INTERPOL Just Arrested 201 Cybercriminals Across 13 MENA Countries — Operation Ramz Is the First of Its Kind
INTERPOL announced Operation Ramz, the first regional cybercrime enforcement operation focused on MENA. Active October 2025 – February 28, 2026: 201 arrests, 53 servers seized, 3,867 victims across 13 participating countries. Kaspersky and Group-IB contributed.
INTERPOL on May 18, 2026 announced Operation Ramz, the first regional cybercrime enforcement operation focused on the Middle East and North Africa. Active October 2025 through February 28, 2026, the operation produced 201 arrests, 382 additional identified suspects, 53 servers seized, and 3,867 confirmed victims across 13 participating countries. Kaspersky and Group-IB supplied private-sector threat intelligence. Operation Ramz is the latest in a sustained law-enforcement cycle that includes Operation Endgame 2.0, Operation PowerOFF, Operation Eastwood, and Operation Cronos.
LYON, FRANCE — On May 18, 2026, INTERPOL announced the results of Operation Ramz — the first regional cybercrime enforcement operation focused on the Middle East and North Africa (MENA) region. Active from October 2025 through February 28, 2026, the operation produced 201 arrests, identified 382 additional suspects, seized 53 servers, identified 3,867 victims, and disseminated roughly 8,000 pieces of cyber threat intelligence across participating agencies. Thirteen countries participated: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates. The crime types targeted were phishing-as-a-service, malware, and cyber scams. Algeria dismantled a phishing-as-a-service site during the operation; Morocco seized computers, phones, and external drives containing banking data and phishing software. Kaspersky and Group-IB provided private-sector threat intelligence. Operation Ramz joins a sustained regional and global enforcement cycle that includes Operation Endgame, Operation PowerOFF, Operation Eastwood, Operation Cronos, and the May 19-22, 2026 Operation Endgame 2.0 takedown coordinated through Eurojust.
What Happened
The Operation
INTERPOL coordinated Operation Ramz across thirteen MENA-region national police agencies between October 2025 and February 28, 2026. The five-month active window targeted three crime types: phishing-as-a-service infrastructure, malware operators, and cyber scam networks — the high-volume, financially-motivated end of the regional cybercrime stack. The operational architecture mirrors prior INTERPOL regional efforts elsewhere in the world: national agencies conducted enforcement actions on their own territory while INTERPOL's general secretariat in Lyon coordinated cross-border intelligence-sharing, infrastructure takedowns, and arrests targeting suspects whose operations spanned multiple participating countries.
The Country-Level Actions
Algeria dismantled a phishing-as-a-service site — the kind of subscription-style criminal infrastructure that lets non-technical actors rent ready-to-deploy phishing kits and credential-harvesting backends. Morocco seized computers, phones, and external drives containing stolen banking data and phishing software, suggesting at least one full operator's-kit recovery. The remaining eleven participating countries — Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Oman, Palestine, Qatar, Tunisia, and the UAE — contributed arrests, intelligence, and case work that INTERPOL has not publicly broken out at country level. The 382 additional identified suspects suggest substantial follow-on enforcement is queued against actors who were not arrested in the active window.
The Private-Sector Contribution
Kaspersky and Group-IB both publicly confirmed their threat-intelligence contributions to Operation Ramz. Kaspersky published its own statement noting that "over 200 arrests" resulted from intelligence-sharing under the operation. Group-IB issued a parallel press release confirming its role as a contributing private-sector partner. The private-sector contribution pattern — vendors supplying tactical threat intelligence to a multinational law-enforcement consortium — is the same one that powered Operation Endgame, Operation Eastwood, and the broader 2025-2026 takedown cycle.
Scope and Impact
Operation Ramz is the first regional cybercrime operation of its kind focused on MENA, but it lands inside the most aggressive law-enforcement disruption tempo in the history of transnational cybercrime enforcement. The current cycle runs from Operation Endgame's 2024 dismantling of Bumblebee, Lactrodectus, Qakbot, DanaBot, HijackLoader, Trickbot, and WarmCookie infrastructure through Operation Cronos against LockBit, Operation Eastwood against NoName057(16), and into May 19-22, 2026's Operation Endgame 2.0 takedown coordinated through Eurojust. The combined regional and global disruption volume is now larger than at any prior point in the cybercrime enforcement timeline.
