Suspected hacker Dr HeX arrested over cybercrime, bank fraud impacting thousands

Moroccan police tracked down the alleged criminal following an Interpol investigation.
Written by Charlie Osborne, Contributing Writer

Law enforcement has arrested an individual suspected of being a prolific cybercriminal responsible for phishing, carding, and bank fraud. 

On Tuesday, Interpol and Group-IB revealed the results of a two-year probe into "Dr HeX," a target of Interpol's Operation Lyrebird, leading to a suspect being apprehended in May with the help of Moroccan police.

Interpol has accused the miscreant of prolific cybercrime, including phishing campaigns targeting French speakers and widespread website defacement.

He is also suspected of developing and selling phishing exploit kits, used to steal the financial details of victims and to conduct financial fraud, on underground forums.  

Dr HeX reportedly impersonated online banking services to lure unwitting visitors into submitting their account credentials and was also involved in the carding industry -- the sale and use of credit card information without the owner's consent.

In addition, the alleged cybercriminal targeted French-speaking telecom firms, numerous banks in the country, and enterprise companies with attacks designed to distribute malware. 

The individual, as of yet unnamed, is being accused of targeting "thousands of unsuspecting victims over several years."

Cybersecurity firm Group-IB, a member of the Project Gateway initiative -- a collaborative effort between Interpol and private sector organizations to tackle cybercrime -- was heavily involved in the investigation

Group-IB has actively monitored the activities of Dr HeX, which allegedly included attacks on 134 websites between 2009 and 2018. 

The firm used signatures left on the defaced domains, together with a phishing kit containing the same Dr HeX brand -- and a contact email -- to map out the cybercriminal's activities and to help track the suspect down. 

Further investigation led to the discovery of a YouTube channel and connections to an Arabic crowdfunding platform. The team then found two domains registered with the same email address included in the phishing kit, and overall, a total of five email accounts, six nicknames, and the suspect's YouTube, Facebook, Instagram, and Skype accounts were discovered.

"Group-IB analysts have also found the cybercriminal's posts on several popular underground platforms intended for malware trading that indicate the latter's involvement in malware development," the company added.

The suspect, a citizen of Morocco, is now under investigation for his alleged criminal activities. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards