May 19, 2026
INTERPOL Just Arrested 201 Cybercriminals Across 13 MENA Countries—And the People Running One Scam Center Were Trafficking Victims Being Forced
Operation Ramz seized 53 servers, identified 3,867 victims, and quietly upended one of the assumptions law enforcement has been working with for years: that the people sitting at the keyboards are willing accomplices.
The Operation By the Numbers
On May 18, 2026, INTERPOL announced the results of Operation Ramz, the first coordinated MENA-wide cybercrime crackdown the organization has ever attempted. The operation ran from October 2025 to February 2026 and pulled together law enforcement from thirteen countries: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates.
The headline figures:
- 201 arrests
- 382 additional suspects identified for follow-on action
- 3,867 victims documented across the thirteen countries
- 53 servers seized that hosted phishing kits, malware command-and-control, and stolen banking data
- 5,000+ compromised accounts flagged through Group-IB's intelligence feed, including credentials tied to government infrastructure
INTERPOL's announcement frames the campaign around "phishing and malware threats, as well as cyber scams that inflict severe cost to the region." That phrasing is bureaucratic, but the underlying threat surface is concrete: email lures impersonating banks, government ministries, telecom operators, and shipping carriers, sent from infrastructure stood up specifically to evade Arabic-language filtering.
The Jordan Raid Changed the Conversation
The detail that international press has largely buried—and that compliance officers, NGO researchers, and labor regulators should not—came from Jordan. Police there identified a computer running financial fraud scams targeting investment victims. When they raided the location, they found fifteen people working at the keyboards. Two were the orchestrators. The other thirteen were trafficking victims who had been coerced into participating.
This is the same pattern researchers have been documenting in Southeast Asian "pig butchering" compounds for three years. Forced-labor scam centers operate in Myanmar, Cambodia, and Laos under armed guard, with workers held by debt bondage, document confiscation, and physical violence. What Operation Ramz confirms is that the model has now reached the Middle East. The infrastructure, the lures, the cryptocurrency cash-out chain—it is the same business, exported.
For prosecutors, that means complicated charging decisions: the workers committed real fraud, but they did it under coercion that may meet the standard for human trafficking under the Palermo Protocol. For private-sector compliance teams investigating fraud chargebacks, it means the obvious "sue the scammer" calculus is wrong if the person you would be naming is also a victim. The orchestrators are usually two timezones away.
What Each Country Actually Seized
The country-level disclosures are short but revealing.
- Algeria: Dismantled a phishing-as-a-service operation. The seized server held phishing kit templates and the deployment scripts a paying customer would use to spin up a new campaign in minutes. One operator arrested.
- Morocco: Confiscated computers, smartphones, and external hard drives containing banking data and phishing software. The phrasing suggests stolen credentials—not just the tools to steal them.
- Oman: Identified a server inside a private residence that contained sensitive information, multiple critical vulnerabilities, and active malware infections. The detail that the server was in a residence rather than a data center is consistent with operator practice—keeping infrastructure close enough to monitor physically while staying off the corporate cloud audit trail.
- Qatar: Discovered compromised devices whose owners had no idea their machines were participating in "malicious threats." This is the bystander side of the operation—people whose laptops became part of a botnet without their knowledge.
- Jordan: The trafficking compound described above. Two arrests.
The other eight participating countries did not publish individual raid details, but the total of 201 arrests implies sustained activity across the region. INTERPOL coordinated through its Cybercrime Directorate and the Cyber Fusion Centre in Abu Dhabi, which acts as the regional clearing house for cross-border investigations.
Group-IB and the Private Sector Role
Operation Ramz is notable for INTERPOL's explicit acknowledgment of a private threat intelligence vendor as a contributor. Singapore-based Group-IB provided what INTERPOL describes as "actionable intelligence" on over 5,000 compromised accounts, with details about active phishing infrastructure. The accounts included credentials linked to government infrastructure in the participating countries—a fact INTERPOL was willing to disclose, which suggests the affected governments had already been notified and remediation was underway.
The Group-IB contribution illustrates a pattern that has been growing for five years: police agencies do not have the budget or the engineering staff to operate the kind of credential-leak monitoring infrastructure that vendors like Group-IB, Recorded Future, and Flashpoint run at scale. The deal is reciprocal—the vendor gets case studies and credibility, the agency gets indicators it could not otherwise generate. The downside, as compliance researchers have noted, is that the vendors operate under no public accountability framework, and the intelligence they share is intermediated by their commercial priorities.
What This Means For Email Defenders Outside MENA
Most readers of cybercrime takedown coverage assume the affected region is the one being protected. That misreads the architecture. Operation Ramz seized infrastructure that was, in many cases, hosting phishing operations targeting victims across Europe and North America from MENA-based servers. The phishing kit templates recovered in Algeria can be sold to operators anywhere. The bulletproof hosting model that brought the servers into the region in the first place will rebuild elsewhere within months.
For inbox defenders, the operational signal is the same one that drives every takedown: arrests disrupt operators, not infrastructure. The phishing volume behind the 8.3 billion blocked phishing emails Microsoft reported for Q1 2026 will move sideways, not down. Email security stacks should not interpret this announcement as a reason to relax filtering posture; if anything, the displaced operators are about to try slightly different lures from slightly different domains, against a slightly different victim pool. The fraud reports the FBI's IC3 quantified at $17.6 billion last year are not going to stop because 201 people went to jail.
The takedown that matters is the structural one: if the workers running these scam centers are increasingly trafficking victims, the way to dismantle the model is not to prosecute the keyboards; it is to disrupt the recruitment networks that move workers from South Asia to the Gulf under false job postings. That requires labor inspectors and immigration authorities, not cyber units. INTERPOL's announcement does not say whether that handoff has happened. The next eighteen months of follow-on prosecutions will tell.
For Compliance Teams This Week
Three practical takeaways from Operation Ramz that should land on a compliance team's desk:
- Update your sanctions and trafficking screening to include the affected jurisdictions and any third-party fraud investigators you employ. A vendor that gets fraud "resolved" by negotiating with the perpetrator may be negotiating with a trafficking victim.
- Audit your phishing simulation provider's lure inventory. If your simulator pulls templates from open-source phishing kits, some of those kits were recovered in this operation. Older templates will continue to bypass filters because they were never widely fingerprinted.
- Recheck the source of your threat intelligence feed. If you subscribe to Group-IB, Recorded Future, or Flashpoint, ask explicitly whether your subscription covers MENA-region IOCs from Operation Ramz. The vendor that contributed the intelligence will be releasing the cleaned IOCs first to paying customers, then to free feeds with a lag.
The arrests are real. The model behind them is intact. The next iteration of these scam compounds is already being recruited in Karachi, Manila, and Dhaka.