Group-IB supports INTERPOL’s Operation Ramz, contributing intelligence to first MENA-focused cybercrime takedown

Group-IB, a leading creator of predictive cybersecurity technologies to investigate, prevent, and fight digital crime, today announced its contribution to INTERPOL-coordinated Operation Ramz, the first cybercrime operation of its scale conducted across the Middle East and North Africa (MENA) region. Running from October 2025 to February 2026, the operation targeted phishing infrastructure, malware threats, and cyber scams inflicting severe financial and personal harm on individuals and organisations across the region.

The operation, conducted with the participation of 13 countries across the MENA region, resulted in the arrest of 201 individuals, with a further 382 suspects identified. Investigators identified 3,867 victims, seized 53 servers, and disseminated nearly 8,000 pieces of actionable data and intelligence among participating countries to initiate and support investigations.

Devices seized by law enforcement authorities in Jordan during Operation Ramz. Image credit: INTERPOL Jordan.

As part of the operation, Group-IB delivered actionable intelligence on more than 5,000 compromised accounts — including accounts associated with government infrastructure — giving investigators a precise picture of the scale of credential compromise across the region. Group-IB’s analysts also identified and mapped active phishing infrastructure across MENA, providing intelligence on two distinct threat actor clusters: those responsible for the creation and distribution of phishing resources, and separate actors engaged in the sale and distribution of leaked data. This adversary-centric intelligence — tracking not just the infrastructure but the human actors operating behind it — significantly contributed to the overall success of the operation.

Operation Ramz uncovered a range of criminal schemes across the region. In Qatar, investigators identified compromised devices whose owners were themselves victims of cyberattacks — unaware their systems were being used to propagate malicious threats. The affected systems were immediately secured and device owners were notified to take the necessary preventive measures. In Jordan, authorities dismantled a financial fraud operation impersonating a legitimate trading platform. The investigation revealed that the 15 individuals conducting the scams were themselves victims of human trafficking: recruited from their home countries in Asia under false promises of employment, their passports were confiscated upon arrival in Jordan and they were forced or coerced into carrying out the fraud. Two individuals suspected of orchestrating the operation were arrested. In Oman, investigators identified a server in a private residence containing sensitive information; despite the owner having legitimate access, the server carried multiple critical security vulnerabilities including active malware infection, and was disabled to prevent further harm. In Algeria, a phishing-as-a-service website was identified and taken down, with one suspect detained and hardware containing phishing software and scripts seized. In Morocco, authorities seized computers and external drives containing banking data and phishing tools, with three individuals placed under judicial procedures.

Devices seized by law enforcement authorities in Morocco during Operation Ramz. Image credit: INTERPOL Morocco.

“The MENA region has seen a sharp rise in phishing and scam infrastructure targeting financial platforms, government services, and individual victims. Operation Ramz shows what coordinated, intelligence-led action can achieve — and it would not be possible without the kind of deep, regionally relevant threat intelligence that Group-IB’s DCRCs are built to deliver. This operation was the result of strong collaboration between our Digital Crime Resistance Centers across the MENA and APAC regions, reflecting the breadth of our regional presence and our commitment to fighting cybercrime wherever it operates. We are committed to continuing our support for international efforts to dismantle cybercriminal ecosystems and strengthen cyber resilience.”

Dmitry Volkov

CEO of Group-IB

“In a world where cybercriminals exploit the digital landscape without borders, Operation Ramz demonstrates the effectiveness of global collaboration. INTERPOL is dedicated to working with its member countries and private sector partners to take down malicious infrastructure, disrupt criminal groups and bring perpetrators to justice.”

Neal Jetton

Director of Cybercrime, INTERPOL

Group-IB maintains long-standing partnerships with international law enforcement organisations including INTERPOL, Europol, and AFRIPOL, providing threat intelligence and investigative support to global cybercrime investigations. Through its global network of Digital Crime Resistance Centers (DCRCs), regional expertise, and predictive threat and fraud intelligence capabilities, Group-IB helps transform technical indicators into actionable intelligence to support coordinated cybercrime disruption efforts worldwide.

As cybercrime continues to evolve in scale and sophistication, public-private collaboration remains critical to identifying emerging threats, disrupting criminal infrastructure, and strengthening cyber resilience across the MENA region and beyond.

Note to editors

Participating countries include: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia and UAE.

About Group-IB

Established in 2003, Group-IB is a leading creator of predictive cybersecurity technologies to investigate, prevent, and fight digital crime globally. Headquartered in Singapore, and with Digital Crime Resistance Centers in the Americas, Europe, Middle East and Africa, Central Asia, and the Asia-Pacific, Group-IB delivers predictive, intelligence-driven defense by analysing and neutralizing regional and country-specific cyber threats via its Unified Risk Platform, offering unparalleled defense through its industry-leading Cyber Fraud Intelligence Platform, Cloud Security Posture Management, Threat Intelligence, Fraud Protection, Digital Risk Protection, Managed Extended Detection and Response (XDR), Business Email Protection, and External Attack Surface Management solutions, catering to government, retail, healthcare, gaming, financial sectors, and beyond. Group-IB collaborates with international law enforcement agencies like INTERPOL, Europol, and AFRIPOL to fortify cybersecurity worldwide, and has been awarded by advisory agencies including Datos Insights, Gartner, Forrester, Frost & Sullivan, and KuppingerCole.

For more information, visit us at www.group-ib.com or connect with us on LinkedIn, X, Facebook, and Instagram.