Interpol Dismantles SniperDz Phishing-as-a-Service Platform After Decade-Long Operation
Interpol, with support from Group-IB, has dismantled the SniperDz phishing-as-a-service platform, which operated for over a decade enabling large-scale credential theft.
Interpol, in coordination with cybersecurity firm Group-IB, has successfully dismantled the SniperDz phishing-as-a-service (PaaS) platform, a long-running operation that provided cybercriminals with ready-made phishing kits and infrastructure for over a decade. The takedown marks a significant blow to the cybercrime ecosystem, disrupting a service that enabled thousands of credential-theft attacks worldwide.
SniperDz operated as a PaaS model, offering subscribers a comprehensive suite of tools including phishing page templates, hosting, and automated credential harvesting. Group-IB's investigation revealed the full scale of the operation, documenting how the platform evolved over ten years to evade detection and support a wide range of targeted attacks against financial institutions, email providers, and social media platforms.
The platform's longevity was due in part to its sophisticated infrastructure, which included multiple layers of obfuscation and rapid domain rotation to avoid takedown attempts. Group-IB researchers noted that SniperDz provided detailed analytics to its customers, showing real-time statistics on successful credential theft, which helped attackers refine their campaigns.
Interpol's Cybercrime Directorate led the operation, working with law enforcement agencies across multiple countries to seize servers and domain names associated with the platform. The coordinated action involved digital forensics and intelligence sharing facilitated by Interpol's Global Cybercrime Programme, which has been increasingly focused on dismantling cybercrime-as-a-service operations.
The takedown of SniperDz is part of a broader trend of law enforcement targeting the infrastructure that enables cybercrime. Similar operations have recently shut down other PaaS platforms, such as the LabHost service in 2024, which was used for credential theft and financial fraud. These actions aim to disrupt the supply chain of cybercrime by removing the tools that lower the barrier to entry for less technically skilled attackers.
Group-IB's detailed report on SniperDz highlights the importance of private-sector threat intelligence in supporting law enforcement operations. The company's researchers spent months mapping the platform's infrastructure, identifying its operators, and gathering evidence that was crucial for the takedown. This collaboration between public and private sectors is increasingly seen as essential for combating sophisticated cybercrime networks.
While the takedown is a major success, experts caution that the cybercrime ecosystem is resilient. The operators behind SniperDz may attempt to rebuild or migrate to other platforms, and the stolen credentials already harvested remain a threat. Users are advised to enable multi-factor authentication and monitor accounts for suspicious activity.
The dismantling of SniperDz sends a clear message that law enforcement is capable of targeting even long-running cybercrime services. As Group-IB noted, the operation demonstrates that no matter how sophisticated or well-established a criminal platform is, international cooperation can bring it down.