INTERPOL concluded Operation Ramz on May 18, 2026, announcing 201 arrests, the identification of 382 additional suspects, and the seizure of 53 servers used for malware distribution and phishing infrastructure across 13 Middle East and North Africa countries. The operation ran from October 2025 through February 2026 and targeted organized cybercriminal networks responsible for large-scale phishing, fraud, and malware campaigns affecting victims globally.
Operation Ramz: Five-Month MENA Cybercrime Sweep Yields 201 Arrests and 53 Seized Servers
The five-month duration of Operation Ramz — spanning October 2025 to February 2026 — placed it among the longer sustained INTERPOL-led cybercrime enforcement campaigns in the region. INTERPOL coordinated national law enforcement agencies across all 13 participating MENA nations throughout the operation’s duration, enabling simultaneous or sequenced actions across a geographically dispersed criminal network.
The 201 arrests represent actors directly taken into custody; the separate identification of 382 suspects indicates a broader investigative footprint that national authorities in participating countries will pursue through their own follow-on proceedings.
The 53 Seized Servers: Malware and Phishing Infrastructure Dismantled Across the Region
The 53 servers seized during Operation Ramz formed the operational backbone of several regional cybercrime networks, handling malware distribution, phishing kit hosting, and related criminal infrastructure. Dismantling physical server infrastructure interrupts the delivery mechanisms that allow criminal networks to reach victims at scale.
Phishing and malware infrastructure seized in coordinated operations frequently contains data linking operators to victims and accomplices across multiple jurisdictions. The cross-border intelligence sharing enabled by INTERPOL’s coordination framework is designed to extend the operation’s investigative impact beyond the initial arrest totals.
382 Additional Suspects Identified for Follow-On Investigation After February 2026 Conclusion
Beyond the 201 arrests, the identification of 382 additional suspects provides participating national law enforcement agencies with actionable intelligence for continued prosecution efforts. This two-tier outcome — arrests plus identified suspects — is consistent with the structure of prior INTERPOL-led cybercrime operations, where the public arrest totals represent a subset of a larger investigative action still in progress at the time of disclosure.
The operation’s results were disclosed publicly on May 18, 2026, following the operational conclusion in February 2026. The roughly three-month interval between the end of the operation and the public announcement is typical for complex multi-country enforcement actions, where final arrest tallies and seized asset inventories must be consolidated across participating jurisdictions before disclosure.
Operation Ramz and INTERPOL’s Expanding MENA Cybercrime Enforcement Posture
Operation Ramz follows prior INTERPOL-led enforcement actions — including Operations Falcon and Synergia — that dismantled criminal infrastructure in other regions. The MENA region, which has historically had less-developed cybercrime enforcement capacity relative to Europe and North America, has become an increasing focus for INTERPOL-coordinated operations as regional threat actor activity has grown.
The 13-country geographic scope of Operation Ramz is broader than many prior regional actions and reflects the cross-border nature of the criminal networks under investigation. Phishing and fraud campaigns operating from infrastructure in one country routinely target victims in others, requiring coordinated enforcement responses that no single national agency can execute alone.
