Most phishing investigations chase a single campaign. The takedown of SniperDz went after the factory. Group-IB, working with INTERPOL and the Algerian National Police, has dismantled a phishing-as-a-service (PhaaS) platform that operated for roughly nine years and handed thousands of low-skill criminals everything they needed to steal credentials at scale — and arrested the man it identifies as the platform’s developer and administrator.

What SniperDz sold

SniperDz had been active since at least 2015 and ran the full phishing-as-a-service model: ready-made phishing kits, infrastructure hosting, and operational support for anyone willing to use it. The scale Group-IB documented is what makes this more than a routine bust:

  • 20,000+ unique phishing domains tied to the ecosystem
  • 80 phishing templates in five languages — Arabic, English, French, Spanish, and Hebrew
  • 30+ impersonated brands, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam, spanning financial services, gaming, telecom, email, and social media
  • a Telegram channel with 7,300+ subscribers and a Facebook account with 19,000+ followers used to coordinate and recruit

Group-IB ties at least 45,000 victim records to the platform’s own statistics — a figure dating back to around 2016 and almost certainly a floor rather than a lifetime total. Phishing-as-a-service platforms exist precisely to remove the technical barrier to entry, turning credential theft into a point-and-click subscription. A nine-year run with templates in five languages is what that industrialization looks like.

The arrest

Group-IB’s investigation centered on an actor using the handle “Guedz,” identified as the primary developer and administrator of SniperDz. He was arrested in Algeria by the Algerian National Police. The specific charges have not been disclosed, and his real name has not been released — the kind of gaps that usually close as a prosecution proceeds.

The identification was the hard part. Group-IB describes a multi-year effort — infrastructure analysis, open-source intelligence, and digital-footprint correlation stretching back to 2015 — to link the handle to a real person and map his activity across platforms. That intelligence was handed to INTERPOL, which fed the Algerian enforcement action.

Part of Operation Ramz

The SniperDz takedown was one component of Operation Ramz, INTERPOL’s broad MENA-region campaign that ran from October 2025 to February 2026 across 13 countries. We covered the operation’s headline results — 201 arrests across the MENA region — when they were announced. One framing note worth keeping straight: those 201 arrests are the total for the entire 13-country operation, not the SniperDz case alone. The June news cycle around SniperDz was driven by Group-IB’s public disclosure of its role, not by a fresh arrest.

Why takedowns like this matter — and where they fall short

Dismantling a PhaaS platform removes a force multiplier. Every domain SniperDz spun up and every template it shipped lowered the cost of phishing for criminals who could not have built the infrastructure themselves. Taking out the developer and the platform is a genuinely higher-leverage win than arresting any single phisher who rented it.

It also fits a broader pattern of platform-focused enforcement that has defined the past year — from the takedown of the Tycoon 2FA phishing platform to Operation Secure’s dismantling of a global infostealer empire. Going after the suppliers rather than the customers is the right instinct.

The caveat is the one that always applies: the market reconstitutes. Phishing-as-a-service is a category, not a company, and the displaced customers of SniperDz will find another storefront. The value of this case is partly the disruption and partly the precedent — that a handle can be tied to a person across a decade of operational security, and that the person can be reached.
