Marrakech – Global cybersecurity firms Kaspersky and Group-IB have disclosed their contributions to Operation Ramz, the first large-scale cybercrime crackdown coordinated by INTERPOL across the Middle East and North Africa region.
The operation, which ran from October 2025 to February 2026, brought together 13 countries and resulted in 201 arrests, with 382 additional suspects identified. Investigators recorded 3,867 victims and seized 53 servers. Nearly 8,000 pieces of data and intelligence were shared among participating nations to launch and support investigations.
Morocco was among the countries that took part. Moroccan authorities confiscated computers, smartphones, and external hard drives containing banking data and software used in phishing operations. Three individuals are currently undergoing judicial procedures, while others remain under investigation.
Kaspersky’s Threat Research Center supplied technical data on region-specific cyber threats and malicious infrastructure involved in the control or distribution of malware, including information on command-and-control servers. The Moscow-founded cybersecurity company was one of five private-sector partners that worked alongside INTERPOL during the operation, together with Group-IB, the Shadowserver Foundation, Team Cymru, and TrendAI.
Yuliya Shlychkova, Kaspersky’s Vice President of Global Public Affairs, cast the operation as evidence of how “the synergy between law enforcement and private sector experts” can “dismantle sophisticated cybercrime networks at scale.” Providing “timely and high-quality” threat intelligence, she added, enables investigators “to act quickly, protect users, and ultimately make the digital ecosystem safer for all.”
Read also: Kaspersky, INTERPOL Flag 2.1 Million Compromised Credentials During AFCON 2025
Group-IB, headquartered in Singapore, delivered actionable intelligence on more than 5,000 compromised accounts, including accounts linked to government infrastructure.
The firm’s analysts identified and mapped active phishing infrastructure across the MENA region, producing intelligence on two distinct threat actor clusters: one responsible for creating and distributing phishing resources, and another involved in the sale and distribution of leaked data. Group-IB described this as adversary-centric intelligence, tracking not just the infrastructure but the human actors behind it.
Group-IB CEO Dmitry Volkov pointed to “a sharp rise in phishing and scam infrastructure targeting financial platforms, government services, and individual victims” across the region.
The operation, he noted, “was the result of strong collaboration between our Digital Crime Resistance Centers across the MENA and APAC regions.” Volkov affirmed his company’s commitment to “supporting international efforts to dismantle cybercriminal ecosystems and strengthen cyber resilience.”
The Group-IB press release offered additional detail on Morocco’s role, noting that the phishing operations targeted financial institutions and their customers. The company characterized the Moroccan operation as part of a broader pattern of financially motivated cybercrime aimed at the region’s banking sector, with criminal networks deploying phishing tools and harvested credentials to defraud individuals and compromise financial infrastructure.
For INTERPOL’s Director of Cybercrime Neal Jetton, the operation was a demonstration of “the effectiveness of global collaboration.” INTERPOL, he declared, “is dedicated to working with its member countries and private sector partners to take down malicious infrastructure, disrupt criminal groups and bring perpetrators to justice.”
Beyond Morocco, the operation uncovered a range of criminal activity. In Jordan, police dismantled a financial fraud ring and uncovered a human trafficking operation in which 15 individuals from Asia had been coerced into running scams. In Algeria, a phishing-as-a-service website was taken down, and one suspect was detained.
In Qatar, compromised devices were secured after investigators found they had been used to spread malicious threats without their owners’ knowledge. In Oman, a malware-infected server in a private residence was identified and disabled.
The 13 participating countries were Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE. The operation received support from Qatar’s Ministry of Interior and was partially funded by the European Union and the Council of Europe under the CyberSouth+ project.

Join on WhatsApp
Join on Telegram







