SniperDz: Decade-Long Free Phishing-as-a-Service Platform Dismantled in INTERPOL's Operation Ramz

Group-IB, INTERPOL and Algerian police dismantled SniperDz, a decade-old free phishing-as-a-service platform: 80 templates, 30+ brands, 20,000+ domains, 45,000+ stolen records. Its developer Guedz was arrested after exposing his own admin panel in recruitment videos.

Group-IB, INTERPOL, and the Algerian National Police have dismantled SniperDz, a phishing-as-a-service (PhaaS) platform that operated for nearly a decade and enabled credential theft at global scale. The platform's developer and administrator was arrested, and hardware containing phishing software and scripts was seized.

SniperDz cycled through the aliases JokerDz, StormDz, and SpamDz, and had been serving cybercriminals since at least 2015. It operated through Telegram and Facebook channels, offering 80 ready-made phishing templates targeting customers of more than 30 major global brands, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam. Over its lifetime, Group-IB linked more than 20,000 unique domains to the ecosystem.

SniperDz phishing-as-a-service summary: active 2015–2025, free to use, 80 templates, 30+ brands impersonated, 20,000+ domains, 45,000+ victim records; operator Guedz caught via reused WHOIS data and exposed admin panels in his own tutorial videos; Operation Ramz resulted in 201 arrests and 53 servers seized across 13 countries.

The free PhaaS model

What distinguished SniperDz from commercial competitors was its price: free. Where subscription-based PhaaS operations charge for access, SniperDz offered its infrastructure at no cost, sharply lowering the barrier to entry for would-be fraudsters and helping the kit proliferate.

Free access did not mean no revenue. The operators monetised the ecosystem indirectly: harvesting stolen credentials, and redirecting victims who did not surrender credentials into carrier billing fraud, premium SMS subscriptions, browser notification abuse, and other affiliate-driven scams. The platform also included an automated tool that converted standard HTML phishing pages into Blogger-compatible format, so that campaigns could be hosted on a legitimate, widely trusted platform, inherit that domain's reputation, and slip past URL filters that would block a freshly registered domain.

Once a victim landed on a phishing page, SniperDz captured credentials, the timestamp of compromise, the victim's IP address, and their country of origin. Templates were maintained in Arabic, English, and French as the operational core, with Spanish and Hebrew editions retired in 2019 and 2020 as the operators refocused their targeting.

How the operator was caught

The investigation began in 2024, when Group-IB traced a wave of MENA-region social engineering attacks — fake Facebook accounts impersonating prominent politicians, offering gifts and free internet access. The phishing sites behind them shared consistent technical signatures.

The operators' own mistakes unravelled the operation. Across every rebrand and domain migration they reused identical registrant data in WHOIS records, and Group-IB had archived those records over the years, letting investigators reconstruct the ownership history and link the domains to a single owner. The archive is the important part: since 2018 most registrars redact live WHOIS contact fields, so a registrant pivot like this depends on historical snapshots captured before redaction or on records the operator left exposed. The decisive break came from the developer's own content: he produced video tutorials to recruit and train affiliates, and in several recordings inadvertently exposed historical administrator email addresses and live admin panels in the background. Each instructional video became a piece of attribution evidence. Correlating the technical indicators with years of social media and Telegram activity resolved the picture into a single operator using the alias Guedz.
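The registrant pivot described above, as an added example that is not part of Group-IB's tooling or of the original report: archived WHOIS snapshots are clustered by shared, non-redacted selectors (email and phone), transitively, so that a domain sharing an email with one domain and a phone with another lands in the same cluster. Privacy-proxy placeholders are deliberately excluded as selectors, otherwise every domain behind the same proxy would collapse into one meaningless cluster. All domains, dates and contact values below are constructed and are not real SniperDz data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class WhoisSnapshot:
    """One archived WHOIS record: the domain, the date the snapshot was taken, and the
    registrant contact fields as the registrar displayed them at that time."""
    domain: str
    captured: str  # ISO date of the archived snapshot
    email: str
    name: str
    phone: str


# Placeholders that privacy services and post-2018 redaction put in contact fields.
PRIVACY_MARKERS = ("redacted", "privacy", "whoisguard", "proxy", "not disclosed")

# Registrant name is deliberately NOT a pivot field: names collide far too often to
# link infrastructure on their own. Email and phone are the strong selectors here.
PIVOT_FIELDS = ("email", "phone")


def is_redacted(value: str) -> bool:
    """A proxy placeholder is shared by thousands of unrelated domains; pivoting on it
    would glue them all together, so such values never become selectors."""
    v = value.strip().lower()
    return not v or any(marker in v for marker in PRIVACY_MARKERS)


def normalise(value: str) -> str:
    """Fold case and drop separators so '+213 555 0100' and '+213-555-0100' match."""
    return "".join(ch for ch in value.lower() if ch.isalnum() or ch in "@.")


def selectors(snap: WhoisSnapshot) -> List[str]:
    """Selector keys for one snapshot, e.g. 'email:ops@example.net', 'phone:2135550100'."""
    return [f"{field}:{normalise(getattr(snap, field))}"
            for field in PIVOT_FIELDS if not is_redacted(getattr(snap, field))]


class UnionFind:
    """Disjoint sets over domain and selector nodes; a shared selector merges domains."""
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_domains(snapshots: Iterable[WhoisSnapshot]) -> List[Dict[str, List[str]]]:
    """Group domains that share at least one non-redacted registrant selector, transitively."""
    uf = UnionFind()
    for snap in snapshots:
        node = "domain:" + snap.domain
        uf.find(node)  # register even if every field is redacted (stays a singleton)
        for sel in selectors(snap):
            uf.union(node, sel)
    groups: Dict[str, Dict[str, set]] = defaultdict(lambda: {"domains": set(), "selectors": set()})
    for node in list(uf.parent):
        kind, _, value = node.partition(":")
        bucket = groups[uf.find(node)]
        (bucket["domains"].add(value) if kind == "domain" else bucket["selectors"].add(node))
    return [{"domains": sorted(g["domains"]), "selectors": sorted(g["selectors"])}
            for g in groups.values()]


def cluster_of(clusters: List[Dict[str, List[str]]], domain: str) -> Dict[str, List[str]]:
    return next(c for c in clusters if domain in c["domains"])


def ownership_timeline(cluster: Dict[str, List[str]],
                       snapshots: Iterable[WhoisSnapshot]) -> List[Tuple[str, str]]:
    """Earliest archived sighting of each domain in the cluster, oldest first: the
    rebrand sequence an investigator would reconstruct from the archive."""
    first: Dict[str, str] = {}
    for snap in snapshots:
        if snap.domain in cluster["domains"]:
            first[snap.domain] = min(first.get(snap.domain, snap.captured), snap.captured)
    return sorted((captured, domain) for domain, captured in first.items())


# Constructed records for illustration; none are real SniperDz domains or contacts.
RECORDS = [
    WhoisSnapshot("jokerdz-example.com", "2016-03-01", "Guedz.Ops@Example.net", "G Ops", "+213 555 0100"),
    WhoisSnapshot("stormdz-example.org", "2018-07-11", "guedz.ops@example.net", "G. Ops", "+213-555-0100"),
    WhoisSnapshot("spamdz-example.net", "2020-02-14", "newbox@example.net", "G Ops", "+213 555 0100"),
    WhoisSnapshot("sniperdz-example.com", "2022-05-05", "newbox@example.net", "REDACTED FOR PRIVACY", "REDACTED FOR PRIVACY"),
    # Two unrelated domains behind the same privacy proxy: they must NOT link to anything.
    WhoisSnapshot("unrelated-example.com", "2019-01-01", "REDACTED FOR PRIVACY", "Privacy service", ""),
    WhoisSnapshot("other-example.com", "2019-06-01", "REDACTED FOR PRIVACY", "Privacy service", ""),
]

if __name__ == "__main__":
    clusters = cluster_domains(RECORDS)
    main_cluster = cluster_of(clusters, "sniperdz-example.com")
    print("linked domains:", main_cluster["domains"])
    print("shared selectors:", main_cluster["selectors"])
    print("rebrand timeline:", ownership_timeline(main_cluster, RECORDS))
```

The four rebrand domains chain together through two different emails and one phone number even though the newest record is almost fully redacted, while the two proxy-protected domains stay as singletons. In practice the weak link is the quality of the archive: once a field is redacted in every snapshot you hold, that domain can only be tied in through other evidence, which is exactly why the videos mattered in this case.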

Operation Ramz

The takedown was part of Operation Ramz, INTERPOL's first cybercrime operation of its scale across the MENA region, which ran from October 2025 to February 2026. Group-IB delivered intelligence on more than 5,000 compromised regional accounts, including some tied to government infrastructure, that fed directly into the operation. SniperDz's infrastructure was disrupted, the developer Guedz was arrested by Algerian authorities, and the broader operation resulted in 201 arrests, 382 suspects identified, 3,867 victims recorded, and 53 servers seized across 13 countries. In Jordan, investigators also uncovered an investment-scam facility staffed by 15 human-trafficking victims whose travel documents had been confiscated and who were forced to run scam scripts.

Why It Matters

SniperDz is a clean illustration of two trends defenders should track. First, free PhaaS lowers the barrier to credential-theft campaigns dramatically: a single free kit fuelled 20,000+ malicious domains across 30+ brands, so the attack surface facing any given organisation's customers is far wider than subscription-based economics would suggest. Second, the case underscores that brand impersonation at this scale is sustained, multilingual, and infrastructure-light. Organisations whose brands are common phishing lures (financial services, social platforms, streaming) should assume their login pages are being cloned continuously and invest accordingly: takedown monitoring for lookalike and brand-bearing domains, customer-facing anti-phishing education, and phishing-resistant authentication (FIDO2/passkeys), whose credentials are bound to the genuine origin and cannot be replayed from a cloned page, so a harvested password on its own no longer grants access.
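One way to put the takedown-monitoring recommendation into practice, as an added example that is not from the article or from any vendor's product: a small scorer that runs over a feed of newly observed domains and flags those that reuse, homoglyph, embed, or typosquat a monitored brand, with a reason string a takedown analyst can act on. The brand list (three brands the article names), the allowlist of their own domains, the confusables table and the domain feed are all constructed for illustration; a production scanner would use the Public Suffix List for the registrable-domain check and the full Unicode confusables data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Brands the article names as SniperDz lures; in practice this is your own brand list.
BRANDS = ["paypal", "netflix", "steam"]
# Illustrative allowlist of the brands' own registrable domains (never flag these).
ALLOWLIST = {"paypal.com", "netflix.com", "steampowered.com"}

# Digit-for-letter and Cyrillic confusables seen in lookalike domains. Small and
# illustrative; production code should use the full Unicode confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


@dataclass
class Match:
    domain: str
    brand: str
    reason: str


def fold(label: str) -> str:
    """Map a DNS label to the brand-looking string a victim would actually read."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap.
    The swap is what catches transposition typosquats such as 'netfilx'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def fuzzy_limit(brand: str) -> int:
    """Short brands ('steam') sit too close to ordinary words for fuzzy matching, so
    they match only exactly or embedded; longer brands tolerate one or two edits."""
    if len(brand) < 6:
        return 0
    return 1 if len(brand) <= 8 else 2


def registrable(domain: str) -> str:
    """Naive registrable domain (last two labels). Assumption for this example; use the
    Public Suffix List in production so 'brand.co.uk' style names are handled."""
    return ".".join(domain.split(".")[-2:])


def assess(domain: str, brands=BRANDS, allowlist=ALLOWLIST) -> Optional[Match]:
    """Return a Match explaining why the domain impersonates a brand, or None."""
    domain = domain.lower().strip(".")
    if registrable(domain) in allowlist:
        return None
    labels = domain.split(".")
    for label in labels[:-1]:  # every label except the TLD: brands hide in subdomains too
        folded = fold(label)
        for brand in brands:
            if folded == brand:
                if label != brand:
                    return Match(domain, brand, f"lookalike label '{label}' folds to brand")
                return Match(domain, brand, f"brand used verbatim as label '{label}' outside its own domain")
            if brand in folded:
                return Match(domain, brand, f"brand embedded in label '{label}'")
            limit = fuzzy_limit(brand)
            for token in re.split(r"[-_]", folded):
                dist = edit_distance(token, brand)
                if limit and 0 < dist <= limit:
                    return Match(domain, brand, f"typosquat token '{token}' (edit distance {dist})")
    return None


def scan(feed: List[str]) -> List[Match]:
    return [m for m in (assess(d) for d in feed) if m is not None]


# Constructed feed of "newly observed" domains for illustration; not real phishing domains.
SAMPLE_FEED = [
    "paypal.com",                   # the brand itself: allowlisted
    "example.com",                  # unrelated
    "palpay-shop.com",              # two edits from 'paypal': over the limit, not flagged
    "paypa1.com",                   # digit-for-letter homoglyph
    "paypal.com.secure-login.top",  # brand as a subdomain of an unrelated domain
    "netfilx-account.com",          # transposition typosquat
    "p\u0430ypal-login.com",        # Cyrillic 'a' inside a brand-plus-'login' label
]

if __name__ == "__main__":
    for m in scan(SAMPLE_FEED):
        print(f"{m.domain:32} {m.brand:8} {m.reason}")
```

The per-brand fuzzy limit is the knob that controls noise: allowing one edit on a five-letter brand would flag every domain containing "stream" as a Steam typosquat, which is why short brands are restricted to exact and embedded matches. Hits from a scanner like this are candidates for takedown and for blocking in the mail gateway, not proof of phishing on their own; a screenshot or page-content check against the real login page is the usual next step before filing a takedown.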
