INTERPOL has coordinated the first cybercrime crackdown of its kind in the Middle East and North Africa (MENA), resulting in 201 arrests and the identification of an additional 382 suspects.
The initiative involved efforts by 13 countries in the region between October 2025 and February 2026, with the aim of investigating and neutralizing malicious infrastructure, arresting the criminals behind these activities, and preventing future harm.
“The operation focuses on neutralizing phishing and malware threats, as well as combating cyber scams, which cause serious harm to the region,” Interpol said in a statement. “In addition to the arrests, 3,867 victims were identified, and 53 servers were seized.”
operation, codename RamazIts servers were seized after Algerian authorities disrupted a phishing-as-a-service (PhaaS), along with a computer, a mobile phone, and hard drives containing phishing software and scripts. A suspect was arrested in connection with the scheme.
Elsewhere, Moroccan authorities seized computers, smartphones and external hard drives that contained banking data and software used for phishing operations.
Authorities also identified a legitimate server located in a private residence in Oman that contained sensitive information. The server suffered from several serious security vulnerabilities and was infected with malware. Interpol said action was taken to disable the server.
In a similar case, compromised devices were discovered in Qatar, whose owners themselves were unaware that their systems were being used to spread “malicious threats”. Although the exact nature of these threats was not disclosed, affected machines were said to have been secured, and device owners were alerted to take appropriate security measures.
Finally, Jordanian police identified a computer that was used to run financial fraud scams, where unsuspecting users were duped into investing their assets in a legitimate trading platform, only to have it shut down after the funds were deposited.
Interpol said, “The raids uncovered 15 individuals who perpetrated the scam, but investigators determined that they were victims of human trafficking, recruited from their home countries in Asia under false promises of employment.”
“Upon arrival in Jordan, their passports were confiscated, and they were forced to participate in the plan. Two individuals were arrested on suspicion of carrying out the operation.”
Group-IB, which was one of the private sector companies participating in the effort, said it provided “actionable intelligence” on more than 5,000 compromised accounts, including accounts linked to government infrastructure, and shared details about phishing infrastructure operating across the region.
“Cyber crime is borderless, and the only effective response is one that is equally borderless,” said Joe Sander, CEO of Team Cymru. “Operation RAMZ is exactly that kind of response, with law enforcement and trusted private sector partners gathering intelligence, moving in together, and destroying the infrastructure that criminals depend on.”
Countries participating in Operation Ramaz included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates.
series of law enforcement actions
The arrests come against the backdrop of law enforcement actions announced by Germany and the US Department of Justice (DOJ) in recent weeks –
- Tomasz Szabo (aka Plank, Jonah and Cypher), 27, of Romania, was sentenced to 48 months in prison for his role as the mastermind of an online swatting ring that targeted more than 75 public officials, four religious institutions and several journalists.
- Ove Martin Andresen (aka Speedstepper), the suspected chief administrator of the illegal darknet marketplace Dream Market, has been indicted on money laundering charges following his arrest in Germany last week.
- The closure of the relaunched version of the CrimeNetwork marketplace (it was originally scheduled to be dismantled in December 2024) and the arrest of a suspected administrator, a 35-year-old German citizen, on the Spanish island of Majorca.
- Sohaib Akhtar, 34, of Alexandria, Virginia, was convicted by a federal jury of deleting 96 databases that store U.S. government information and stealing the plaintext password of a person who submitted a complaint on the Equal Employment Opportunity Commission’s public portal.
- Kingdom Markets’ Slovakian administrator, Alan Bill, 33, of Bratislava, was sentenced to 200 months (over 16 years) in prison earlier this January after pleading guilty to conspiracy to distribute controlled substances, illegal drugs, stolen financial data, counterfeit documents and malware.
- David Jose Gomez Segarra, 25, of Venezuela, was sentenced to pay a total of $294,820 in restitution in connection with ATM jackpotting incidents between October 5 and November 11, 2024 in the US states of New York, Massachusetts and Illinois.
- Marlon Ferro (aka GothFerrari), 20, of Santa Ana, California, was sentenced to 78 months in prison in connection with a social engineering conspiracy that stole more than $250 million in cryptocurrency from victims across the United States between late 2023 and early 2025.
“it [social engineering] “The scheme blended sophisticated online fraud with old-fashioned theft to extort millions of dollars of digital assets from victims,” said U.S. Attorney Jeanine Ferris Pirro.
“The operators of the conspiracy generally targeted individuals holding significant cryptocurrency holdings. Its members induced victims to surrender access to their digital wallets through elaborate fraudulent schemes. When victims stored their cryptocurrencies in hardware wallets, physical devices that cannot be remotely accessed, the enterprise turned to Faroese.”