For the MENA region specifically, Operation Ramz extends a pattern CyberSignal has tracked across the cycle. Operation PowerOFF dismantled 53 booter domains and unmasked 75,000 DDoS-for-hire users on the global stage. The Scattered Spider arrests culminated in Tyler Buchanan's guilty plea and follow-on arrest of Peter Stokes in Finland on April 10, 2026. Operation Ramz adds a regional layer that the prior operations did not cover — phishing-as-a-service and cyber scams operating out of MENA jurisdictions where extradition pathways have historically been less developed than in Europe and North America.
Response and Attribution
INTERPOL has not publicly named the criminal groups or marketplaces dismantled in Operation Ramz beyond the categorical descriptions: phishing-as-a-service, malware, and cyber scams. The 53 seized servers and 3,867 identified victims provide the operational scale, but specific operator names, marketplace handles, and infrastructure providers remain undisclosed in the public announcement. Each of the thirteen participating national agencies retains discretion to release country-level details on the cases it prosecuted; expect downstream disclosures from Algerian, Moroccan, and UAE authorities as case work moves into the courts.
The May 18 announcement also surfaced inside the same 24-hour window as Operation Endgame 2.0's May 19-22 takedown coordinated through Eurojust. That timing is not accidental. INTERPOL, Europol, and Eurojust have moved to a tempo where major regional and global disruption operations announce in clusters, maximizing the headline-cycle pressure on cybercrime operators across jurisdictions simultaneously. Operators reading this week's news see Operation Ramz close MENA enforcement gaps on the same calendar day that Operation Endgame 2.0 closes a separate set of European malware-infrastructure gaps.
The CyberSignal Analysis
Signal 01 — Regional Cybercrime Operations Now Cover Jurisdictions That Used to Be Safe Havens
The MENA region historically presented a less aggressive enforcement environment for cybercrime operators than Europe or North America, in part because regional law-enforcement cooperation infrastructure had not been built out to the same level. Operation Ramz changes the operating-assumption math: the 201 arrests, 53 server seizures, and ~8,000 shared intelligence items demonstrate that regional cooperation infrastructure now exists and is producing results comparable to prior operations against Eastern European and East Asian operators. The implication for threat models is straightforward — operators who relied on MENA-region jurisdictional safety should expect parity-of-enforcement going forward. The Operation PowerOFF takedown demonstrated the same pattern against the DDoS-for-hire economy globally; Operation Ramz extends the pattern regionally.
Signal 02 — Private-Sector Threat Intelligence Is Now a Structural Input
Kaspersky and Group-IB both publicly confirmed their contributions to Operation Ramz. That is the third major 2025-2026 takedown to involve named private-sector threat-intelligence vendors, following the broader Operation Endgame and Operation Eastwood patterns. The operational implication is that private-sector telemetry — the IOCs, malware family attributions, victim-identification data, and infrastructure mapping that vendors collect through their commercial products — has become a structural input to multinational law-enforcement operations, not an optional add-on. CISOs in scope of victim notification under Operation Ramz should expect their threat-intelligence vendors to be the channel through which INTERPOL communicates downstream. The same dynamic shaped the Scattered Spider enforcement track and the broader 2025-2026 takedown cycle.
Signal 03 — The Tempo Is the Story
Operation Ramz on May 18, Operation Endgame 2.0 on May 19-22, and a cycle of follow-on regional operations expected through Q3 2026 represent the most sustained law-enforcement tempo against transnational cybercrime in the history of the discipline. The combined effect compresses the operational window for cybercrime operators: infrastructure that took weeks to stand up now has a shorter mean time to seizure, and operators who managed to evade arrest in one region face higher probability of arrest in another. Defenders should expect the tempo to continue and should plan threat-intelligence consumption around the cycle — disruption operations announce in clusters, and the IOCs and operator attributions that come out of them are most operationally useful in the 30 days immediately following announcement.
