Operation Ramz dismantled phishing infrastructure, shut down a PhaaS platform, and uncovered a human trafficking operation forcing Asian workers to run fraud schemes in Jordan.
INTERPOL's Operation Ramz has resulted in more than 200 arrests and the identification of 382 additional suspects across 13 countries in the Middle East and North Africa. According to BleepingComputer, law enforcement seized 53 servers used for phishing, malware distribution, and online fraud, with nearly 8,000 intelligence packages retrieved from the equipment confirming at least 3,867 victims. Countries involved include Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE. INTERPOL collaborated with Kaspersky, Group-IB, The Shadowserver Foundation, Team Cymru, and TrendAI to track the malicious infrastructure.
The operation produced several notable individual actions across the region. In Algeria, a phishing-as-a-service platform was shut down and one suspect was arrested. In Jordan, a human trafficking operation was dismantled in which 15 workers from Asia had been trafficked and forced to run fraud schemes, with two organizers arrested. In Qatar, compromised devices that were being used to spread malware without their owners' knowledge were secured. In Oman, a malware-infected server containing sensitive data was disabled. In Morocco, devices and banking data linked to phishing operations were seized, and multiple suspects were placed under judicial investigation. The operation targeted the intersection of cybercrime infrastructure and organized crime, with human trafficking emerging as a documented element of the region's fraud ecosystem.
INTERPOL stated in its official announcement that "the operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region," describing Operation Ramz as the first coordinated cybercrime operation of its kind in the MENA region. INTERPOL noted that the intelligence packages recovered from seized servers were central to confirming the victim count and building the evidentiary basis for the arrests and ongoing judicial investigations.
Operation Ramz is the third major INTERPOL cybercrime operation concluded in 2026. According to BleepingComputer, Operation Synergia III in March 2026 resulted in the sinkholing of 45,000 malicious IP addresses, the seizure of 212 devices and servers, and the arrest of 94 individuals across 72 countries for phishing, hacking, fraud, and malware distribution. Before that, Operation Red Card 2.0 in February 2026 resulted in 651 arrests across 16 African countries, targeting investment fraud, mobile money scams, and fake loan apps linked to more than $45 million in losses. The three operations together represent sustained international enforcement momentum against phishing and fraud infrastructure through the first half of 2026.
The Jordan component of Operation Ramz, where trafficked workers were forced to operate fraud schemes, shows a documented convergence between organized crime and cybercrime infrastructure that has expanded across Southeast Asia and the Middle East. Fraud operations of this scale require a sustained phishing and social engineering infrastructure to generate contact with victims, and payment-processing systems to collect proceeds. The seizure of 53 servers tied directly to that infrastructure removes active capability, while the arrests address the human operational layer. For healthcare organizations with staff or vendors operating in the region, the documented presence of phishing-as-a-service infrastructure in Algeria and credential-targeting operations across multiple countries reinforces that the global phishing supply chain, which feeds attacks across sectors including healthcare, continues to operate at scale. The FBI's 2025 Internet Crime Report recorded total US cybercrime losses of $20.9 billion for the year, with phishing the most reported complaint category, pointing to the same criminal infrastructure that operations like Ramz are working to dismantle internationally.
A PhaaS platform provides ready-made phishing tools, templates, and infrastructure to criminal operators who pay for access rather than building their own capability. Shutting down the platform removes a multiplier that was enabling multiple operators to run campaigns simultaneously, rather than just stopping a single attacker.
Fraud operations at scale require workers to manage victim communications, process payments, and handle the volume of outreach required to make schemes profitable. Organized crime groups have exploited trafficked workers as a labor pool for these operations, with documented cases across Southeast Asia and now the Middle East, where individuals are coerced into running fraud schemes against their will.
Server seizures provide evidence for prosecutions, cut off active campaigns running at the time of the operation, and allow intelligence teams to extract victim lists, attacker communications, and infrastructure maps to support further investigations. The nearly 8,000 intelligence packages recovered from Operation Ramz's 53 servers show the evidentiary value of infrastructure seizure beyond the immediate operational disruption.
Private firms maintain real-time threat intelligence on malicious infrastructure, including IP addresses, domain registrations, malware command-and-control servers, and phishing kit distributions. That intelligence cannot be gathered at the same speed or scale by law enforcement alone, making private sector collaboration a standard component of large-scale cybercrime operations.
The pace of coordinated international cybercrime operations in 2026 shows both increased political will for cross-border enforcement and improved intelligence sharing frameworks developed through prior operations. Each operation builds on the infrastructure intelligence and suspect networks identified in the previous one, compressing the timeline between detection and enforcement action.