INTERPOL’s Operation Ramz: Disruption of Transnational Cybercrime Networks, Over 200 Individuals Arrested
Published
Key Takeaways
- Operational Disruption: Law enforcement apprehended over 200 individuals and decommissioned more than 50 malicious servers.
- Victimology and Suspect Profiles: The 13-nation operation identified almost 4,000 victims and 400 additional subjects of interest.
- Mitigation of Critical Threats: INTERPOL focused on neutralizing phishing infrastructure, malware distribution, and sophisticated financial cyber-fraud.
A comprehensive multilateral law enforcement operation within the Middle East and North Africa (MENA) region resulted in 201 arrests and the seizure of 53 servers. This 13-nation deployment targeted systemic phishing operations, malware propagation, and fraudulent cyber schemes. During the operational phase, authorities identified 382 suspects and 3,867 victims.
Coordinated Interventions and Operational Highlights
Law enforcement agencies executed precision interventions based on shared tactical intelligence, an INTERPOL press release said.
In Jordan, authorities disrupted a financial fraud operation, identifying 15 personnel as victims of human trafficking coerced into illicit activities, “who had been recruited under the false promise of employment from their home countries in Asia” and had their passports confiscated. Two primary facilitators were apprehended.
In Qatar, investigators identified and secured compromised endpoints of unsuspecting owners utilized as vectors for threat propagation. In Oman, authorities decommissioned a private server that contained sensitive information but suffered critical vulnerabilities, including malware infection.
Algerian law enforcement dismantled a Phishing-as-a-Service (PhaaS) platform, seizing a server, a computer, a mobile phone, and hard drives containing phishing software and scripts. One suspect was detained.
Concurrently, Moroccan authorities seized computers, smartphones, and external hard drives containing exfiltrated banking data and phishing software, and initiated judicial proceedings against three individuals.
Multilateral and Private Sector Partnerships
Coordinated by INTERPOL, Operation Ramz was conducted from October 2025 through 28 February 2026. The operation was supported by the Qatar Ministry of Interior and partially funded by the EU and the Council of Europe under the CyberSouth+ project.
To facilitate these investigations, INTERPOL disseminated approximately 8,000 intelligence packages and critical data points among participating member states. Participating jurisdictions included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE.
To monitor these illicit activities and identify malicious infrastructure, INTERPOL collaborated with private sector entities, including Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru, and TrendAI.
In April, the suspected head of a cyberfraud syndicate was extradited from Cambodia to China and the U.S. sanctioned Cambodian senator Kok An and 28 affiliates over a global scam network. The suspected cyber scam kingpin and head of Prince Group was arrested in Cambodia and extradited to China in January.
Cambodian fraud compound operators Legend Innovation and crypto Marketplace Xinbi were sanctioned by the U.K. in late March. In September 2025, the U.S. Treasury cracked down on Southeast Asian cyber scams exploiting forced labor.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular