INTERPOL has concluded Operation Ramz, a four-month coordinated enforcement campaign across 13 Middle East and North Africa countries that resulted in 201 arrests, the identification of 382 additional suspects, the seizure of 53 servers, and the confirmation of 3,867 victims of phishing, malware, and online financial fraud. Announced on May 18, 2026, it is the first operation of its kind INTERPOL has run in the MENA region.
The operation ran across Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates. Each participating country contributed national cybercrime units coordinating through INTERPOL's command structure.
What Operation Ramz Targeted
Operation Ramz focused on three categories of cybercrime that have been accelerating across the MENA region: phishing-as-a-service infrastructure, malware distribution networks, and large-scale online financial fraud.
The 53 seized servers were not peripheral; they were operational infrastructure actively running phishing kits, hosting malware payloads, and processing stolen credentials. Investigators identified nearly 4,000 confirmed victims, a number that reflects direct losses traceable to the seized infrastructure rather than total exposure estimates.
Team Cymru provided network intelligence support to the operation, contributing threat data that helped investigators map criminal infrastructure across borders before arrests were made.
Jordan: Fraud Operation Concealing Human Trafficking
The most significant finding came out of Jordan, where investigators probing financial fraud scams uncovered 15 individuals who were victims of human trafficking.
The trafficking pattern follows a template seen increasingly in Southeast Asian scam compounds: victims were recruited in their home countries across Asia through fraudulent job advertisements promising legitimate employment. After arriving in Jordan, their passports were confiscated. They were then forced or coerced into working the fraud operation: making calls, managing fake accounts, and running scam workflows under threat of violence.
The discovery is a reminder that cybercrime operations at scale are not run exclusively by willing participants. Scam infrastructure in MENA, like the compounds documented in Myanmar and Cambodia, increasingly relies on coerced labor to staff its operations.
Authorities have not publicly identified the nationalities of the 15 trafficking victims or specified the charges filed against the individuals who ran the scheme.
The Scale of MENA Cybercrime
Operation Ramz is INTERPOL's first coordinated cybercrime enforcement action specifically targeting the MENA region, which reflects how the threat landscape has shifted. For years, INTERPOL's major cybercrime operations (Operation Synergia, Operation Africa Cyber Surge, Operation First Light) focused on Southeast Asia, West Africa, and Eastern Europe. A dedicated MENA campaign signals that organized cybercrime infrastructure has matured significantly in the region.
The 13-country footprint also highlights the cross-border nature of the operations being dismantled. Phishing infrastructure, fraud proceeds, and trafficking networks don't respect national borders. Investigators had to coordinate across Arabic-speaking nations with different legal systems, law enforcement capacities, and intelligence-sharing protocols to execute simultaneous takedowns.
201 Arrests, 382 More Suspects Identified
The gap between 201 arrests and 382 identified suspects is significant. It means investigators have built cases against nearly 600 individuals total, but roughly 40% have not yet been taken into custody. That second cohort likely represents suspects across jurisdictions where extradition or domestic prosecution is complicated, individuals still under surveillance, or cases where evidence collection is ongoing.
INTERPOL's typical post-operation pattern is to continue referring identified suspects to national authorities for prosecution. Arrests announced in the months following an operation are common as countries work through their domestic legal processes.
What Happens to the Infrastructure
The 53 seized servers remove active capability. Phishing kits that were live on those servers are offline. Malware payloads being served from those hosts are no longer reachable. But cybercrime infrastructure is rebuilt quickly: the groups running these schemes have demonstrated the ability to stand up replacement infrastructure within days of seizures.
The more durable impact of Operation Ramz is the intelligence generated: suspect networks identified, financial flows traced, and cross-border relationships between criminal groups mapped. That database of knowledge shapes the next operation more than the server count does.
INTERPOL has not announced a follow-on operation timeline for the MENA region.
Sources:
- The Hacker News: INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests
- BleepingComputer: INTERPOL Operation Ramz Seizes 53 Malware, Phishing Servers
- Help Net Security: 201 Arrested in INTERPOL Disruption of Phishing and Fraud Networks
- CyberScoop: Interpol Leads Cybercrime Crackdown Across 13 Countries in Middle East, North Africa
- Yahoo Finance: Team Cymru Supports INTERPOL's Operation Ramz



