‘Dr HeX’ claimed thousands of French-speaking victims through phishing attacks

Police have arrested a Moroccan cybercrime suspect

Moroccan police have arrested a suspect in a long-running series of cyber-frauds targeting the customers of French banks, telcos, and multinational corporations.

Operating under the nom de guerre ‘Dr HeX’, the suspect claimed thousands of victims through phishing and credit card fraud.

The miscreant is further accused of defacing corporate websites and launching malware campaigns against the corporate networks of French-speaking communications companies, multiple banks, and various multinational companies.

In addition, the suspect allegedly developed carding and phishing kits which they subsequently sold onto to would-be cybercriminals through online forums.

Lyre, Lyre

The as yet unnamed suspect was arrested in May by the Moroccan police, based on cybercrime threat intelligence provided by Group-IB, a cybersecurity company.

The arrest marked a milestone in a two-year investigation, dubbed ‘Operation Lyrebird’.


Catch up on the latest cybercrime news


According to Group-IB, the starting point in its research to identify and deanonymize the alleged cybercriminal was the extraction of a phishing kit (a tool used to create phishing web pages and conduct social engineering campaigns) exploiting the brand of a large French bank.

Scripts contained in the phishing kit had its creator’s handle, Dr HeX, and a contact email address that was reused for other purposes across the web, according to a statement on its investigation by Group-IB:

The email mentioned in the phishing kit enabled Group-IB threat intelligence analysts to find the alleged attacker’s YouTube channel signed up under the same name – Dr HeX. In the description to one of the videos, the attacker left a link leading to an Arabic crowd funding platform, which enabled Group-IB researchers to record another name associated with the cybercriminal.

According to the DNS data analysis, this name was used to register at least two domains, which were created using the email from the phishing kit.

Using its patented graph network analysis technology, Group-IB researchers built a network graph, based on the email address from the phishing kit, that showed other elements of the threat actor’s malicious infrastructure employed by him in various campaigns along with his personal pages.

A total of five email addresses associated with the accused were identified, along with six nicknames, and his accounts on Skype, Facebook, Instagram, and Youtube.

OPSEC fail

Group-IB claims that the suspect was involved in attacks on 134 websites from 2009-2018, leaving behind his signature name on the target web pages.

Further analysis of Dr Hex’s digital footprint revealed his association with other malicious activities including posts on several underground forums related to malware development.

“In addition, Group-IB has also discovered evidence suggesting Dr Hex’s involvement in attacks on several huge French corporations with the aim of stealing customer’s bank card data,” the firm said in a statement on the case.

Interpol’s Cybercrime Directorate worked closely with Group-IB and with Moroccan Police to eventually locate and apprehend the suspect, who remains under investigation.

In May, Interpol launched a new cyber operations desk to boost the capacity of 49 African countries to fight cybercrime. The Africa desk will “drive intelligence-led coordinated actions against cybercriminals and support joint operations such as Lyrebird”, according to Interpol.


YOU MAY ALSO LIKE REvil ransomware attackers demand $70m following Kaseya VSA supply chain attack