INTERPOL's Operation Ramz Arrests Over 200, Seizes 53 Malware and Phishing Servers Across Middle East and North Africa
INTERPOL's Operation Ramz has led to the arrest of over 200 individuals and the seizure of 53 servers used for phishing, malware, and online fraud across 13 countries in the Middle East and North Africa.
INTERPOL announced on Monday the results of Operation Ramz, a coordinated law enforcement action targeting cybercrime across the Middle East and North Africa. The operation resulted in the arrest of more than 200 individuals and the seizure of 53 servers used for phishing, malware distribution, and online fraud. Authorities also identified another 382 suspects across 13 countries, including Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates.
According to INTERPOL, the operation neutralized phishing and malware threats while tackling cyber scams that inflict severe financial and social costs on the region. From nearly 8,000 intelligence packages retrieved from the seized equipment, law enforcement confirmed at least 3,867 victims. The operation was supported by private cybersecurity firms including Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI.
Among the specific actions taken during Operation Ramz, authorities in Qatar secured compromised devices that were unknowingly being used to spread malware. In Jordan, an investment scam operation was dismantled, where 15 trafficked workers from Asia had been forced to run fraud schemes; two organizers were arrested. In Oman, a vulnerable malware-infected server containing sensitive data was disabled. In Algeria, a phishing-as-a-service platform was shut down and one suspect was arrested. In Morocco, devices and banking data and devices linked to phishing operations were seized, with multiple suspects now under judicial investigation.
This is the third major cybercrime crackdown operation INTERPOL has concluded in 2026. In March, the agency announced Operation Synergia III, which resulted in sinkholing 45,000 malicious IP addresses, seizing 212 devices and servers, and arresting 94 individuals across 72 countries for phishing, hacking, fraud, and malware distribution. In February, INTERPOL announced the arrest of 651 suspects across 16 African countries as part of Operation Red Card 2.0, targeting investment fraud, mobile money scams, and fake loan apps linked to more than $45 million in losses.
The operation highlights the growing sophistication of cybercriminal infrastructure in the MENA region, particularly the rise of phishing-as-a-service platforms that lower the barrier to entry for attackers. By dismantling these platforms and seizing the underlying servers, INTERPOL and its partners aim to disrupt the supply chain of cybercrime. The collaboration with private sector threat intelligence firms was critical to tracking the malicious infrastructure and identifying the scale of the operation.
INTERPOL's continued focus on coordinated, multi-country operations reflects the transnational nature of modern cybercrime. As criminal groups increasingly operate across borders, law enforcement agencies are adapting by pooling resources and intelligence. Operation Ramz demonstrates that even when individual arrests are made, the seizure of infrastructure can have a lasting impact on the ecosystem that enables phishing, malware, and fraud at scale.
SecurityWeek's report adds granular details from the operation, including the takedown of a phishing-as-a-service website in Algeria, the rescue of 15 human trafficking victims forced to run financial scams in Jordan, and the identification of 3,867 victims across the 13 participating countries. Private-sector partners Group-IB, Kaspersky, Shadowserver, Team Cymru, and TrendAI provided intelligence support, while authorities in Oman disabled a server infected with malware and riddled with critical vulnerabilities.