Dr Hex has been active for several years and used phishing, credit card fraud, and malware attacks to target a number of victims in France as part of a worldwide operation to steal money from big companies, telecom companies, and banks, according to The Hacker News.
According to media reports, the investigation known as Operation Lyrebird resulted in the detention of a Moroccan man who goes by the pseudonym Dr. HeX. Cybersecurity firm Group-IB released a report detailing the findings of the investigation.
During the cyberattacks, the bad actor used phishing kits consisting of web pages that imitated legitimate financial entities. Numerous victims fell into the rogue websites’ traps by entering login credentials, which were subsequently transferred to the cybercriminal’s email address. At least three unique phishing kits have been uncovered, all apparently produced by the threat actor.
Scam websites were created to look exactly like legitimate ones
Luckily, the phishing kits included his email address, full name, and address, as well as a URL that was used by Interpol to identify and de-anonymize the cybercriminal. Interpol suspects that the kits were sold to third parties as well.
Other noteworthy details that led to his arrest included a YouTube channel and a name that he used to register a minimum of two fake domain names. Group-IB claims to have tracked down the infrastructure, malware and linked accounts that have been used in several phishing efforts.
Interpol stated, “These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services.”
Over nine years (2009 – 2018), Dr Hex’s digital shadow left traces of malicious activity, ranging from the defacement of 134 web pages to posts published by the hacker on various hacking forums.