The recent Operation Lyrebird has identified a threat actor believed to be responsible for multiple cybercrimes. The same threat actor was allegedly responsible for attacks on French telecommunications companies.

What has happened?

Interpol’s Cybercrime Directorate, with the help of Group-IB and the Moroccan Police, located and arrested the suspect, who is now under investigation. He had been actively involved in cybercrime in several regions for years.
  • Group-IB’s research to identify the threat actor started with the extraction of a phishing kit used to abuse French banks.
  • The alleged threat actor, dubbed Dr. HeX, lives in Morocco. He was arrested in May by the Moroccan police, based on information about his cybercrimes.
  • He has been active since 2009 and is reported to be behind numerous cybercrimes, such as malware development, carding, phishing, fraud, and website defacement, which ultimately affected thousands of victims.
  • The arrested suspect was responsible for attacking 134 websites between 2009 and 2018. After attacking a website, he left his signature name on its web pages.

How did agencies track him?

Dr. HeX used a phishing kit in almost every attack, and its scripts carried their creator’s nickname, which aligns with the contact email address. This email address was used to identify the culprit.
  • The contact email address enabled analysts to discover the attacker’s YouTube channel. The channel was registered under Dr. HeX’s name.
  • Further investigation revealed his malicious infrastructure, five additional email addresses, digital footprint, and name on underground platforms for malware trading.
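
The pivot described above, sketched as an added example (not Group-IB's tooling and not from the original article): a Python triage script that pulls email addresses and author credits out of a phishing kit archive and ranks addresses whose local part matches a credited handle. The kit contents, file names, handle and addresses are constructed placeholders, and the credit patterns are assumptions about how kit authors sign their scripts.

```python
import io, re, zipfile
from collections import defaultdict

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed credit formats found in script comments: "coded by X", "author: X".
CREDIT_RE = re.compile(r"(?:coded|made|created)\s+by[:\s]+([\w.\-]+)|author[:\s]+([\w.\-]+)", re.I)

def _norm(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())  # compare handles ignoring punctuation/case

def extract_indicators(kit_bytes):
    """Map each email address and credited handle to the kit files containing it."""
    emails, handles = defaultdict(set), defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(kit_bytes)) as kit:
        for info in kit.infolist():
            if info.is_dir() or info.file_size > 2_000_000:
                continue  # skip directories and oversized members (never executed, only read)
            text = kit.read(info).decode("utf-8", errors="replace")
            for addr in EMAIL_RE.findall(text):
                emails[addr.lower()].add(info.filename)
            for m in CREDIT_RE.finditer(text):
                handles[(m.group(1) or m.group(2)).lower()].add(info.filename)
    return emails, handles

def attribution_leads(kit_bytes):
    """Rank emails: those matching a credited handle first, then by number of files."""
    emails, handles = extract_indicators(kit_bytes)
    leads = []
    for addr, files in emails.items():
        local = _norm(addr.split("@")[0])
        matched = [h for h in handles if _norm(h) and _norm(h) in local]
        leads.append({"email": addr, "files": sorted(files), "handles": sorted(matched)})
    return sorted(leads, key=lambda d: (-len(d["handles"]), -len(d["files"]), d["email"]))

def build_sample_kit():
    """Constructed sample kit; every name and address here is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("login.php", "<?php // Coded by ExampleHandle\n$to = 'example.handle@mail.example';\n")
        z.writestr("send.php", "<?php /* author: ExampleHandle */\nmail('example.handle@mail.example', $s, $b);\n")
        z.writestr("css/style.css", "/* support@bank.example */ body{margin:0}\n")
    return buf.getvalue()

if __name__ == "__main__":
    for lead in attribution_leads(build_sample_kit()):
        print(lead)
```

An address that recurs across scripts and matches the credited handle is a lead for further pivoting, while addresses copied from the impersonated brand's page (the `support@` entry here) sort to the bottom.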

Conclusion

The threat actor was active for more than a decade and carried out numerous cyberattacks in multiple regions. Therefore, this arrest comes as a breath of fresh air for the security community. The suspect is under investigation and more details may emerge in the future, which may be helpful for the security community.
Cyware Publisher
