Operation Lyrebird Leads to the Arrest of Moroccan Hacker “Dr. Hex”

Written by Bill Toulas
Last updated September 28, 2021

Interpol has received valuable information from Group-IB and managed to locate and arrest a Moroccan hacker using the nickname “Dr. Hex” (among others). The person is considered responsible for multiple cyber-attacks against French banks, French IT firms, and several high-profile organizations in the European country. The main trick used by the hacker was a phishing kit with which he created several phishing websites to steal valuable bank system user credentials.

Group-IB managed to analyze this kit and investigated the email address hardcoded in it. Using this lead, the researchers found a YouTube channel that contained links to an Arabic crowd-funding platform. This, in turn, led to a full name, and then to a DNS analysis, then to another two domains registered under that name. Eventually, the circle was closed by discovering the website had been built using the same phishing kit.

The researchers connected the hacker with five more email addresses, found infrastructure traces, linked him with specific campaigns, and also found more accounts on YouTube, Facebook, Instagram, and Skype, all belonging to him. Having a complete record of his digital footprint spanning from 2009 to 2018, Interpol was able to coordinate with the Moroccan police and arrested the suspect last month.

As Group-IB’s CTO, Dmitry Volkov, stated about this success:

Having zero tolerance for cybercrime, Group-IB has always stressed its focus not only on protecting our customers against cyberattacks but also on identifying perpetrators behind them to ensure that they’re duly punished. The ‘Lyrebird’ operation is yet another example of strong coordinated cooperation between international law enforcement agencies, regional police, and cybersecurity players. These are international cooperation, data exchange, and the long-standing experience in cyber investigations that help Group-IB lead its work to a logical conclusion — bring cybercriminals to justice.

“Dr. Hex” is now facing several charges relating to 130 website defacements, phishing, malware development, fraud, and carding activities that affected thousands of victims. This should incur several years in prison as well as a hefty fine for the man.

Back in March 2020, we covered a similar story about a careless Moroccan hacker targeting large French firms using an email address connected to his real identity, his physical business, and several social media accounts. Maybe OpSec mishandling is a thing among Moroccan hackers, as the two don’t appear to be linked in any way.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: