Suspected Cyber-Criminal "Dr Hex" Tracked Down Via Phishing Kit

Security researchers have revealed how patient detective work enabled them to trace and identify a suspected prolific cyber-criminal, who was finally arrested in May.

A two-year investigation into the individual, who often went by the online moniker “Dr Hex,” ended when Interpol’s Operation Lyrebird swooped on the man in Morocco earlier this year.

Group-IB’s Threat Intelligence team claimed the individual was active since 2009 and allegedly responsible for phishing, defacing, malware development, fraud, and carding, resulting in thousands of unsuspecting victims. These included customers of French telecoms companies, banks and other multinationals.

The trail began when the threat intelligence team identified and deanonymized a phishing kit that was used to target a French bank. It found that almost every script used in the kit featured the name “Dr Hex” and an email address.

That email led them to a YouTube channel signed up under the same name, and in turn to an Arabic crowdfunding platform, which revealed another name associated with the individual. This name was apparently used to register two domains created using the email from the phishing kit.

“Using its patented graph network analysis technology, Group-IB researchers built a network graph, based on the email address from the phishing kit, that showed other elements of the threat actor’s malicious infrastructure employed by him in various campaigns along with his personal pages,” Group-IB said.

“A total of five email addresses associated with the accused were identified, along with six nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.”

Further analysis of this digital footprint revealed that from 2009 to 2018, the threat actor defaced over 130 web pages while also posting on underground platforms — indicating he was involved in malware development.

The research helped Interpol and Moroccan police finally track down the individual.

“This is a significant success against a suspect who is accused of targeting unsuspecting individuals and companies across multiple regions for years, and the case highlights the threat posed by cybercrime worldwide,” comments Interpol executive director of police services, Stephen Kavanagh.

“The arrest of this suspect is down to outstanding international investigative work and new ways of collaboration both with Moroccan police and our vital private sector partners such as Group-IB.”

What’s Hot on Infosecurity Magazine?