Operation Ramz Dismantles MENA Cybercrime Infrastructure – 201 Arrests, 382 Suspects Identified
What Happened – INTERPOL coordinated a 13‑country operation (Oct 2025 – Feb 2026) that seized 53 malicious servers, disrupted phishing‑as‑a‑service, malware‑hosting and fraud infrastructures across the Middle East and North Africa, resulting in 201 arrests and the identification of 382 additional suspects.
Why It Matters for TPRM –
- Large‑scale takedowns expose the breadth of supply‑chain‑level cybercrime that can affect any third‑party service provider operating in the region.
- The operation highlights the importance of continuous monitoring of malicious infrastructure that may be leveraged against vendors or their customers.
- Collaboration between law‑enforcement and private‑sector threat intel firms (Group‑IB, Kaspersky, Trend Micro, etc.) demonstrates a model for proactive TPRM threat‑intel sharing.
Who Is Affected – Financial services, telecoms, e‑commerce, government agencies, and any organization that relies on third‑party SaaS or cloud services in the MENA region.
Recommended Actions –
- Review contracts with vendors that have a footprint in the MENA region for cyber‑risk clauses.
- Validate that your suppliers employ threat‑intel feeds and have incident‑response processes for phishing‑as‑a‑service attacks.
- Incorporate the list of seized indicators (domains, IPs, hashes) into your blocklists and continuous monitoring tools.
Technical Notes – The operation targeted phishing‑as‑a‑service platforms, compromised servers used for malware distribution, and fraudulent investment‑scheme infrastructure. No specific CVE was disclosed; the primary vectors were phishing emails, credential harvesting, and malicious server hosting. Source: Security Affairs