
INTERPOL Operation Ramz: 201 Arrests in MENA Cybercrime Sweep

Published on May 19, 2026

Law enforcement agencies across the Middle East and North Africa have concluded INTERPOL Operation Ramz with 201 arrests, the seizure of 53 servers, and the identification of nearly 4,000 victims. The coordinated campaign ran from October 2025 through February 2026 and represents the largest cybercrime enforcement action INTERPOL has coordinated in the MENA region.

The operation targeted phishing infrastructure, malware distribution networks, and online financial fraud schemes operating across 13 countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates. Beyond the 201 arrests, authorities identified a further 382 suspects. Nearly 8,000 intelligence packages were exchanged among participating countries to drive investigations and coordinate raids.

What the Seized Servers Revealed

The 53 servers at the center of INTERPOL Operation Ramz were not passive infrastructure. Investigators recovered close to 8,000 intelligence inputs from the equipment, confirming 3,867 victims directly tied to the criminal operations those servers supported. The machines hosted malicious scripts, managed distribution systems for malware, and facilitated financial fraud schemes targeting individuals and businesses across the region.

Private sector partners played a central role in tracking the malicious infrastructure before law enforcement moved in. Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru, and TrendAI all contributed threat intelligence to the effort. Group-IB's contribution alone covered more than 5,000 compromised accounts, including accounts connected to government infrastructure. Its analysts also mapped two distinct threat actor clusters operating across MENA: one focused on building and distributing phishing resources, the other on selling and distributing stolen data.

Country-Level Findings

The operation produced significant findings at the national level, with each country contributing specific pieces of a wider criminal picture.

In Algeria, authorities dismantled a phishing-as-a-service platform after locating its server. Investigators seized the server alongside computers, mobile phones, and hard drives loaded with phishing software and scripts. One suspect was taken into custody. The PhaaS model — where criminal actors sell ready-to-deploy phishing kits to other criminals — has grown into one of the more efficient delivery mechanisms for credential theft at scale.

Moroccan authorities seized computers, smartphones, and external hard drives containing banking data and phishing tools. Three individuals are currently in judicial proceedings, with others still under investigation.

In Qatar, intelligence gathered through the operation led investigators to devices whose owners had no idea they were being used to spread malicious activity. The affected systems were secured and owners were notified.

Oman presented a more unusual case. Investigators found a server inside a private residence that stored sensitive information. The owner had legitimate access to that data, but the server carried multiple critical vulnerabilities and was actively infected with malware. Authorities disabled it to prevent further harm.

Human Trafficking and Cybercrime

The Jordan findings introduced a dimension that went well beyond typical cybercrime enforcement. Police tracked a fraudulent investment scheme built on a fake trading platform that disappeared once victims had deposited funds. But a raid on the operation revealed something more troubling: 15 of the individuals carrying out the scams were themselves victims of human trafficking.

They had been recruited from countries in Asia under the promise of legitimate employment. On arrival in Jordan, their passports were confiscated and they were coerced into running the fraud. Two suspected organizers were arrested. The intersection of human trafficking and cyber fraud reflects how criminal networks have evolved, with some operations now relying on coerced labor to execute digital schemes.

A Milestone for Regional Cooperation

INTERPOL has described this as the first cybercrime operation of its scale coordinated in the MENA region. The results were enabled by close to 8,000 pieces of shared intelligence flowing across 13 jurisdictions, a level of coordination that would have been difficult without sustained investment in cross-border information sharing.

The operation received support from Qatar's Ministry of Interior and was partially funded by the European Union and the Council of Europe under the CyberSouth+ initiative. That external funding matters. Building the infrastructure for regional cybercrime cooperation requires resources that individual countries often lack, particularly when the criminal networks they are targeting operate seamlessly across multiple legal systems.

Operation Ramz follows a string of INTERPOL-coordinated enforcement actions in recent months. Operation Synergia III resulted in the sinkholing of 45,000 malicious IP addresses and the arrest of 94 individuals across 72 countries. Operation Red Card 2.0 produced 651 arrests across 16 African countries, targeting investment fraud and mobile money scams linked to more than $45 million in losses.

What the Numbers Mean in Practice

The scale of INTERPOL Operation Ramz reflects something the security community has tracked closely: cybercriminal infrastructure in the MENA region has grown in both sophistication and volume. Phishing-as-a-service platforms, large-scale credential theft operations, and organized financial fraud schemes have found fertile ground in a region experiencing rapid digital adoption alongside gaps in regional enforcement coordination.

The 201 arrests and 53 server seizures are significant. But the 382 additional suspects still under investigation, and the nearly 4,000 confirmed victims pulled from those servers, point to the scale of what remains. Disrupting this infrastructure requires the kind of sustained, intelligence-led cooperation that this operation demonstrated. A single raid clears a server. Coordinated international action, backed by private sector intelligence, dismantles the networks behind it.
