Group-IB, a leading creator of predictive cybersecurity technologies to investigate, prevent, and fight digital crime, today announced its contribution to a coordinated investigation led by INTERPOL and the Algerian National Police that resulted in the arrest of the primary developer and administrator of SniperDz, a phishing-as-a-service (PhaaS) platform that operated for nearly a decade. According to statistics published by the platform in 2016, campaigns run through the service had already collected more than 45,000 victim records, highlighting the scale of the operation and its impact on users worldwide.
Active since at least 2015, SniperDz evolved into a sophisticated criminal platform offering ready-made phishing kits, hosting infrastructure, and operational support to cybercriminals. Over the past nine years, Group-IB identified more than 20,000 unique domains associated with the SniperDz phishing-as-a-service (PhaaS) ecosystem. The platform targeted more than 30 major global organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam.
Group-IB’s Investigations team identified 80 phishing templates deployed in five languages including Arabic, English, French, Spanish, and Hebrew,targeting users of consumer, technology, and payment platforms across multiple geographies. The templates impersonated organizations across a range of sectors, including financial services, online gaming, telecommunications, email providers, social media platforms, and government entities. Victims were lured to convincing imitation websites designed to harvest credentials, personal information, and other sensitive data.
Beyond traditional credential theft, the platform also leveraged social engineering techniques that exploited the popularity and credibility of public figures across the Middle East and North Africa. Threat actors created fake social media accounts impersonating well-known political personalities and used them to promote phishing links disguised as promotional offers or free internet access.
From Infrastructure Analysis to Attribution
Group-IB first identified SniperDz while tracking large-scale phishing activity targeting globally recognized brands, online services, and payment platforms. As the operation expanded across thousands of domains and enabled credential theft at scale, it became a growing threat to the organizations and consumers Group-IB helps protect through its fraud and cybercrime investigations.
Group-IB’s Investigations team conducted a multi-month investigation that combined infrastructure analysis, open-source intelligence (OSINT), and digital footprint correlation to identify the individual believed to be responsible for developing and operating the SniperDz platform.
Rather than focusing solely on malicious infrastructure, Group-IB’s adversary-centric approach enabled investigators to map the threat actor’s online presence across multiple platforms and years of activity. By correlating technical indicators with publicly available information, researchers were able to transform fragmented signals into actionable intelligence that supported law-enforcement efforts.
The investigation revealed a significant operational security failure by the suspect. Publicly available video tutorials created to recruit and train affiliates inadvertently exposed administrative information and account credentials. Researchers also uncovered years of social media activity documenting the platform’s evolution, affiliate recruitment efforts, and the release of new phishing templates. A Telegram channel used to coordinate operations, which had more than 7,300 subscribers when Group-IB shared its findings with INTERPOL, and a Facebook account followed by more than 19,000 users, provided additional evidence linking the suspect to the platform’s activities between 2015 and 2025.
Intelligence-Led Collaboration Leads to Arrest
Group-IB shared its findings with INTERPOL, which coordinated with the Algerian National Police to act on the intelligence. As part of Operation Ramz, infrastructure associated with the SniperDz phishing-as-a-service (PhaaS) was identified and disrupted, including the takedown of a website used to offer phishing-as-a-service capabilities to cybercriminals. The operation resulted in the arrest of the individual identified as the primary developer and administrator of SniperDz, bringing an end to a criminal operation that had remained active for nearly a decade.
“SniperDz is a textbook example of why adversary-centric intelligence matters. Disrupting cybercrime requires more than taking down phishing pages. It requires understanding the people, infrastructure, and criminal ecosystems behind them. By combining threat intelligence, attribution, and close collaboration with law enforcement, we were able to help identify the individual responsible for nearly a decade of phishing activity and contribute to bringing that operation to an end”
CEO of Group-IB
“Phishing-as-a-Service (PhaaS) is a significant global cyberthreat, facilitating millions to be targeted in phishing attacks and causing billions in victim losses. INTERPOL, working with private sector partner Group-IB, was able to provide actionable intelligence and operational support to Algerian law enforcement to achieve significant results – the identification and arrest of the developer and administrator of SniperDz. This outcome is a direct result of strong partnerships which drive the most effective response to combatting cybercrime.”
Director Cybercrime, INTERPOL
The arrest highlights the growing importance of intelligence-driven collaboration between law enforcement agencies and private-sector cybersecurity partners in combating cybercrime. By combining local law-enforcement action with globally sourced threat intelligence, investigators were able to identify and disrupt a long-running criminal operation that had enabled phishing campaigns at significant scale.
The SniperDz takedown is the latest in a series of successful operations supported by Group-IB in collaboration with international law enforcement agencies, including INTERPOL, Europol, and AFRIPOL. To date, Group-IB has contributed to more than 1,600 high-tech crime investigations across 60+ countries, helping identify, investigate, and disrupt cybercriminal infrastructure and threat actors worldwide.
As phishing-as-a-service platforms continue to lower the barrier to entry for cybercriminals, intelligence-led investigations remain critical to dismantling the infrastructure, ecosystems, and individuals behind these operations. Group-IB will continue to support international law enforcement efforts through its predictive threat intelligence capabilities, helping organizations move from reactive response to proactive disruption of digital crime.
