SniperDz Ecosystem Exploits Push Notifications for Large-Scale Fraud

Summary:

SniperDz is a centralized, turnkey Phishing-as-a-Service (PhaaS) and Push-Notification-as-a-Service (PNaaS) affiliate ecosystem that operated for nearly a decade before being dismantled in June 2026. Uncovered by Group-IB during an investigation into phishing campaigns targeting users across the Middle East and North Africa (MENA), the platform provided over 80 ready-made phishing templates impersonating more than 30 globally recognized brands, including PayPal, Facebook, Instagram, Netflix, Steam, and regional telecommunications providers. The platform was entirely free to affiliates, monetizing instead through stolen credential harvesting, carrier-billing fraud, premium SMS subscriptions, and browser push-notification abuse. On June 11, 2026, Group-IB announced that INTERPOL’s Operation Ramz, conducted across 13 MENA countries between October 2025 and February 2026, resulted in 201 arrests, the seizure of 53 servers, and the arrest of SniperDz’s primary developer and administrator by the Algerian National Police. Although the platform’s infrastructure has been disrupted, residual campaigns, downloaded phishing kits, and affiliated operators may continue their activities. UAE and MENA organizations and their users remain at risk from ongoing downstream campaigns leveraging SniperDz templates and push-notification infrastructure.

Technical Description:

Active since at least 2015, SniperDz operated as a full-stack criminal service platform that used fake Facebook and Instagram accounts to impersonate politicians, public figures, telecom providers, and trusted brands. These accounts promoted fraudulent offers such as free mobile data, government subsidies, and financial rewards. To evade detection, the platform first routed victims through trusted link-aggregation services such as Linktree and Linkbio before redirecting them through multiple stages to attacker-controlled infrastructure. The platform also employed traffic-cloaking techniques that served benign content to security researchers, web crawlers, and automated scanners.

The final stage of the attack chain tricked victims into granting browser push-notification permissions through fake verification pages. Once permission was granted, subscription tokens and browser metadata were collected, enabling the persistent delivery of scams, phishing campaigns, and affiliate content. Victims who did not provide credentials were often redirected into carrier-billing fraud and premium SMS subscription schemes. Investigators linked numerous campaigns through a shared VAPID public key, identifying more than 900 suspicious domains connected to the ecosystem. Over nine years, more than 20,000 SniperDz-associated domains were documented, while the platform’s free-to-use model was funded through the collection of stolen credentials from affiliate campaigns.

Delivery and Infection Chain:

SniperDz-powered campaigns chain social-media luring, link-aggregation reputation abuse, cloaked multi-stage redirection, and browser push-notification hijacking within a single infection flow. Key confirmed TTPs observed in the campaign are as follows:

  • Affiliates create fake Facebook and Instagram accounts impersonating politicians, public figures, and telecom providers such as Algérie Télécom. They promote fraudulent offers, including free data, subsidies, and cash rewards. Links are often routed through trusted aggregation services such as Linktree and Linkbio to evade detection.
  • The platform identifies security researchers, crawlers, and automated scanners through request analysis and behavioural checks. Non-target visitors are served benign pages or error messages, while legitimate victims are redirected through multiple stages to hidden phishing or push-notification infrastructure.
  • Victims are presented with cloned login pages impersonating brands such as PayPal, Facebook, Netflix, Steam, banks, and telecom providers. Submitted credentials are sent directly to the operator’s backend. The platform’s free-service model is sustained by retaining copies of harvested credentials.
  • Victims encounter fake verification pages that instruct them to click “Allow” to continue. This action creates a browser push-notification subscription linked to the operator’s infrastructure. Subscription tokens and browser data are collected, enabling persistent access even after browser restarts.
  • Collected subscription tokens are used to deliver unsolicited browser notifications containing scams, phishing lures, affiliate content, and carrier-billing fraud redirects. This provides operators with a long-term communication channel. Victims who do not submit credentials may instead be enrolled in premium SMS subscription schemes.

Technical Capabilities:

The VAPID public-key reuse across all SniperDz-linked campaigns is the platform’s most significant technical fingerprint. Group-IB extracted this recurring key as a critical indicator of compromise, using it to pivot across infrastructure and cluster more than 900 suspicious domains and interconnected IP addresses into a single attribution set. Because the VAPID key is embedded in the push-subscription registration page served to every victim, analysts could definitively link otherwise geographically and thematically disparate campaigns (telecom impersonation in Algeria, financial-brand phishing across MENA, and gaming-platform credential theft worldwide) back to the same centralized SniperDz notification backend.
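The key-based pivot described above, written as an added Python example (not Group-IB’s tooling): it pulls the applicationServerKey that each captured page passes to PushManager.subscribe(), checks that the value decodes to an uncompressed P-256 point as a real VAPID public key must, and groups domains that embed the same key. The page bodies and the key are constructed samples, not the SniperDz key.

```python
import base64
import re
from collections import defaultdict

# Matches the applicationServerKey handed to PushManager.subscribe(), whether given
# as a bare base64url string or wrapped in the common urlBase64ToUint8Array() helper.
_VAPID_RE = re.compile(
    r"applicationServerKey\s*[:=]\s*(?:urlBase64ToUint8Array\(\s*)?['\"]([A-Za-z0-9_-]{80,90})['\"]"
)

def is_plausible_vapid_key(key: str) -> bool:
    """A VAPID public key is an uncompressed P-256 point: 65 bytes, first byte 0x04."""
    padded = key + "=" * (-len(key) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except ValueError:
        return False
    return len(raw) == 65 and raw[0] == 0x04

def extract_vapid_keys(html: str) -> set:
    """Return every plausible VAPID public key embedded in a page body."""
    return {k for k in _VAPID_RE.findall(html) if is_plausible_vapid_key(k)}

def cluster_by_vapid_key(pages: dict) -> dict:
    """Group domains by the VAPID public key their push-registration page embeds."""
    clusters = defaultdict(set)
    for domain, html in pages.items():
        for key in extract_vapid_keys(html):
            clusters[key].add(domain)
    return dict(clusters)

# Constructed sample key (NOT the real SniperDz key): 0x04 followed by 64 fixed bytes.
SAMPLE_KEY = base64.urlsafe_b64encode(b"\x04" + bytes(range(64))).rstrip(b"=").decode()

# Constructed page bodies standing in for crawled "verification" pages.
SAMPLE_PAGES = {
    "free-data-offer.example": (
        "<script>navigator.serviceWorker.ready.then(r => r.pushManager.subscribe({"
        f"userVisibleOnly:true, applicationServerKey: urlBase64ToUint8Array('{SAMPLE_KEY}')"
        "}))</script>"
    ),
    "prize-verify.example": f'<script>const opts={{applicationServerKey:"{SAMPLE_KEY}"}}</script>',
    "unrelated-site.example": "<p>Welcome to our blog.</p>",
    "broken-key.example": 'applicationServerKey: "' + "A" * 87 + '"',  # decodes, but not a P-256 point
}

if __name__ == "__main__":
    for key, domains in cluster_by_vapid_key(SAMPLE_PAGES).items():
        print(f"{key[:16]}... -> {sorted(domains)}")
```

Feeding it crawled page bodies keyed by domain yields one cluster per push backend; a cluster spanning unrelated brands is the signal the advisory describes.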

The cloaking engine demonstrates a sophisticated operational-security posture. By distinguishing researcher traffic from victim traffic at the HTTP layer and serving different content to each, SniperDz maintained a durable infrastructure with a significantly longer operational lifespan than most phishing platforms. The platform’s multilingual template library (Arabic, English, French, and formerly Spanish and Hebrew) reflects a deliberate geographic-targeting strategy. The entirely free affiliate model, unique among PhaaS platforms, dramatically lowered the barrier to entry while ensuring SniperDz operators received stolen credential streams from every affiliate campaign, creating a self-sustaining credential-harvesting engine operating at global scale for nearly ten years.

Attribution and Evolution:

Active since at least 2015, the phishing-as-a-service (PhaaS) platform became one of the longest-running operations of its kind. Researchers from Palo Alto Networks identified more than 140,000 phishing pages linked to the platform between 2023 and 2024, while earlier platform statistics showed over 45,000 victim records collected by 2016. Intelligence gathered by Group-IB and shared with INTERPOL supported Operation Ramz, which ran from October 2025 to February 2026 across 13 MENA countries, leading to 201 arrests and the seizure of 53 servers. On June 11, 2026, INTERPOL and the Algerian National Police announced the arrest of the platform’s primary developer and administrator. Despite the disruption, downloaded phishing kits, remaining infrastructure, and independent affiliate campaigns continue to pose an active threat.

Active Campaign and Geographic Spread:

SniperDz campaigns were primarily focused on the MENA region, particularly Algeria, Morocco, and other Arabic-speaking populations. The platform used Arabic-language phishing templates and telecom-brand impersonation, making UAE users a notable target. Reports indicate that some campaigns specifically impersonated UAE telecom providers, while the Telegram-based delivery infrastructure remained accessible without geographic restrictions. Although the original platform has been disrupted, affiliates may continue to operate independently using previously downloaded kits. UAE users who recently interacted with suspicious promotional links, enabled notifications on unfamiliar websites, or experienced unexpected premium SMS charges should consider the possibility of exposure.

Conclusion:

Although SniperDz has been disrupted through Operation Ramz and the arrest of its primary developer, the threat remains. Residual phishing kits, independent affiliates, and previously compromised browser push-notification subscriptions may continue to facilitate phishing, scams, and fraud. Organisations across the UAE and MENA region should raise awareness of social-media impersonation, link-aggregation abuse, and notification-based threats while ensuring that security controls can detect and block related infrastructure.

Impact:

Successful execution of a SniperDz campaign can result in multiple layers of harm: credential theft from brand-impersonation phishing pages (PayPal, Facebook, banking portals), enabling account takeover and financial fraud; persistent browser push-notification access, enabling the ongoing delivery of scam content and secondary phishing campaigns; carrier-billing fraud and unauthorised premium SMS subscription charges; and personal-data harvesting. For UAE and MENA organisations, the impersonation of government entities, telecom providers, and public figures represents a direct social-engineering risk targeting employees and citizens. UAE PDPL obligations may be triggered where employee credentials or personal information are harvested through brand-impersonation campaigns. Critical infrastructure operators and government entities impersonated in SniperDz templates may face NCA ECC reporting obligations if their brand is actively exploited in campaigns targeting their users or employees.

IOC and Context Details:

Tactic Name: Initial Access, Credential Access, Resource Development, Collection, Impact
Technique Name: Brand Impersonation via Phishing-as-a-Service (PhaaS), Browser Notification Hijacking via Push Notification-as-a-Service (PNaaS), Carrier Billing Fraud, Credential Harvesting (SniperDz ecosystem)
Sub-Technique Name: Social-media lure using fake offers via impersonated accounts → link-aggregation hop through Linktree/Linkbio as a reputation buffer → cloaked multi-stage redirection → phishing page for credential harvesting or browser push-notification permission request → VAPID subscription captured → operator backend collects credentials and push-notification tokens → persistent browser access used for continued scam and phishing delivery.
Attack Type: Malware
Targeted Applications: Microsoft Edge, Google Chrome, Mozilla Firefox, Google Chrome OS; Facebook and Instagram (lure delivery); Linktree and Linkbio (redirection services); 30+ impersonated brands including PayPal, Netflix, Steam, Facebook, Instagram, Yahoo, and regional telecommunications providers.
Region Impacted: Global. Primary targeting of MENA users, particularly Arabic-, English-, and French-speaking users in Algeria, Morocco, and the wider MENA region.
Industry Impacted: Consumer and enterprise users across MENA (primary), global users of impersonated brands (secondary), especially organizations whose employees access branded online services.
IOCs:
URLs / Domains (defanged):
  • linktree[.]com (abused for redirection)
  • linkbio[.]com (abused for redirection)
  • sniperdz[.]com (main PhaaS platform – seized)
  • 20,000+ associated domains (see Group-IB Threat Intelligence Portal)
VAPID Key:
BHGs6bFe0K45iP8l_YM4b0YSjFbFpXFnLDKfQmIQkdtzR
CVE: N/A

Recommended Actions:

  • Immediately audit all browsers (Chrome, Edge, and Firefox) on corporate and BYOD endpoints for unauthorised push-notification permissions. Navigate to browser site settings and revoke any notification permissions granted to unknown, suspicious, or unexpected sites. This is the most urgent action for any user who may have encountered a SniperDz campaign.
  • Brief all users on the SniperDz lure methodology. Social-media posts offering free data, subsidies, or rewards from impersonated public figures, politicians, or telecom providers should be treated as high-risk indicators. Users should not click promotional links from unverified social-media accounts or link-in-bio aggregation pages promoting unsolicited offers.
  • Configure web proxy and DNS filtering to block known SniperDz-associated domains and IP addresses. Group-IB’s Threat Intelligence Portal provides the full indicator set, including more than 900 suspicious domains linked to the VAPID-key infrastructure fingerprint. Integrate these into your SIEM, MISP, or firewall blocklists.
  • Add social-media lure and brand-impersonation monitoring to your threat-intelligence workflow. Monitor for fraudulent accounts impersonating your organisation, executives, or associated public figures on Facebook and Instagram, and report them for takedown.
  • Configure browser content-filtering rules to alert on or block navigation through link-aggregation services (Linktree, Linkbio) when traffic originates from social-media referrers to non-corporate destinations, as this pattern is a consistent early-funnel indicator in SniperDz campaigns.
  • For users who may have been victimised, advise immediate password resets for any accounts entered on suspected phishing pages (PayPal, Facebook, Netflix, banking portals, or email accounts), enable multi-factor authentication where not already enforced, and review bank and carrier-billing statements for unauthorised premium SMS or subscription charges.
  • Integrate threat-intelligence feeds covering PhaaS and PNaaS infrastructure into your SIEM. Alert on push-notification permission-grant events from corporate-managed browsers and monitor for outbound connections to newly registered domains matching patterns consistent with SniperDz’s infrastructure fingerprint.
  • Coordinate with regional telecom providers and platform operators where your organisation’s brand may be impersonated and report any identified SniperDz-associated phishing pages or social-media impersonation accounts to the relevant platforms and national CERT teams.
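The first recommended action, automated for Chromium-based browsers as an added Python example (not from the advisory or Group-IB): it reads Chrome’s Preferences JSON, lists every origin holding an ALLOW notification permission together with the time the grant was recorded, and flags anything outside a corporate allowlist. The Preferences path and the sample data are assumptions and constructed values.

```python
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

CONTENT_SETTING_ALLOW = 1  # Chromium ContentSetting: 1 = ALLOW, 2 = BLOCK, 3 = ASK

def chrome_time(us: Optional[str]) -> Optional[str]:
    """Chromium stores timestamps as microseconds since 1601-01-01 UTC (Windows epoch)."""
    if us is None:
        return None
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(us))).isoformat()

def granted_notification_origins(prefs: dict) -> dict:
    """Map each origin holding an ALLOW notification permission to when it was granted."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    granted = {}
    for pattern, entry in exceptions.items():
        if entry.get("setting") == CONTENT_SETTING_ALLOW:
            # Keys are "<primary pattern>,<secondary pattern>", e.g. "https://site.example:443,*".
            granted[pattern.split(",", 1)[0]] = chrome_time(entry.get("last_modified"))
    return granted

def audit_notifications(prefs: dict, allowlist: set) -> list:
    """Granted origins that are not on the corporate allowlist, sorted for reporting."""
    return sorted(o for o in granted_notification_origins(prefs) if o not in allowlist)

# Constructed Preferences fragment standing in for a real profile; not from any endpoint.
SAMPLE_PREFS = {"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.corp.example:443,*": {"setting": 1, "last_modified": "13300000000000000"},
    "https://free-data-offer.example:443,*": {"setting": 1, "last_modified": "13312000000000000"},
    "https://news.example:443,*": {"setting": 2},
}}}}}
CORPORATE_ALLOWLIST = {"https://mail.corp.example:443"}

if __name__ == "__main__":
    # Default-profile path on Linux (assumed); on Windows use
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences.
    path = Path.home() / ".config/google-chrome/Default/Preferences"
    prefs = json.loads(path.read_text(encoding="utf-8")) if path.exists() else SAMPLE_PREFS
    grants = granted_notification_origins(prefs)
    for origin in audit_notifications(prefs, CORPORATE_ALLOWLIST):
        print(f"Unexpected notification grant: {origin} (granted {grants[origin]})")
```

Microsoft Edge keeps the same Preferences layout under its own User Data directory, so the same functions apply to Edge profiles; Firefox stores permissions in permissions.sqlite and needs a separate reader.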

Reference:

https://www.group-ib.com/blog/inside-sniperdz-phaas-ecosystem/

https://www.group-ib.com/media-center/press-releases/sniperdz-investigation/

https://www.infosecurity-magazine.com/news/interpol-dismantles-sniperdz/

https://cybersecuritynews.com/hackers-abuse-sniperdz-phaas-ecosystem/