Interpol arrests “Dr. Hex”, a famous cybercriminal, after a 2-year operation

Operation Lyrebird, deployed by the international police agency Interpol in collaboration with infosec firm Group-IB, led to the arrest of one of the most wanted threat actors in the world of cybercrime, linked to dozens of high-profile attacks, affecting telecommunications companies, financial institutions and even some transnational firms. The accused, originally from Morocco, was arrested by his country’s authorities after nearly two years of investigation.

Known in the hacking community as “Dr. Hex”, the defendant has been active since at least 2009 and is singled out as primarily responsible for a number of cybercriminal campaigns, including phishing attacks, malware deployment, wire fraud and payment card theft, compromising thousands of victims worldwide.

The investigation began with the detection of a phishing kit that imitated the branding of a renowned French bank in order to deceive victims. This malicious tool allowed cybercriminals to steal hundreds of credentials used to log in to the systems of the affected organizations. Notably, virtually all the scripts in the kit contained the nickname Dr. Hex, plus a contact email address.

Following this email address, investigators detected a YouTube channel also called “Dr. Hex.” On this platform, Group-IB experts found a link to an Arabic-language crowdfunding website. The DNS associated with this platform was used to register at least two domains created using the phishing kit detected by the experts.

Interpol’s work was made easier by the collaboration of Group-IB, which used a patented tool to detect other elements of the cybercriminal infrastructure from the information collected up to that point. In addition, investigators detected five other email addresses associated with the defendant, plus six more nicknames and usernames on Instagram, Facebook, Skype and WhatsApp.

Experts discovered that Dr. Hex was able to create around 130 malicious websites, and they found posts associated with these campaigns on hundreds of websites. Group-IB also suggests that Dr. Hex actively participated in multiple cyberattacks aimed at stealing confidential information from bank customers.

The joint operation allowed Moroccan authorities to arrest the accused, who faces cybercrime charges in multiple countries.
