Sniper Dz rebranded four times, spun out 20,000+ attack domains, and harvested 45,000+ victim records before INTERPOL's cross border takedown reached its Algerian administrator.
For ten years, Sniper Dz sold turnkey phishing kits to anyone willing to pay, rebranding each time law enforcement closed in. The INTERPOL-coordinated takedown disclosed on June 11, 2026 is less a closing chapter than a case study in how a phishing-as-a-service economy outran defenders while staying in business.
Group-IB, the Singapore-headquartered threat intelligence firm that analyzed the platform and helped drive the announcement, called Sniper Dz a "sophisticated criminal platform" that had evolved over a decade into a fully serviced phishing-as-a-service operation. According to Group-IB's research as reported by The Hacker News, Sniper Dz had been active since at least 2015, harvesting more than 45,000 victim records across its lifespan and spinning out 20,000+ unique attack domains.
The platform's longevity was built on a familiar playbook executed with unusual discipline. Sniper Dz rebranded four times, cycling through Joker Dz, Storm Dz, and most recently Spam Dz, each time shedding a name that had drawn too much attention. It offered ready-made phishing kits, hosting infrastructure, and operational support to subscribers, with 80 phishing templates in five languages (Arabic, English, French, Spanish, and Hebrew) impersonating more than 30 major global brands including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam.
The PhaaS service ran a Telegram channel with more than 7,300 subscribers, documented by Palo Alto Networks Unit 42 in October 2024, that served as both storefront and customer-support channel. Subscribers could buy access to phishing kits targeting regional banks, telecoms, and government services, then deploy them against victims with minimal technical skill. Group-IB's research, as summarized by The Hacker News, characterizes this as a fully serviced criminal marketplace rather than a single tool.
What made Sniper Dz distinctive in the MENA region was its social engineering layer. Operators used fake accounts impersonating well-known political personalities to push phishing links as promotional offers or free internet access, exploiting trust in public figures to lower victim defenses. This regionally tailored approach is the most durable element of the Sniper Dz story: cheap, ready-made tooling plus locally resonant impersonation outran defenders for years.
Operation Ramz, the INTERPOL-led effort that ran from October 2025 through February 2026 across 13 Middle East and North Africa countries, resulted in 201 arrests. The platform's primary developer and administrator, identified as "Guedz," was arrested by the Algerian National Police. Authorities took down the PhaaS website used to offer services to other cybercriminals and seized hardware containing phishing software and scripts.
The framing of the operation as a decisive win deserves caution. The 20,000+ domains Sniper Dz spawned are largely still in the wild, the Telegram channel remained active as of late 2024, and the 45,000+ victim records the platform collected represent a decade of harvested credentials, financial data, and personal information that is no longer in a single criminal's hands but already circulating in secondary markets. Cross-border disruption arrived only after the damage was done.
What Sniper Dz ultimately exposes is the structural durability of the phishing-as-a-service economy. A single administrator, a rebranding strategy, and a regionally tailored social engineering playbook were enough to run a decade-long operation that harvested tens of thousands of victims before a single arrest was made. Operation Ramz demonstrates that international coordination can dismantle the operator. It does not yet demonstrate that the model itself can be disrupted before the next Sniper Dz stands up.