
Moroccan police have arrested a suspect who, under the nom de guerre ‘Dr HeX’, ran a long-running series of credit card phishing frauds targeting the customers of French banks, telecoms, and multinational corporations.
The arrest marked a milestone in a two-year investigation, dubbed ‘Operation Lyrebird’.
The starting point of the research to identify and deanonymize the alleged cybercriminal was the extraction of a phishing kit exploiting the brand of a large French bank.
Scripts contained in the phishing kit carried their creator’s handle, Dr HeX, and a contact email address that was reused for other purposes across the web.
According to the DNS data analysis, this name was used to register at least two domains, which were created using the email from the phishing kit. A total of five email addresses associated with the accused were identified, along with six nicknames, and his accounts on Skype, Facebook, Instagram, and YouTube.
The suspect was involved in attacks on 134 websites from 2009 to 2018, leaving behind his signature name on the target web pages. Further analysis of Dr HeX’s digital footprint revealed his association with other malicious activities, including posts on several underground forums related to malware development.