DMZ//THREAT INTEL
TLP:WHITE | THREAT ACTOR DOSSIER // SNIPERDZ-PHAAS | FIRST SEEN: 2015

SNIPERDZ

ALSO KNOWN AS: Joker Dz, Storm Dz, Spam Dz, SniperDZ
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Algeria (operator 'Guedz' arrested by Algerian National Police)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ● DORMANT
FIRST OBSERVED: 2015
TECHNICAL: 52/100
RESOURCES: 52/100
PERSISTENCE: 55/100
STEALTH: 47/100
IMPACT: 61/100

SniperDz was one of the world's longest-running phishing-as-a-service (PhaaS) platforms, active since 2015 and serving cybercriminals in at least 13 MENA-region countries. Operating via Telegram and Facebook, it offered 80 ready-made phishing templates in five languages targeting 30+ global brands including PayPal, Facebook, Netflix, and Steam across 20,000+ domains. The platform and its primary developer-administrator were taken down by INTERPOL Operation Ramz (announced June 11, 2026), resulting in 201 arrests across MENA and the seizure of 53 servers.

Credential theft and phishing-as-a-service monetization; platform offered free phishing kits to lower-barrier cybercriminals globally

Phishing-as-a-service platform, 80+ credential-harvesting templates, browser notification abuse (VAPID key exploitation), traffic-brokering, multi-language lure pages (Arabic/English/French/Spanish/Hebrew), Telegram/Facebook distribution channels

CONSUMER FINANCE USERS
SOCIAL MEDIA USERS
STREAMING PLATFORM USERS
PAYMENT PLATFORM USERS
GENERAL PUBLIC

20,000+ unique phishing domains impersonating 30 major brands; PhaaS web panel (seized); Telegram and Facebook operator channels; 53 servers seized by INTERPOL Operation Ramz; platform rebranded over years as Joker Dz, Storm Dz, Spam Dz

FILE DATE: JUN 2026
Operation Ramz Takedown: Administrator Arrested
On June 11, 2026, Group-IB disclosed its role in INTERPOL-led Operation Ramz: the SniperDz platform was dismantled and its primary developer 'Guedz' arrested in Algeria after a 9-year operation that collected 45,000+ victim records.
FILE DATE: OCT 2025
Operation Ramz Multi-Country Sweep (MENA)
INTERPOL coordinated with 13 MENA-region countries from October 2025 to February ██████████████████ 201 arrests, 382 suspects identified, 53 servers seized, and 3,867 victims documented.