SniperDz takedown: a phishing kit cloned 30+ brands, and how to spot the fakes
INTERPOL, Group-IB and the Algerian police dismantled SniperDz, a nine-year phishing-as-a-service operation that sold ready-made fake login pages for PayPal, Facebook, Netflix, Steam and dozens more. Here is what phishing-as-a-service is, and how to recognize a templated fake brand page no matter how real it looks.
Is a pixel-perfect brand login page safe just because it looks real?
Verdict: no. A login page for PayPal, Netflix, Facebook or any brand is phishing if it sits on a domain that is not that brand's official one, no matter how perfect the copy looks. SniperDz, a phishing-as-a-service operation just dismantled by INTERPOL and Group-IB, shows why. It sold 80 ready-made templates that cloned 30+ major brands across more than 20,000 domains, so the fake pages were pixel-perfect by design. The look tells you nothing. The domain in the address bar tells you everything. The one habit that beats every kit: never log in from a link. Type the address yourself or open a saved bookmark, and read the real domain before you type a password.
The headline
In June 2026, Group-IB reported that its investigation helped INTERPOL and the Algerian National Police dismantle SniperDz, a phishing-as-a-service platform that had operated for roughly nine years. According to Group-IB, the platform offered 80 phishing templates impersonating at least 30 major global organizations, served in five languages, and was tied to more than 20,000 unique domains over its lifetime. The primary developer and administrator was arrested. The takedown is a milestone, but the templates it sold are now copied across the underground, so the pages outlive the platform. This post explains the model and the defense.
What phishing-as-a-service actually means
Phishing-as-a-service, or PhaaS, is exactly what it sounds like: phishing sold as a product. Instead of building a fake login page from scratch, a low-skill scammer rents or buys a ready-made kit. The kit ships with cloned brand templates, hosting, and the plumbing to collect whatever the victim types. The buyer points it at targets and waits. The skill barrier collapses, which is the whole point of the model and the reason it scales.
SniperDz is a textbook case. Group-IB describes a catalog of 80 templates impersonating more than 30 well-known organizations, with named brands including PayPal, Facebook, Instagram, Yahoo, Netflix and Steam. The templates were offered in five languages, Arabic, English, French, Spanish and Hebrew, so the same kit could target victims across regions without the buyer writing a word. Group-IB linked over 20,000 unique domains to the operation across its run.
The economics matter more than any single page. When a clone is a template, not a craft, the marginal cost of the next fake PayPal page is close to zero. That is why one kit produces thousands of near-identical login screens, and why "it looked completely real" is not evidence of safety. Looking real is the cheapest feature in the kit.
How the kit reached scammers, and victims
According to the reporting around the takedown, SniperDz was promoted openly through messaging and social channels, including a Telegram channel with thousands of subscribers where tutorials and access were shared. The infrastructure was offered to buyers with operational support, and the operators monetized the harvested traffic in several ways: stolen credentials, and redirection of victims into carrier-billing and premium-SMS fraud and affiliate-style scams. One kit, many revenue streams.
For the victim, the experience is mundane. A link arrives in an email, a text, a DM, or rides in on a search ad or a poisoned result. It opens a login page that carries a familiar logo, the right colors, the right layout. The victim types a password, maybe a one-time code, and the credentials land in the operator's panel. There is no dramatic exploit. The entire attack is a convincing page on the wrong domain, mass-produced.
Check a suspicious brand login link
Got a login link for PayPal, Netflix, your bank, or any brand and you are not sure it is the real site? Paste it below. Our 3-layer engine (Local + APIs + AI) reads the page and checks whether a known brand is sitting on a domain that is not its official one, then returns a verdict in about three seconds. Free, no signup.
How to spot a templated fake brand page
A kit can clone the pixels, but it cannot clone the brand's real domain or its real flow. That is where the tells live. Run this checklist before you type anything into a login page.
- The domain is not the brand's official one. This is the single decision that settles it. A PayPal login lives on paypal.com; a Netflix login lives on netflix.com. A perfect-looking PayPal page on a "secure-paypal-verify" host is phishing, full stop. Read the actual registered domain, the last part of the host name ending just before the first single slash, not the words around it.
- You arrived by clicking a link, not by typing the address. A kit needs you to click in. If you reached the login by email, text, DM or ad, treat it as hostile until you have verified the domain yourself.
- The padlock proves encryption, not identity. A green padlock means the connection is encrypted. It does not mean the site is who it claims to be. Kits get free certificates in minutes, so a fake page can have a perfect padlock. The padlock is not a trust signal here; the domain is.
- Manufactured urgency. "Your account is suspended", "verify within 24 hours", "unusual login detected". Templated pages lean on a deadline to stop you from checking the domain. Real account problems wait for you to log in normally.
- It asks for more than it should. A login that immediately wants your card number, a one-time code by phone, or a wallet seed phrase is harvesting, not authenticating. Real logins ask for credentials, then take you into the account.
- Reused or slightly-off page assets. Templated clones often pull logos and styles from an old version of the brand, or load images from an unrelated host. A logo that is the wrong shade, a copyright year that is stale, or a "forgot password" link that goes nowhere are quiet signs the page was assembled, not served by the brand.
Any one of these is reason to stop. The domain check alone is enough to settle most cases. If the address bar is not exactly the brand's official site, nothing else on the page matters.
How SafeBrowz blocks this threat
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI. A templated phishing page is precisely the pattern it is built to catch, because the giveaway is structural, a real brand on a domain that is not the brand's, and that does not depend on the page looking fake.
- Layer 1, local: 60+ URL pattern signatures and 550+ brand signatures run inside the extension. When a page carries a known brand (PayPal, Netflix, Steam, your bank) on a domain that is not that brand's official one, it flags content-free, before the login form finishes rendering. A pixel-perfect clone does not have to fool a model to get caught here. The brand-versus-domain mismatch is enough, which is exactly why a kit's "it looks real" advantage does not help it.
- Layer 2, APIs: aggregates threat intelligence including Google Safe Browsing, PhishTank, URLhaus, ScamAdviser and scam-TLD signals to catch domains that have already been reported, including the kind of throwaway hosts a kit cycles through.
- Layer 3, AI deep scan (Premium): AI content analysis via our proxy reads the live page in 100+ languages, recognizes login-form mimicry and credential-capture layouts, and can flag a brand-new clone the moment it loads, before any blocklist has the domain. This is what catches a fresh template on a domain nobody has reported yet.
Honest scope: SafeBrowz flags the fake login page before you type, which is the right moment to break this attack. It cannot un-steal a password you already submitted, which is why the habit of never logging in from a link, plus two-factor authentication, sits alongside the engine. The free browser extension does this on desktop, and the SafeBrowz Android app on Google Play applies the same engine to links you open on your phone, where many of these texts and ads land.
Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
What these templated fake pages look like
You cannot tell a kit-built clone apart by its appearance, because the appearance is copied. The tell is always the host. These are illustrative patterns, not live domains, to show the shape these kits reuse: a real brand name welded onto a domain the brand does not own.
- secure-paypal-verify[.]com (PayPal logins live on paypal.com, never a "secure-verify" host)
- netflix-billing-update[.]net (Netflix never moves its sign-in to a separate "billing-update" domain)
- steam-community-login[.]xyz (a Steam clone on a cheap throwaway TLD is the classic kit pattern)
The lesson is not to memorize bad domains, because a kit spins up new ones constantly. It is that the brand on the page and the domain in the address bar must match. When they do not, the polish of the page is irrelevant.
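The brand-versus-domain check described above, as an added JavaScript example that is not SafeBrowz code or part of the original post: it takes the registered domain from the end of the host name and compares it with the brand's official domains. The brand table, the short suffix list (a stand-in for the full Public Suffix List), the pageBrand input and the defanged sample URLs are assumptions constructed for illustration.

```javascript
// Added example (not SafeBrowz code): brand-versus-domain mismatch check.
// ASSUMPTION: constructed brand table; a production table is far larger.
const BRANDS = {
  paypal: ["paypal.com"],
  netflix: ["netflix.com"],
  steam: ["steampowered.com", "steamcommunity.com"],
};
// ASSUMPTION: tiny stand-in for the Public Suffix List, which a real check needs
// so hosts under suffixes such as co.uk resolve to the right registered domain.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Registered domain = public suffix plus one label, read from the END of the host.
function registeredDomain(host) {
  const labels = host.split(".");
  const take = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// pageBrand (hypothetical input): the brand the page presents itself as, or null.
function checkLogin(rawUrl, pageBrand = null) {
  let host;
  try {
    // Accept defanged input like example[.]com. URL() discards path, query and
    // any user@ prefix, so only the real host is judged.
    const url = new URL(rawUrl.replace(/\[\.\]/g, "."));
    host = url.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return { verdict: "invalid-url", domain: null };
  }
  const domain = registeredDomain(host);
  // Brands in play: the one shown on the page plus any named inside the host.
  const claimed = new Set(Object.keys(BRANDS).filter((b) => host.includes(b)));
  if (pageBrand) claimed.add(pageBrand);
  if (claimed.size === 0) return { verdict: "no-brand", domain };
  const official = [...claimed].some((b) => (BRANDS[b] || []).includes(domain));
  return { verdict: official ? "official" : "mismatch", domain };
}

// Constructed, defanged samples in the shape of the illustrative patterns above.
const SAMPLES = [
  ["https://www.paypal.com/signin", "paypal"],
  ["https://secure-paypal-verify[.]com/signin", "paypal"],
  ["https://paypal.com.account-check[.]example/login", null],
  ["https://login.example[.]co.uk/", "netflix"],
];
for (const [url, brand] of SAMPLES) {
  console.log(url, JSON.stringify(checkLogin(url, brand)));
}
```

A verdict of "official" only says the registered domain matches the table; it is the mismatch verdict that carries the signal, and it does not depend on how the page looks.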
What to do right now
The defense against a mass-produced clone is not better eyesight. It is a routine that never lets a link choose where you log in.
- Never log in from a link. Not from email, not from a text, not from an ad or a search result. If a message says your account needs attention, leave the message and reach the account on your own.
- Type the domain yourself or use a saved bookmark. Open a fresh tab and type the official address, or use a bookmark you made when you knew you were on the real site. This is the one step a kit cannot route around.
- Read the real domain before you type a password. Find the registered domain, the last part of the host name ending just before the first single slash, and confirm it is exactly the brand's. Extra words, hyphens, an odd country code, or a brand name buried in a longer host are all tells.
- Turn on two-factor authentication. If a clone steals your password, a second factor means it is not enough to get in. Prefer an authenticator app or a hardware key over SMS codes where you can.
- Report it. In the US, file with the FBI's Internet Crime Complaint Center at ic3.gov and the FTC at reportfraud.ftc.gov. Report the fake page to the impersonated brand too. Include the link you clicked and the domain you landed on.
Updated June 30, 2026.
Catch the fake page before you type
SafeBrowz is a free browser extension for Chrome, Firefox and Edge (Safari coming soon) plus a live Android app that flags a fake login page the moment a known brand shows up on a domain that is not its own. Because the giveaway is the brand-versus-domain mismatch, not how real the page looks, a pixel-perfect kit clone gets caught the same way a sloppy one does. It recognizes 550+ brands, auto-flagged when a page tries to impersonate them, with AI content analysis in 100+ languages for brand-new clones. Free forever, no account needed. Questions: [email protected].
Bottom line: SniperDz proved that a brand login page can be cloned pixel-perfect and mass-produced across tens of thousands of domains, so a page looking real is never proof it is real. The only thing that settles it is the domain. Never log in from a link, type the address yourself, turn on two-factor authentication, and put SafeBrowz on your browser so a templated fake page gets flagged on the brand-versus-domain mismatch before you type your password.
Frequently asked questions
What is phishing-as-a-service (PhaaS)?
Phishing-as-a-service is phishing sold as a ready-made product. Instead of building a fake login page from scratch, a scammer rents or buys a kit that already includes cloned brand templates, hosting, and the tooling to collect whatever a victim types. SniperDz is an example: Group-IB reported it offered 80 templates impersonating 30+ brands in five languages. The model lowers the skill barrier, which is why one kit produces thousands of near-identical fake pages.
What was SniperDz and who took it down?
SniperDz was a phishing-as-a-service platform that operated for roughly nine years. In June 2026, Group-IB reported that its investigation helped INTERPOL and the Algerian National Police dismantle it and arrest its primary developer and administrator. Group-IB linked the operation to more than 20,000 unique domains and 80 phishing templates impersonating at least 30 major organizations, including PayPal, Facebook, Instagram, Yahoo, Netflix and Steam.
If a fake login page is pixel-perfect, how can I tell it apart?
You cannot tell by appearance, because a kit copies the appearance exactly. Check the domain instead. A real brand login lives only on the brand's official domain, so a perfect PayPal page on any other host is phishing. Read the registered domain in the address bar, the last part of the host name ending just before the first single slash, before you type a password. The look of the page is the cheapest thing in the kit; the domain is the thing it cannot fake.
Does the padlock icon mean a login page is safe?
No. The padlock means the connection is encrypted, not that the site is who it claims to be. Phishing kits get free certificates in minutes, so a fake page can show a perfect padlock. Treat the padlock as a statement about encryption only, and judge trust by the domain in the address bar.
How does SafeBrowz catch a templated fake brand page?
SafeBrowz runs a 3-layer engine: Local + APIs + AI. Its local layer flags a known brand appearing on a non-official domain content-free, so a clone is caught on the brand-versus-domain mismatch rather than on how real it looks. Reputation APIs catch domains already reported, and AI content analysis reads the live page in 100+ languages to flag brand-new clones the moment they load. No engine is perfect, but a templated clone's polish gives it no advantage against a mismatch check.
The platform was taken down, so is the threat over?
No. A takedown removes the operator and its infrastructure, but the templates and techniques are copied widely across the underground, and other phishing-as-a-service kits remain active. The fake pages outlive the platform that sold them. The defensive habits, never logging in from a link and checking the domain, work against every kit, not just SniperDz.