Operation Ramz seizes 53 servers linked to cyber scams and malware threats
6 min. read 
Published on
INTERPOL’s Operation Ramz has led to 201 arrests, the seizure of 53 servers, and the identification of 3,867 cybercrime victims across the Middle East and North Africa.
The operation ran from October 2025 to February 28, 2026, with 13 countries taking part. Investigators also identified 382 additional suspects and shared nearly 8,000 pieces of intelligence to support national investigations.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The crackdown focused on phishing infrastructure, malware activity, compromised devices, and online scams that caused financial and personal harm across the region.
What Operation Ramz uncovered
Operation Ramz targeted the infrastructure that helps cybercriminal groups scale attacks. That included servers used for phishing kits, malware delivery, stolen data handling, and scam operations.
INTERPOL said the action marked the first cyber operation of this scale coordinated by the agency in the MENA region. The goal was not only to arrest suspects, but also to prevent future losses by disrupting the systems that supported criminal campaigns.
The operation brought together law enforcement agencies, private cybersecurity companies, and regional partners. That mix helped investigators connect technical evidence with real-world suspects and victims.
| Operation Ramz result | Confirmed figure |
|---|---|
| Arrests | 201 |
| Additional suspects identified | 382 |
| Victims identified | 3,867 |
| Servers seized | 53 |
| Countries involved | 13 |
| Intelligence items shared | Nearly 8,000 |
Thirteen countries took part
The participating countries were Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates.
The operation focused on cybercrime networks operating across borders. That mattered because phishing kits, malware servers, stolen credentials, and scam platforms can support victims and suspects in several countries at once.
By sharing intelligence during the operation, investigators could move faster against servers, fraud schemes, and people behind the campaigns.
Qatar found compromised devices spreading malware
In Qatar, intelligence from Operation Ramz helped investigators identify compromised devices that were being used to spread malicious threats.
The device owners were not treated as suspects in that part of the operation. Investigators found that they were victims themselves and did not know their systems had been hijacked.
The affected devices were secured, and owners were notified so they could take preventive action. This part of the operation highlights how attackers can turn ordinary users’ devices into malware distribution points without their knowledge.
Jordan uncovered a scam operation tied to trafficking
Jordanian police traced a computer used in financial fraud scams. Victims were pushed toward what looked like a legitimate trading platform, which shut down after deposits were made.
A raid uncovered 15 people carrying out the scam. Investigators later determined that those individuals were victims of human trafficking who had been recruited from Asian countries under false job promises.
Their passports were confiscated after arrival, and they were forced or coerced into taking part in the fraud. Two people suspected of organizing the operation were arrested.
Oman, Algeria, and Morocco also disrupted cybercrime activity
In Oman, investigators found a server in a private residence that contained sensitive information. The owner had legitimate access to the information, but the server had serious security weaknesses and a malware infection.
Authorities disabled the server to prevent further harm. In Algeria, investigators dismantled a phishing-as-a-service website, seized a server, computer, mobile phone, and hard drives, and arrested one suspect.
Moroccan authorities seized computers, smartphones, and external hard drives containing banking data and phishing tools. Three people are undergoing judicial procedures, while others remain under investigation.
| Country | Operational highlight |
|---|---|
| Qatar | Compromised devices used to spread malware were secured and owners were notified |
| Jordan | Financial fraud scheme disrupted, with trafficking victims identified and two organizers arrested |
| Oman | Vulnerable malware-infected server containing sensitive information was disabled |
| Algeria | Phishing-as-a-service platform dismantled and one suspect arrested |
| Morocco | Devices containing banking data and phishing tools were seized |
Private-sector intelligence helped investigators
INTERPOL worked with Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru, and TrendAI during the operation.
These partners helped track malicious infrastructure, identify servers, map phishing activity, and provide intelligence that law enforcement could use in investigations.
Group-IB said it supplied intelligence on more than 5,000 compromised accounts, including accounts linked to government infrastructure. It also mapped phishing infrastructure and threat actor clusters operating across the region.
- Group-IB contributed intelligence on compromised accounts and phishing infrastructure.
- Kaspersky provided threat intelligence on malware distribution and command-and-control infrastructure.
- Shadowserver Foundation, Team Cymru, and TrendAI supported infrastructure tracking and analysis.
- INTERPOL coordinated intelligence sharing among participating countries.
Why the server seizures matter
The seizure of 53 servers disrupted the technical backbone of multiple cybercrime activities. Servers can host phishing pages, store stolen data, distribute malware, relay traffic, or support scam platforms.
Taking down infrastructure does not always end a cybercrime group. Attackers can rebuild. However, seizures can interrupt campaigns, expose evidence, identify victims, and give investigators leads on operators and customers.
That is why Operation Ramz focused on both arrests and infrastructure disruption. The two parts work together: seized servers can reveal suspects, and arrested suspects can reveal more infrastructure.
Cybercrime and organized crime are overlapping
The Jordan case shows how online scams can connect with human trafficking and forced labor. This pattern has appeared in other scam compounds and fraud operations around the world.
In these schemes, some people seen operating scams may also be victims. They may have been recruited through fake jobs, transported across borders, and forced into cyber-enabled fraud.
That overlap makes cybercrime investigations more complex. Law enforcement must identify organizers and technical operators while also protecting people forced to participate.
What users and organizations can learn from Operation Ramz
Operation Ramz shows that phishing, malware, and investment fraud continue to depend on both technical infrastructure and social engineering.
Users should treat trading platforms, investment offers, and urgent account messages with caution. Organizations should watch for compromised devices being used as part of larger criminal infrastructure.
Security teams should also monitor for unusual outbound traffic, suspicious login attempts, phishing kits, and unauthorized remote access tools.
- Verify investment platforms before sending money.
- Use multi-factor authentication on email, banking, and business accounts.
- Keep routers, phones, laptops, and servers patched.
- Monitor devices for unknown remote access tools or malware alerts.
- Report suspected phishing pages and scam platforms quickly.
- Do not assume only computers can be abused by attackers.
Why Operation Ramz matters for MENA cybercrime enforcement
Operation Ramz signals a more coordinated regional response to cybercrime across the Middle East and North Africa.
The operation combined victim identification, intelligence sharing, arrests, server seizures, and public-private cooperation. That approach matters because modern cybercrime networks move across countries faster than traditional investigations can move alone.
Future operations will likely build on this model. The pressure on phishing-as-a-service platforms, malware operators, and scam networks will depend on fast intelligence sharing and continued cooperation between law enforcement and cybersecurity companies.
FAQ
Operation Ramz is an INTERPOL-coordinated cybercrime crackdown across the Middle East and North Africa. It targeted phishing infrastructure, malware threats, compromised devices, and online scam operations.
INTERPOL said Operation Ramz led to 201 arrests. Investigators also identified 382 additional suspects and 3,867 victims.
Authorities seized 53 servers linked to cybercriminal activity, including phishing, malware, and scam infrastructure.
The participating countries were Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages