INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests  Ravie Lakshmanan  May 18, 2026 Cybercrime / Malware INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these activities, and prevent future losses. "The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region," INTERPOL said in a statement. "In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized." The operation, codenamed Ramz , led to the disruption of a phishing-as-a-service (PhaaS) by Algerian authorities after its server was confiscated, along with a computer, a mobile phone, and hard drives containing phishing software and scripts. One suspect was arrested in connection with the scheme. Elsewhere, Moroccan officials seized computers, smartphones, and external hard drives that contained banking data and software used for phishing operations. Authorities also identified a legitimate server located in a private residence in Oman that contained sensitive information. The server suffered from multiple critical security vulnerabilities and was infected by malware. INTERPOL said actions were taken to disable the server. In a similar case, compromised devices were discovered in Qatar, with the owners themselves unaware that their systems were being used to spread "malicious threats." Although the exact nature of these threats was not disclosed, the impacted machines are said to have been secured, and the device owners were alerted to take appropriate security measures. Lastly, Jordanian police identified a computer that was used to run financial fraud scams, where unsuspecting users were tricked into investing their assets in a seemingly legitimate trading platform, only for it to shut down once the funds were deposited. "A raid uncovered 15 individuals carrying out the scams, but investigators determined that they were victims of human trafficking who had been recruited under the false promise of employment from their home countries in Asia," INTERPOL said. "Upon arrival in Jordan, their passports were confiscated, and they were forced or coerced into participating in the scheme. Two individuals suspected of orchestrating the operation were arrested." Group-IB, which was one of the private sector companies that participated in the effort, said it provided "actionable intelligence" on over 5,000 compromised accounts, including those that were associated with government infrastructure, and shared details about active phishing infrastructure across the region. "Cybercrime is borderless, and the only effective response is one that is equally borderless," Joe Sander, CEO of Team Cymru, said . "Operation Ramz is exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on." Countries that took part in Operation Ramz included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the U.A.E. Series of Law Enforcement Actions The arrests come against the backdrop of a string of law enforcement actions announced by Germany and the U.S. Department of Justice (DoJ) in recent weeks - The sentencing of Thomasz Szabo (aka Plank, Jonah, and Cypher), 27, of Romania, to 48 months in prison for his role as the mastermind of an online swatting ring that targeted more than 75 public officials, four religious institutions, and multiple journalists. The indictment of Owe Martin Andresen (aka Speedstepper), the suspected main administrator of the illicit darknet marketplace, Dream Market, on money laundering charges, following his arrest in Germany last week. The shutdown of a relaunched version of the Crimenetwork marketplace (it was originally dismantled in December 2024) and the arrest of a suspected administrator, a 35-year-old German citizen, on the Spanish island of Mallorca. The conviction of Sohaib Akhter , 34, of Alexandria, Virginia, by a federal jury for deleting 96 databases storing U.S. government information and stealing the plaintext password of an individual who had submitted a complaint to the Equal Employment Opportunity Commission's Public Portal. The sentencing of Alan Bill , 33, of Bratislava, the Slovakian Administrator of Kingdom Market , to 200 months (more than 16 years) in prison after he pleaded guilty to a conspiracy to distribute controlled substances, illegal drugs, stolen financial data, counterfeit documents, and malware earlier this January. The sentencing of David Jose Gomez Cegarra , 25, of Venezuela to time served and pay restitution totaling $294,820 in connection with a string of ATM jackpotting incidents between October 5 and November 11, 2024, in the U.S. states of New York, Massachusetts, and Illinois. The sentencing of Marlon Ferro (aka GothFerrari), 20, of Santa Ana, California, to 78 months in prison in connection with a social engineering conspiracy that stole more than $250 million in cryptocurrency from victims across the U.S. between late 2023 and early 2025. "This [social engineering] scheme blended sophisticated online fraud with old-fashioned burglary to drain victims of millions of dollars in digital assets," U.S. Attorney Jeanine Ferris Pirro stated. "The conspiracy's operatives typically targeted individuals believed to hold significant cryptocurrency holdings. Its members manipulated victims into surrendering access to their digital wallets through elaborate fraud schemes. When victims stored their cryptocurrency in hardware wallets, physical devices that cannot be accessed remotely, the enterprise turned to Ferro." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  cryptocurrency , Cybercrime , cybersecurity , darknet , data theft , Fraud , Interpol , law enforcement , Malware , Phishing ⚡ Top Stories This Week Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday [Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI and More Packages cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation ⭐ Featured Resources [Webinar] Learn How to Handle Critical SOC Alerts With AI Support Identify Internal Attack Surfaces More Efficiently With a Free Assessment [eBook] Get the 3-Number SOC Diagnostic to Reduce Queue Risk [Guide] Stop Email Fraud Before It Turns Into Ransomware Damage