INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests

INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests

INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests

Ravie LakshmananMay 18, 2026Cybercrime / Malware

INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these activities, and prevent future losses. It took place between October 2025 and February 2026. "The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region," INTERPOL said in a statement. "In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized." The operation, codenamed Ramz, led to the disruption of a phishing-as-a-service (PhaaS) by Algerian authorities after its server was confiscated, along with a computer, a mobile phone, and hard drives containing phishing software and scripts. One suspect was arrested in connection with the scheme. Elsewhere, Moroccan officials seized computers, smartphones, and external hard drives that contained banking data and software used for phishing operations.

Authorities also identified a legitimate server located in a private residence in Oman that contained sensitive information. The server suffered from multiple critical security vulnerabilities and was infected by malware. INTERPOL said actions were taken to disable the server.

In a similar case, compromised devices were discovered in Qatar, with the owners themselves unaware that their systems were being used to spread "malicious threats." Although the exact nature of these threats was not disclosed, the impacted machines are said to have been secured, and the device owners were alerted to take appropriate security measures.

Lastly, Jordanian police identified a computer that was used to run financial fraud scams, where unsuspecting users were tricked into investing their assets in a seemingly legitimate trading platform, only for it to shut down once the funds were deposited. "A raid uncovered 15 individuals carrying out the scams, but investigators determined that they were victims of human trafficking who had been recruited under the false promise of employment from their home countries in Asia," INTERPOL said. "Upon arrival in Jordan, their passports were confiscated, and they were forced or coerced into participating in the scheme. Two individuals suspected of orchestrating the operation were arrested."

Group-IB, which was one of the private sector companies that participated in the effort, said it provided "actionable intelligence" on over 5,000 compromised accounts, including those that were associated with government infrastructure, and shared details about active phishing infrastructure across the region. "Cybercrime is borderless, and the only effective response is one that is equally borderless," Joe Sander, CEO of Team Cymru, said. "Operation Ramz is exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on."

Countries that took part in Operation Ramz included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the U.A.E. Series of Law Enforcement Actions The arrests come against the backdrop of a string of law enforcement actions announced by Germany and the U.S. Department of Justice (DoJ) in recent weeks -

The sentencing of Thomasz Szabo (aka Plank, Jonah, and Cypher), 27, of Romania, to 48 months in prison for his role as the mastermind of an online swatting ring that targeted more than 75 public officials, four religious institutions, and multiple journalists. The indictment of Owe Martin Andresen (aka Speedstepper), the suspected main administrator of the illicit darknet marketplace, Dream Market, on money laundering charges, following his arrest in Germany last week. The shutdown of a relaunched version of the Crimenetwork marketplace (it was originally dismantled in December 2024) and the arrest of a suspected administrator, a 35-year-old German citizen, on the Spanish island of Mallorca. The conviction of Sohaib Akhter, 34, of Alexandria, Virginia, by a federal jury for deleting 96 databases storing U.S. government information and stealing the plaintext password of an individual who had submitted a complaint to the Equal Employment Opportunity Commission's Public Portal. The sentencing of Alan Bill, 33, of Bratislava, the Slovakian Administrator of Kingdom Market, to 200 months (more than 16 years) in prison after he pleaded guilty to a conspiracy to distribute controlled substances, illegal drugs, stolen financial data, counterfeit documents, and malware earlier this January. The sentencing of David Jose Gomez Cegarra, 25, of Venezuela to time served and pay restitution totaling $294,820 in connection with a string of ATM jackpotting incidents between October 5 and November 11, 2024, in the U.S. states of New York, Massachusetts, and Illinois. The arrest of a 21-year-old from Dordrecht for their involvement in a tool called JokerOTP that's used by cybercriminals to intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes for hijacking online accounts by impersonating trusted organizations such as banks, cryptocurrency exchanges, and other major service providers. The sentencing of Marlon Ferro (aka GothFerrari), 20, of Santa Ana, California, to 78 months in prison in connection with a social engineering conspiracy that stole more than $250 million in cryptocurrency from victims across the U.S. between late 2023 and early 2025.

"This [social engineering] scheme blended sophisticated online fraud with old-fashioned burglary to drain victims of millions of dollars in digital assets," U.S. Attorney Jeanine Ferris Pirro stated. "The conspiracy's operatives typically targeted individuals believed to hold significant cryptocurrency holdings. Its members manipulated victims into surrendering access to their digital wallets through elaborate fraud schemes. When victims stored their cryptocurrency in hardware wallets, physical devices that cannot be accessed remotely, the enterprise turned to Ferro."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SHARE    

Tweet Share Share Share

SHARE  cryptocurrency, Cybercrime, cybersecurity, darknet, data theft, Fraud, Interpol, law enforcement, Malware, Phishing

⚡ Top Stories This Week

Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories

Microsoft Warns of Two Actively Exploited Defender Vulnerabilities

9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros

GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension

GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems

NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE

Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective

The New Phishing Click: How OAuth Consent Bypasses MFA

Developer Workstations Are Now Part of the Software Supply Chain

⭐ Featured Resources

Claim ANY.RUN Anniversary Offer for Faster Malware Analysis

[Guide] Learn to Detect AI Typosquatting Risks in Your Domain

[Guide] Get Key Identity Security Insights From 2026 Snapshot

Discover How to Navigate the Era of Constant Cyber Exposure

Cybersecurity Webinars

With HD Moore (Creator of Metasploit) Learn How to Detect Threats Beyond Zero Day Attacks Learn practical strategies to detect and defend against cyber threats beyond zero-day vulnerabilities. Register

Tired of False Positives? Validate Automated Pentesting Results Before Acting Learn how to validate automated pentesting results for accurate security decisions. Register

⚡ Latest News

Cybersecurity Resources

AI Is Reshaping Every Attack Surface. Train for What's NextSANSFIRE 2026 in D.C. brings 50+ courses, AI-focused sessions, and NetWars. July 13–18. Save $500. Your VPN is Helping Attackers Move as Fast as AIAI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk ManagementLead the future of cybersecurity risk management with an online Master’s from Georgetown. ​

Expert Insights Articles Videos

You Can't Patch Your Way Out of This One

May 25, 2026 Read ➝

How to Test Ransomware Recovery Without Reinfecting Your Environment

May 25, 2026 Read ➝

The Scam Before the Game: CTM360 Reveals Threats Targeting FIFA World Cup 2026 Fans

May 25, 2026 Read ➝

7 Signs Your Organization Is Vulnerable to Business Email Compromise

May 18, 2026 Read ➝

Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.

Email