SniperDz is a centralized, turnkey Phishing-as-a-Service (PhaaS) and Push-Notification-as-a-Service (PNaaS) affiliate ecosystem that operated for nearly a decade before being dismantled in June 2026. Uncovered by Group-IB during an investigation into phishing campaigns targeting users across the Middle East and North Africa (MENA), the platform provided over 80 ready-made phishing templates impersonating more than 30 globally recognized brands, including PayPal, Facebook, Instagram, Netflix, Steam, and regional telecommunications providers. The platform was entirely free to affiliates, monetizing instead through stolen credential harvesting, carrier-billing fraud, premium SMS subscriptions, and browser push-notification abuse. On June 11, 2026, Group-IB announced that INTERPOL’s Operation Ramz, conducted across 13 MENA countries between October 2025 and February 2026, resulted in 201 arrests, the seizure of 53 servers, and the arrest of SniperDz’s primary developer and administrator by the Algerian National Police. Although the platform’s infrastructure has been disrupted, residual campaigns, downloaded phishing kits, and affiliated operators may continue their activities. UAE and MENA organizations and their users remain at risk from ongoing downstream campaigns leveraging SniperDz templates and push-notification infrastructure.
Active since at least 2015, SniperDz operated as a full-stack criminal service platform that used fake Facebook and Instagram accounts to impersonate politicians, public figures, telecom providers, and trusted brands. These accounts promoted fraudulent offers such as free mobile data, government subsidies, and financial rewards. To evade detection, victims were first routed through trusted link-aggregation services such as Linktree and Linkbio before being redirected through multiple stages to attacker-controlled infrastructure. The platform also employed traffic-cloaking techniques that served benign content to security researchers, web crawlers, and automated scanners.
The final stage of the attack chain tricked victims into granting browser push-notification permissions through fake verification pages. Once permission was granted, subscription tokens and browser metadata were collected, enabling the persistent delivery of scams, phishing campaigns, and affiliate content. Victims who did not provide credentials were often redirected into carrier-billing fraud and premium SMS subscription schemes. Investigators linked numerous campaigns through a shared VAPID public key, identifying more than 900 suspicious domains connected to the ecosystem. Over nine years, more than 20,000 SniperDz-associated domains were documented, while the platform’s free-to-use model was funded through the collection of stolen credentials from affiliate campaigns.
Delivery and Infection Chain:
SniperDz-powered campaigns chain social-media luring, link-aggregation and reputation abuse, cloaked multi-stage redirection, and browser push-notification hijacking into a single flow. The stages confirmed in the campaign are: (1) fake Facebook and Instagram accounts impersonating politicians, public figures, telecom providers and trusted brands promote free mobile data, government subsidies or financial rewards; (2) the promoted link points to a trusted link-aggregation service such as Linktree or Linkbio, so the lure is delivered from a reputable domain; (3) the aggregator page redirects through several intermediate hops to attacker-controlled infrastructure, with cloaking logic that serves benign content to web crawlers, automated scanners and security researchers; (4) a fake verification page asks the victim to allow browser notifications, after which the push-subscription token and browser metadata are harvested for persistent delivery of scams, phishing and affiliate content; (5) victims who do not submit credentials are redirected into carrier-billing fraud and premium SMS subscription schemes.
Technical Capabilities:
The VAPID public-key reuse across all SniperDz-linked campaigns is the platform's most significant technical fingerprint. A VAPID (Web Push) application-server key identifies the backend that is authorised to send notifications to a subscription, so every site that registers subscriptions against the same public key is feeding the same notification server. Group-IB extracted this recurring key as a critical indicator of compromise and used it to pivot across infrastructure, clustering more than 900 suspicious domains and their interconnected IP addresses into a single attribution set. Because the key is embedded in the push-subscription registration page served to every victim, it allowed analysts to link otherwise geographically and thematically disparate campaigns, spanning telecom impersonation in Algeria, financial-brand phishing across MENA, and gaming-platform credential theft globally, back to the same centralized SniperDz notification backend.
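The pivot described above (and the shared-key clustering in the attack-chain summary) can be reproduced as a hunting script over captured page sources. The following is an added example written for this advisory, not Group-IB's tooling: it pulls `applicationServerKey` values out of push-registration JavaScript, rejects values that are not genuine uncompressed P-256 points (a real VAPID public key must be one), and groups domains by key. The sample pages, domain names and keys below are constructed; the P-256 generator point stands in for the reused key.

```python
"""Hunt for reused Web Push (VAPID) application-server keys across captured pages.

Added example for this advisory, not Group-IB's tooling. The sample pages,
domain names and keys are constructed stand-ins, not real indicators.
"""
import base64
import binascii
import re
from collections import defaultdict

# NIST P-256 parameters; a VAPID public key is an uncompressed point on this curve.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Two common ways the key appears in pushManager.subscribe() calls:
# a base64url string (often wrapped in a helper such as urlBase64ToUint8Array)
# or a literal Uint8Array of 65 bytes.
B64_RE = re.compile(
    r"applicationServerKey\s*[:=]\s*(?:\w+\()?\s*['\"]([A-Za-z0-9_\-=]{86,90})['\"]"
)
ARRAY_RE = re.compile(
    r"applicationServerKey\s*[:=]\s*new\s+Uint8Array\(\s*\[([\d,\s]+)\]\s*\)"
)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    text = text.rstrip("=")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_p256_point(key: bytes) -> bool:
    """True if key is a SEC1 uncompressed P-256 point: 0x04 || X || Y on the curve."""
    if len(key) != 65 or key[0] != 0x04:
        return False
    x = int.from_bytes(key[1:33], "big")
    y = int.from_bytes(key[33:], "big")
    if x >= P or y >= P:
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def extract_vapid_keys(page_source: str) -> set[str]:
    """Return normalised base64url keys found in a page, keeping only valid curve points."""
    candidates = []
    for m in B64_RE.finditer(page_source):
        try:
            candidates.append(b64url_decode(m.group(1)))
        except (ValueError, binascii.Error):
            continue
    for m in ARRAY_RE.finditer(page_source):
        try:
            candidates.append(bytes(int(v) for v in m.group(1).split(",") if v.strip()))
        except ValueError:
            continue
    return {b64url_encode(k) for k in candidates if is_p256_point(k)}


def cluster_by_key(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each VAPID key to the sorted list of domains whose pages register against it."""
    clusters = defaultdict(set)
    for domain, source in pages.items():
        for key in extract_vapid_keys(source):
            clusters[key].add(domain)
    return {k: sorted(v) for k, v in clusters.items()}


# Constructed sample data: the P-256 generator point plays the "reused key".
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _point(x: int, y: int) -> bytes:
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


KEY_SHARED = b64url_encode(_point(GX, GY))        # reused across two sample domains
KEY_OTHER = b64url_encode(_point(GX, P - GY))     # a different valid point (negation of G)
KEY_BOGUS = b64url_encode(_point(GX, GY + 1))     # right length, not on the curve

SAMPLE_PAGES = {
    "promo-a.example": 'reg.pushManager.subscribe({userVisibleOnly: true, '
                       'applicationServerKey: urlBase64ToUint8Array("%s")});' % KEY_SHARED,
    "promo-b.example": "const opts = {applicationServerKey: '%s', userVisibleOnly: true};" % KEY_SHARED,
    "promo-c.example": "applicationServerKey: new Uint8Array([%s])"
                       % ",".join(str(b) for b in _point(GX, P - GY)),
    "decoy.example": 'applicationServerKey: "%s"' % KEY_BOGUS,
    "news.example": "<html><body>No push registration here.</body></html>",
}

if __name__ == "__main__":
    for key, domains in cluster_by_key(SAMPLE_PAGES).items():
        print(key[:16] + "...", domains)
```

Running the script groups `promo-a.example` and `promo-b.example` under one key, places `promo-c.example` under its own, and drops the decoy whose value has the right length but is not a curve point. In practice the page sources would come from a crawler that fetches with victim-like headers, since the cloaking described below hides the registration page from scanner traffic.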
The cloaking engine demonstrates a sophisticated operational-security posture. By distinguishing researcher traffic from victim traffic at the HTTP layer (request headers such as the user agent, referrer and source address) and serving different content to each, SniperDz maintained a durable infrastructure with a significantly longer operational lifespan than most phishing platforms. Defenders should therefore not treat a benign response from an automated scanner or URL sandbox as evidence that a suspected URL is clean; replaying the request with victim-like headers from a mobile browser profile is needed to reach the phishing or notification-prompt page. The platform's multilingual template library (Arabic, English, French, and formerly Spanish and Hebrew) reflects a deliberate geographic-targeting strategy. The entirely free affiliate model, unusual among PhaaS platforms, dramatically lowered the barrier to entry while ensuring SniperDz operators received stolen credential streams from every affiliate campaign, creating a self-sustaining credential-harvesting engine operating at global scale for nearly ten years.
Attribution and Evolution:
Active since at least 2015, the phishing-as-a-service (PhaaS) platform became one of the longest-running operations of its kind. Researchers from Palo Alto Networks identified more than 140,000 phishing pages linked to the platform between 2023 and 2024, while earlier platform statistics showed over 45,000 victim records collected by 2016. Intelligence gathered by Group-IB and shared with INTERPOL supported Operation Ramz, which ran from October 2025 to February 2026 across 13 MENA countries, leading to 201 arrests and the seizure of 53 servers. On June 11, 2026, INTERPOL and the Algerian National Police announced the arrest of the platform’s primary developer and administrator. Despite the disruption, downloaded phishing kits, remaining infrastructure, and independent affiliate campaigns continue to pose an active threat.
Active Campaign and Geographic Spread:
SniperDz campaigns were primarily focused on the MENA region, particularly Algeria, Morocco, and other Arabic-speaking populations. Because the platform relied on Arabic-language phishing templates and telecom-brand impersonation, UAE users fall squarely within its targeting profile; reports indicate that some campaigns specifically impersonated UAE telecom providers, and the Telegram-based delivery infrastructure remained accessible without geographic restrictions. Although the original platform has been disrupted, affiliates may continue to operate independently using previously downloaded kits. UAE users who recently interacted with suspicious promotional links, enabled notifications on unfamiliar websites, or experienced unexpected premium SMS charges should consider the possibility of exposure.
Conclusion:
Although SniperDz has been disrupted through Operation Ramz and the arrest of its primary developer, the threat remains. Residual phishing kits, independent affiliates, and previously compromised browser push-notification subscriptions may continue to facilitate phishing, scams, and fraud. Organisations across the UAE and MENA region should raise awareness of social-media impersonation, link-aggregation abuse, and notification-based threats while ensuring that security controls can detect and block related infrastructure.
Successful execution of a SniperDz campaign can result in multiple layers of harm: credential theft from brand-impersonation phishing pages (PayPal, Facebook, banking portals), enabling account takeover and financial fraud; persistent browser push-notification access, enabling the ongoing delivery of scam content and secondary phishing campaigns; carrier-billing fraud and unauthorised premium SMS subscription charges; and personal-data harvesting. For UAE and MENA organisations, the impersonation of government entities, telecom providers, and public figures represents a direct social-engineering risk targeting employees and citizens. UAE PDPL obligations may be triggered where employee credentials or personal information are harvested through brand-impersonation campaigns. Critical infrastructure operators and government entities impersonated in SniperDz templates may face NCA ECC reporting obligations if their brand is actively exploited in campaigns targeting their users or employees.
References:
https://www.group-ib.com/blog/inside-sniperdz-phaas-ecosystem/
https://www.group-ib.com/media-center/press-releases/sniperdz-investigation/
https://www.infosecurity-magazine.com/news/interpol-dismantles-sniperdz/
https://cybersecuritynews.com/hackers-abuse-sniperdz-phaas-ecosystem/