INTERPOL-led Operation Ramz disrupts MENA cybercrime networks with 201 arrests and infrastructure takedowns

2 unique sources, 2 articles

Summary

INTERPOL coordinated a regional cybercrime disruption campaign across 13 MENA countries from October 2025 to February 2026, resulting in 201 arrests, identification of 382 additional suspects, and the seizure of 53 servers. The operation, codenamed Ramz, targeted phishing and malware threats, cyber scams, and phishing-as-a-service (PhaaS) operations, identifying 3,867 victims. Technical actions included server seizures (e.g., Algerian PhaaS infrastructure), takedowns of compromised devices in Oman and Qatar, and dismantling of a human trafficking-linked financial fraud ring in Jordan. Private sector contributions—including Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, and TrendAI—provided actionable intelligence on over 5,000 compromised accounts, including government-associated entities. Operation Ramz is the third major cybercrime crackdown led by INTERPOL in 2026, following March’s Operation Synergia III, which sinkholed 45,000 malicious IP addresses and resulted in 94 arrests across 72 countries.

Timeline

  1. 18.05.2026 20:21 · 2 articles

    INTERPOL’s Operation Ramz dismantles MENA cybercrime networks with 201 arrests and 53 server seizures

    The operation’s scope is reiterated: 201 arrests and 382 suspect identifications across 13 MENA countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the U.A.E.), with 53 servers seized and 3,867 victims identified. Authorities dismantled a phishing-as-a-service platform in Algeria, secured compromised devices in Qatar, disabled a malware-infected server in Oman, and dismantled a human trafficking-linked investment scam in Jordan. INTERPOL collaborated with private cybersecurity firms—Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI—to neutralize phishing, malware, and fraud networks.

Similar Happenings

Disruption of 53 DDoS-for-hire domains in global law enforcement operation

Law enforcement agencies from 21 countries executed Operation PowerOff, a coordinated takedown of 53 domains linked to DDoS-for-hire services. Four individuals were arrested, 25 search warrants executed, and over 3 million criminal user accounts exposed. Infrastructure was seized to disrupt ongoing attacks, and 75,000 warning communications were sent to identified service users. The operation expanded into a prevention phase targeting remaining online resources, including the removal of over 100 URLs from search engines and warnings placed on cryptocurrency and blockchain platforms used by cybercriminals. Europol described DDoS-for-hire services as one of the most accessible cybercrime trends, enabling low-skilled attackers to execute disruptive attacks.

Takedown of fraudulent CSAM distribution scam platform "Alice with Violence CP"

An international Europol-backed law enforcement operation, codenamed Operation Alice, dismantled the fraudulent dark web platform "Alice with Violence CP" and over 373,000 related sites advertising fake child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS) offerings. The takedown ran from March 9–19, 2026, and involved 22 countries, including Germany, the US, UK, and Ukraine. The platform, operated by a 35-year-old Chinese national, defrauded approximately 10,000 victims into paying between €17 and €215 in Bitcoin, extracting an estimated €345,000 ($396,000) over a six-year period (2019–2025). The scam advertised both non-existent CSAM packages and CaaS services such as stolen card data and access to compromised systems. Authorities identified 440 users in 23 countries, with over 100 under investigation for attempted CSAM purchase. Seized infrastructure included 287 servers, 105 of which were located in Germany. An international arrest warrant has been issued for the operator. The operation follows other major takedowns, including the 2024 Kidflix CSAM platform disruption, highlighting continued cross-border efforts against online child exploitation.

SocksEscort Proxy Network Disrupted by Law Enforcement

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.

International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. 
Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy. Additionally, Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.