Background
In 2024, Group-IB’s Investigation Team, working in partnership with INTERPOL, began tracing a pattern of social engineering attacks that had drawn attention in the MENA region. The lure was disarmingly simple: fake Facebook accounts impersonating prominent politicians offered gifts and free internet access. Behind it was something far more sophisticated.
The trail led investigators to SniperDz, a phishing-as-a-service platform that had been quietly serving cybercriminals since at least 2015. Operating through Telegram and Facebook channels, SniperDz offered a toolkit of 80 ready-made phishing templates targeting more than 30 major global brands, among them PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam.
Over its decade-long run, the platform cycled through multiple identities (JokerDz, StormDz, SpamDz), each rebrand accompanied by a migration to new domains. The name changed, but the criminal intent did not.
Behind the scenes
What set SniperDz apart from most competitors was its business model: the platform was entirely free. Where commercial PhaaS operations like Phoenix charge subscription fees, SniperDz offered its infrastructure at no cost, dramatically lowering the barrier to entry for would-be fraudsters.
The absence of subscription fees did not mean the operation lacked a revenue stream. Instead, the operators monetized the ecosystem through both credential theft and victim traffic. Stolen credentials could be harvested through phishing campaigns, while users who did not yield credentials could still be redirected into carrier billing fraud, premium SMS subscriptions, browser notification abuse schemes, and other affiliate-driven scam campaigns.
The developer’s own behavior added a layer of irony. Embedded in the platform’s source code was a hidden message signaling an intention to sell the project, later made explicit in a public Telegram announcement. The asking price was $1,500. Despite the modest valuation and repeated attempts over at least a year, no buyer was found. The platform remained in the developer’s hands until law enforcement came knocking.
Impact
For nearly ten years, SniperDz served as quiet criminal infrastructure, available to anyone with the motivation to use it. The scale of its reach became concrete in 2016, when the platform published statistics showing that campaigns run through its service had already collected more than 45,000 victim records. That figure represented only the activity captured at a single point in time, years before the operation was dismantled.
The damage extended well beyond individual victims. More than 30 major global organizations had their brands weaponized to deceive users. The platform’s multilingual, multi-brand reach meant that fraud was distributed in multiple countries, which compounded the difficulty of detecting systemic patterns.
Group-IB identified more than 20,000 unique domains associated with the SniperDz ecosystem over the course of its investigation. Each domain represented a campaign, a set of victims, and an organization whose reputation had been put at risk.
Storyline
The investigation began with a social engineering scheme and ended with full attribution. Getting there required months of methodical work: correlating years of archived infrastructure data, open-source intelligence, and cross-platform digital forensics.
When Group-IB analysts mapped the MENA social engineering campaigns in 2024, the phishing sites behind them shared consistent technical signatures. The operators kept rebranding the service and registering new domains with identical registrant data — a critical operational security failure. Group-IB Threat Intelligence had archived every change to those WHOIS records over the years, which helped to reconstruct the platform’s ownership history and draw definitive links between the hero-egy[.]com, stormdz[.]com, and jokerdz[.]com domains.
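The pivot described above, registrant data reused across rebranded domains and recovered from archived WHOIS snapshots, is a repeatable technique. The following is an added example, not Group-IB's tooling or data: it clusters domains that ever shared a non-redacted registrant email or phone number, and it deliberately refuses to pivot on registrar privacy-proxy placeholders, which would otherwise link unrelated domains. The WHOIS records are constructed, with fictitious domains and registrant values; the matching on email and phone is an assumption about which fields are worth pivoting on.

```python
"""Link rebranded domains through archived WHOIS registrant data.

Added example, not Group-IB's code. WHOIS_HISTORY is constructed sample
data with fictitious domains and registrant values.
"""
import re
from collections import defaultdict

# Placeholder strings that registrar privacy services substitute for the
# real registrant. Pivoting on these would falsely join unrelated domains.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "domainsbyproxy")

# Constructed WHOIS snapshots: one row per (domain, date) observation.
WHOIS_HISTORY = [
    {"domain": "brand-one.example", "seen": "2015-03-01",
     "email": "Admin@Mail.Example", "phone": "+1.202.555.0100"},
    {"domain": "brand-one.example", "seen": "2017-06-01",
     "email": "REDACTED FOR PRIVACY", "phone": "REDACTED FOR PRIVACY"},
    {"domain": "brand-two.example", "seen": "2017-08-15",
     "email": "admin@mail.example", "phone": "+1 (202) 555-0100"},
    {"domain": "brand-three.example", "seen": "2019-01-10",
     "email": "other@mail.example", "phone": "1-202-555-0100"},
    {"domain": "unrelated.example", "seen": "2018-02-02",
     "email": "REDACTED FOR PRIVACY", "phone": "REDACTED FOR PRIVACY"},
]


def normalize(field, value):
    """Normalise a registrant field; return None for empty or privacy-proxy values."""
    if not value:
        return None
    v = value.strip().lower()
    if any(marker in v for marker in PRIVACY_MARKERS):
        return None
    if field == "phone":
        v = re.sub(r"\D", "", v)  # digits only, so punctuation differences don't matter
        return v or None
    return v


class DisjointSet:
    """Minimal union-find used to merge domains that share a pivot value."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(history, pivot_fields=("email", "phone")):
    """Group domains that ever shared a non-redacted registrant value.

    Returns a list of clusters, each with sorted domains, the pivot values
    that joined them, and the first/last snapshot dates, ordered by first_seen.
    """
    ds = DisjointSet()
    by_pivot = defaultdict(set)
    for rec in history:
        ds.find(rec["domain"])  # register every domain, even if it never pivots
        for field in pivot_fields:
            value = normalize(field, rec.get(field))
            if value:
                by_pivot[(field, value)].add(rec["domain"])

    # Only values seen on more than one domain are evidence of a link.
    shared = {k: v for k, v in by_pivot.items() if len(v) > 1}
    for (_, _), domains in shared.items():
        first, *rest = sorted(domains)
        for d in rest:
            ds.union(first, d)

    clusters = defaultdict(lambda: {"domains": set(), "pivots": set(), "timeline": []})
    for rec in history:
        c = clusters[ds.find(rec["domain"])]
        c["domains"].add(rec["domain"])
        c["timeline"].append((rec["seen"], rec["domain"]))
    for (field, value), domains in shared.items():
        clusters[ds.find(next(iter(domains)))]["pivots"].add(f"{field}={value}")

    out = []
    for c in clusters.values():
        c["timeline"].sort()
        out.append({"domains": sorted(c["domains"]),
                    "pivots": sorted(c["pivots"]),
                    "first_seen": c["timeline"][0][0],
                    "last_seen": c["timeline"][-1][0]})
    out.sort(key=lambda c: (c["first_seen"], c["domains"][0]))
    return out


if __name__ == "__main__":
    for cluster in cluster_domains(WHOIS_HISTORY):
        print(cluster)
```

In the constructed data the three brand domains join on a shared email and a shared phone number even though the oldest domain was later moved behind a privacy proxy, while the domain that only ever carried redacted values stays in a cluster of its own. In practice the pivot set would also include name-server history, hosting IPs and TLS certificate fingerprints, and the phone normalisation would need country-code handling beyond what is shown here.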
The phishing-as-a-service platform offered an automated conversion tool that transformed standard HTML phishing pages into Blogger-compatible formats. By hosting their campaigns on a legitimate, widely used platform, operators could pass off malicious pages as trusted content and avoid security checks.

Figure 1. The HTML-to-Blogger conversion tool
Once a victim landed on one of these pages, the platform harvested a comprehensive dataset, including:
— User credentials (usernames and passwords)
— Timestamp of the compromise (date and time)
— Victim IP addresses
— Geographic location (country of origin)

Figure 2. SniperDz admin panel
The platform’s reach was shaped by a deliberate localization strategy. Arabic, English, and French templates formed the operational core, while Spanish and Hebrew editions were maintained until 2019 and 2020 respectively, then deprecated as the threat actors refocused their geographic targeting.

Figure 3. Templates shown in various languages
Linking the infrastructure proved the domains belonged to one operation, but the most consequential breakthrough came from the platform’s own educational content. The developer had produced and distributed video tutorials designed to recruit and train affiliates, a decision that proved costly. In multiple recordings, the threat actor inadvertently displayed historical administrator email addresses. In others, the newly provisioned accounts used to manage live operations were visible in the background. Each video meant to teach others how to commit fraud became, in investigators’ hands, a piece of attribution evidence.
Group-IB experts used the proprietary Investigation Graph to correlate the technical indicators with publicly available social media activity: posts documenting the platform’s evolution, affiliate-recruitment announcements, the release of new phishing templates, and Telegram channel communications spanning 2015 to 2025. Together, those findings resolved into a complete picture of the threat actor known as Guedz: the developer and administrator behind SniperDz.
Once attribution was achieved, Group-IB shared the full intelligence package — infrastructure maps, domain histories, digital footprint analysis, and identifying evidence — with INTERPOL and the Algerian National Police.
And justice for all
As part of Operation Ramz, INTERPOL’s first cybercrime operation of its scale conducted across the MENA region, the SniperDz infrastructure was identified and disrupted. A website used to offer phishing-as-a-service capabilities to cybercriminals was taken down. An individual with the username Guedz, identified as the primary developer and administrator of SniperDz, was arrested by Algerian authorities. Hardware containing phishing software and scripts was seized.
Group-IB delivered actionable intelligence on more than 5,000 compromised accounts across the region, including accounts associated with government infrastructure. That intelligence contributed directly to the SniperDz takedown and to the broader operation results: 201 individuals arrested, 382 suspects identified, 3,867 victims recorded, and 53 servers seized in 13 countries.
Conclusion
The arrest brought to an end a criminal operation that had remained active for nearly a decade, surviving multiple rebrands and domain migrations. The operation highlighted the growing importance of intelligence-driven collaboration between law enforcement agencies and private-sector cybersecurity partners in combating cybercrime. By combining local law-enforcement action with globally sourced threat intelligence, investigators were able to identify and disrupt a long-running criminal operation that had enabled phishing campaigns at significant scale.
As phishing-as-a-service platforms continue to lower the barrier to entry for cybercriminals, intelligence-led investigations remain critical to dismantling the infrastructure, ecosystems, and individuals behind these operations. Group-IB will continue to support international law enforcement efforts through its predictive threat intelligence capabilities, helping organizations move from reactive response to proactive disruption of digital crime.