executive Summary
INTERPOL coordinated "Operation Ramz," a first-of-its-kind multi-national cybercrime crackdown involving 13 countries across the Middle East and North Africa (MENA). The operation disrupted diverse criminal activities including Phishing-as-a-Service (PhaaS), financial fraud, and malware distribution, resulting in 201 arrests and the identification of nearly 4,000 victims. The initiative also highlighted a critical link between cybercrime and human trafficking in the region.
## Incident Details
- **Discovery Date:** October 2025 (Initiation of Operation)
- **Incident Date:** October 2025 – February 2026
- **Affected Organization:** Multiple (Government infrastructure, private citizens, financial sector)
- **Sector:** Cross-sector (Government, Finance, Private Individuals)
- **Geography:** MENA Region (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and U.A.E.)
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing through late 2025.
- **Vector:** Phishing, exploitation of critical software vulnerabilities.
- **Details:** Attackers utilized Phishing-as-a-Service platforms and exploited unpatched servers to gain entry into victim environments.
### Lateral Movement
- **Details:** Not explicitly detailed in the report, though evidence suggests the use of compromised legitimate servers and devices as proxies to mask further activity.
### Data Exfiltration/Impact
- **Details:** Theft of banking data, compromise of government account credentials, and victims lured into transferring assets to fake investment trading platforms.
### Detection & Response
- **Detection:** Intelligence sharing between INTERPOL, Group-IB, and Team Cymru.
- **Response Actions:** Coordinated raids, seizure of 53 servers and various hardware (hard drives, mobile phones), and neutralization of phishing scripts.
## Attack Methodology
- **Initial Access:** Phishing (PhaaS), exploitation of critical security vulnerabilities.
- **Persistence:** Implementation of malware on legitimate residential and commercial servers.
- **Credential Access:** Phishing scripts designed to harvest banking and government credentials.
- **Discovery:** Scanning for vulnerable servers (as seen in the Oman case).
- **Lateral Movement:** Use of compromised devices in Qatar to spread "malicious threats."
- **Exfiltration:** Transfer of stolen banking data to external hard drives and actor-controlled servers.
- **Impact:** Financial loss through fraudulent trading platforms; use of human trafficking victims for forced labor in cybercrime "scam centers."
## Impact Assessment
- **Financial:** Severe (Thousands of victims scammed via fraudulent investment platforms).
- **Data Breach:** Over 5,000 compromised accounts, including those associated with government infrastructure.
- **Operational:** 53 servers seized and taken offline; PhaaS infrastructure dismantled.
- **Reputational:** High impact on trust in regional digital trading and banking systems.
## Indicators of Compromise
- **Network Indicators:** Phishing infrastructure (URLs and IPs should be shared defanged; `hxxp[://]phishing-service[.]com` is an illustrative placeholder, not an indicator published in the report).
- **File Indicators:** Phishing scripts and "malicious software" found on seized hard drives in Algeria and Morocco.
- **Behavioral Indicators:** Legitimate residential servers exhibiting unusual traffic patterns associated with malware distribution.
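The defanged notation used in the indicator list above (`hxxp[://]` and `[.]`) is a sharing convention, and analysts need to convert in both directions when exchanging indicators with partners. The following is an added example, not code from INTERPOL, Group-IB, or Team Cymru; all sample URLs, hosts, and IPs are constructed placeholders.

```python
"""Defang / refang helpers for exchanging phishing indicators safely."""
import re

# Constructed sample indicators (placeholders, not from the report).
SAMPLE_LIVE = [
    "http://phishing-service.com/login",
    "https://198.51.100.23:8443/panel",
    "bank-verify.example.net",
]

# Scheme, host (up to the first ':' or '/'), and whatever follows.
_URL = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?P<rest>.*)$", re.IGNORECASE)


def defang(indicator: str) -> str:
    """Neutralise a URL, domain or IP so it is not clickable or auto-linked.

    Only the scheme and host are rewritten; the path is left intact so the
    indicator still matches what a victim would have seen.
    """
    m = _URL.match(indicator)
    if m:
        scheme = m.group("scheme").lower().replace("http", "hxxp")
        host = m.group("host").replace(".", "[.]")
        return f"{scheme}[://]{host}{m.group('rest')}"
    # Bare domain or IP address.
    return indicator.replace(".", "[.]")


def refang(indicator: str) -> str:
    """Reverse defang() so the value can be fed to blocklists or DNS lookups."""
    out = re.sub(r"^hxxp(s?)\[://\]", r"http\1://", indicator, flags=re.IGNORECASE)
    return out.replace("[.]", ".")


def is_defanged(indicator: str) -> bool:
    """True if the indicator already carries defang markers."""
    return "[.]" in indicator or indicator.lower().startswith("hxxp")


def normalise_for_sharing(indicators):
    """Return every indicator in defanged form, whether or not it already was."""
    return [i if is_defanged(i) else defang(i) for i in indicators]


if __name__ == "__main__":
    for live in SAMPLE_LIVE:
        safe = defang(live)
        print(f"{live:45} -> {safe}")
        assert refang(safe) == live
```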
## Response Actions
- **Containment:** Disabling infected servers in Oman and securing compromised devices in Qatar.
- **Eradication:** Confiscation of hard drives, PhaaS software, and scripts by Algerian and Moroccan authorities.
- **Recovery:** Notifying identified victims (3,867 individuals) and providing security measures to affected device owners.
## Lessons Learned
- **Cross-Border Intelligence:** Cybercrime is borderless; collaboration between law enforcement and private intelligence firms (Group-IB, Team Cymru) is essential for mapping infrastructure.
- **Human Factors:** Cybercrime operations in the region are sometimes manned by victims of human trafficking, adding a layer of complexity to criminal investigations.
- **Infrastructure Hygiene:** Legitimate servers in private residences often lack professional monitoring, making them prime targets for hosting malicious activities.
## Recommendations
- **Patch Management:** Ensure all internet-facing servers are updated against critical vulnerabilities.
- **PhaaS Awareness:** Implement advanced email filtering to detect common phishing script signatures.
- **Public Awareness:** Educate citizens on the signs of fraudulent investment platforms and "too good to be true" employment offers.
- **Multi-Factor Authentication (MFA):** Mandatory MFA for all government and banking accounts to mitigate the impact of stolen credentials.