Moroccan Hacker Arrested by Interpol in “Operation Lyrebird”
The Threat Actor Responsible for Targeting Thousands of Unwitting Victims Over Several Years and Staging Multiple Malware Attacks Was Apprehended.
Law enforcement authorities and Interpol have arrested the hacker responsible for hacking telecom companies, major banks, and multinational corporations in France, in an investigation dubbed “Operation Lyrebird”.
The investigation lasted for two years and resulted in the arrest of a Moroccan citizen nicknamed Dr HeX.
Dr HeX appears to have been active since at least 2009 and is held responsible for a number of cybercrimes, including phishing, defacing, malware development, fraud, and carding, that resulted in thousands of unsuspecting victims.
The cyberattacks in which Dr HeX was involved worked by deploying a phishing kit consisting of web pages that spoofed banking entities in the country.
This was followed by mass emails that mimicked the targeted companies and prompted recipients to enter their login information on the rogue website. Once the unsuspecting victims entered their credentials on the fake web page, the credentials were forwarded to the perpetrator’s email.
The phishing kits were apparently also “sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims,” according to a statement provided by Interpol.
Acting under the signature name of ‘Dr Hex’, the suspect is believed to have targeted thousands of unsuspecting victims over several years through global phishing, fraud and carding activities involving credit card fraud.
He is also accused of defacing numerous websites by modifying their appearance and content, and targeting French-speaking communications companies, multiple banks and multinational companies with malware campaigns.
The suspect also allegedly helped develop card and phishing kits, which were then sold to other individuals through online forums to allow them to facilitate similar malicious campaigns against victims.
These were then used to impersonate online banking facilities, allowing the suspect and others to steal sensitive information and defraud trusting individuals for financial gain, with the losses of individuals and companies published online in order to advertise these malicious services.
Under Operation Lyrebird, INTERPOL’s Cybercrime Directorate worked closely with Group-IB and with Moroccan Police via the INTERPOL National Central Bureau in Rabat to eventually locate and apprehend the individual, who remains under investigation.
The scripts in the phishing kits sold by the hacker included the name Dr HeX and the individual’s contact email address. These materials eventually allowed the cybercriminal to be identified and deanonymized.
Dr HeX’s digital footprint left a tell-tale trail of malicious activity stretching from 2009 to 2018. In that period the hacker defaced no fewer than 134 web pages and created a large number of posts on different underground forums devoted to malware trading, leaving evidence of his involvement in attacks on French corporations to steal financial information.