BipHoo CA

201 Arrested in Crackdown on Cybercrime in Middle East, North Africa

May 22, 2026  Twila Rosenbaum

A major international law enforcement operation has resulted in the arrest of 201 individuals and the identification of 382 additional suspects across the Middle East and North Africa (MENA) region. Dubbed Operation Ramz, the 13-country effort also saw the seizure of 53 servers and the identification of 3,867 victims, according to Interpol.

Phishing and malware threats were the primary focus of the operation, which ran from October 2025 to February 2026. Participating nations included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates. Authorities received crucial support from private cybersecurity partners such as Group-IB, Kaspersky, the Shadowserver Foundation, Team Cymru, and TrendAI. These organizations helped track illegal activities, identify malicious infrastructure, and analyze digital evidence.

Country-by-Country Breakdown of Actions

In Algeria, law enforcement shut down a phishing-as-a-service (PhaaS) website, arresting one suspect and seizing a server, a computer, a phone, and hard drives containing malicious software and scripts. The takedown disrupted a service that had enabled dozens of other cybercriminals to launch attacks.

Jordanian police located a computer used in financial fraud scams and arrested two individuals for orchestrating the scheme. More disturbingly, investigators discovered that 15 individuals were carrying out the scams, but all were victims of human trafficking. The suspects had promised employment to people from various Asian countries, then confiscated their passports upon arrival in Jordan and forced them to participate in the fraudulent activities.

In Morocco, authorities arrested three individuals and seized computers, phones, and hard drives linked to phishing operations. The suspects were believed to be part of a larger network targeting local banks and email users.

In Oman, authorities disabled a server containing sensitive information that had been affected by multiple critical vulnerabilities and was infected with malware. The server belonged to a government agency, and its compromise could have led to extensive data breaches.

In Qatar, law enforcement identified compromised devices that had been used to spread malware without their owners’ knowledge. The systems were secured, and the owners were notified, preventing further propagation.

Broader Context of Cybercrime in the MENA Region

The Middle East and North Africa have become a growing hotspot for cybercriminal activities, ranging from ransomware attacks on critical infrastructure to large-scale phishing campaigns targeting financial institutions and government agencies. The region’s rapid digital transformation has increased the attack surface, with many organizations struggling to keep pace with evolving threats. Interpol has repeatedly warned that cybercrime networks are becoming more sophisticated and often operate across multiple jurisdictions.

Phishing-as-a-service (PhaaS) platforms have lowered the barrier to entry for aspiring cybercriminals, allowing them to purchase ready-made attack kits and infrastructure. This trend was evident in Operation Ramz, where such platforms were dismantled. Malware distribution, often via compromised websites or malicious email attachments, remains a persistent problem. The human trafficking element uncovered in Jordan adds a grim dimension, showing how cybercrime can intersect with other serious crimes.

Private Sector and International Cooperation

“Cybercrime is borderless, and the only effective response is one that is equally borderless. Operation Ramz is exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on,” said Joe Sander, CEO of Team Cymru, one of the private partners involved.

The partnership between law enforcement agencies and cybersecurity firms enabled real-time sharing of threat intelligence, which proved critical in identifying compromised servers and tracking criminal networks. Group-IB provided threat hunting capabilities, while Kaspersky contributed expertise in malware analysis. The Shadowserver Foundation helped map malicious infrastructure across the region, and TrendAI applied machine learning to detect anomalies in network traffic.

This collaborative model aligns with Interpol’s broader strategy of fostering public-private partnerships to combat transnational crime. Similar operations in other regions have yielded significant results, including the dismantling of botnets and the arrest of key cybercrime figures.

Impact on Victims and the Response

With 3,867 victims identified, the operation likely prevented substantial financial losses and data breaches. Victims included individuals, small businesses, and government entities. The seizures of servers and hardware will allow forensic analysts to gather further evidence and potentially identify additional perpetrators. Authorities in participating countries have committed to ongoing monitoring and follow-up investigations.

The human trafficking victims in Jordan have been offered support and legal assistance, highlighting the importance of a victim-centered approach in cybercrime investigations. The uncovering of forced labor within a scam operation serves as a reminder that cybercrime is not just about code; it often involves real-world exploitation.

Operation Ramz also underscores the critical need for international legal frameworks that allow for swift extradition and evidence sharing. While the operation was a success, experts caution that many cybercriminal networks remain active and are likely to adapt their tactics. Continued investment in cybersecurity capacity building, public awareness campaigns, and cross-border cooperation will be essential to sustain momentum.

The operation stands as a notable achievement in the fight against phishing and malware in the MENA region, demonstrating that coordinated action can disrupt even well-established criminal enterprises. As cyber threats continue to evolve, such operations will remain a vital tool in the global law enforcement arsenal.


Source: SecurityWeek News

