Operation Ramz, coordinated by Interpol from October 2025 to 28 February 2026, also identified 382 further suspects and 3,867 victims, marking the first cyber operation of this scale led by the international police body across the MENA region. Investigators seized 53 servers and shared nearly 8,000 pieces of operational intelligence among participating countries to support raids, infrastructure takedowns and follow-up inquiries.
Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia and the UAE took part in the operation. The action focused on cyber scams that used fraudulent investment platforms, phishing kits, compromised devices and malware command-and-control infrastructure to steal credentials, banking data and funds from individuals and businesses.
The scale of the arrests underlines the growing pressure on law enforcement agencies to move beyond national investigations, as cybercriminal networks increasingly distribute their infrastructure, victims and money flows across borders. MENA economies have expanded digital banking, e-commerce, online government services and fintech adoption at speed, creating new opportunities for fraud groups that exploit weak authentication, public-facing systems and low awareness among users.
Jordanian investigators traced a computer used to run financial fraud schemes linked to a fake trading platform. Victims were persuaded to deposit money through a website that appeared legitimate before the platform shut down. A raid found 15 people carrying out scam-related activity, while two suspected organisers were arrested.
Algerian authorities dismantled a website offering phishing-as-a-service tools. Investigators located and seized a server, a computer, a mobile phone and hard drives containing phishing scripts and software. One suspect was taken into custody.
Morocco reported the seizure of computers, smartphones and external hard drives containing banking data and phishing software. Three people are undergoing judicial procedures, while other suspects remain under investigation. Oman identified and disabled a server located in a private residence that contained sensitive information, while Qatar used operational intelligence to detect compromised devices, secure affected systems and notify device owners.
The operation drew on cooperation between police agencies and private-sector cyber intelligence firms, including Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru and TrendAI. Their role centred on mapping malicious infrastructure, identifying command-and-control servers, tracing compromised systems and converting technical indicators into leads usable by investigators.
Neal Jetton, Interpol’s director of cybercrime, said the operation demonstrated the effectiveness of global collaboration against criminals who exploit the borderless nature of digital networks. His remarks reflected a broader shift in policing, where enforcement now depends as much on data-sharing and infrastructure disruption as on arrests.
Cybercrime specialists view the MENA region as increasingly exposed to blended fraud operations that combine social engineering, credential theft, malware deployment and laundering through digital payments. Fraudulent trading platforms, fake banking portals, romance scams, business email compromise and data-stealing malware remain persistent threats because they can be adapted quickly across languages, jurisdictions and payment channels.
Operation Ramz also highlights the operational difficulty of separating perpetrators from victims in cyber scam compounds and loosely organised fraud rings. Some individuals found inside scam operations may have been coerced, recruited through false job offers or trafficked into online fraud work, a pattern seen in other regions where cybercrime and human exploitation overlap.
For governments, the arrests offer evidence that cross-border operations can disrupt criminal infrastructure. They also expose gaps that remain in digital forensics capacity, judicial coordination, asset recovery and victim support. Arrest figures alone rarely show whether stolen funds can be recovered, whether higher-level organisers are reached, or whether dismantled servers are quickly replaced by mirror systems elsewhere.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
