Interpol Arrests Moroccan Hacker Engaged in Phishing Attacks


As part of a global phishing and credit card fraud scheme, law enforcement authorities with Interpol apprehended a threat actor responsible for targeting thousands of unwitting victims over several years and staging malware attacks on telecom companies, major banks, and multinational corporations in France. According to a report published on 6th July by cybersecurity firm Group-IB, the two-year investigation, called Operation Lyrebird by the international, intergovernmental group, resulted in the arrest of a Moroccan citizen nicknamed Dr HeX.

According to the cybersecurity firm, Dr HeX has been "active since at least 2009 and is responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding that resulted in thousands of unsuspecting victims." The cyber-attacks included the use of a phishing kit that included online pages that spoofed banking firms in the country, as well as mass emails that imitated the targeted companies and asked users to enter login credentials on the rogue website. 

The credentials submitted by unwitting victims on the phoney web page were then forwarded to the perpetrator's email address. At least three separate phishing kits were discovered, all of which were apparently created by the threat actor. The phishing kits were also "sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims," Interpol said in a statement. "These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services." 

The name Dr HeX and the individual's contact email address were included in the phishing kit scripts, which allowed the cybercriminal to be identified and deanonymized, revealing a YouTube channel as well as another name used by the adversary to register at least two fraudulent domains used in the attacks. Furthermore, Group-IB claimed it was able to link the email address to the accused's malicious infrastructure, which includes up to five email addresses, six nicknames, and accounts on Skype, Facebook, Instagram, and YouTube. 

Dr Hex's digital footprint left a tell-tale trail of malicious activities between 2009 and 2018, during which the threat actor defaced 134 web pages, as well as posts created by the attacker on various underground forums devoted to malware trading and evidence suggesting his involvement in attacks on French corporations to steal financial information.