French Police Arrest HexDex Over Wave of Data Breaches Across France
French authorities arrested a 20-year-old suspect known online as HexDex in western France over a broad hacking campaign that prosecutors say is tied to about 100 breach reports filed since late 2025. Investigators said the suspect admitted using the HexDex alias to claim responsibility for intrusions and to publish or repost stolen data on BreachForum and Darkforum. Police also seized the suspect’s Darkforum account and computer equipment, while forensic analysis and the wider investigation continue.
The alleged victims span public institutions, sports federations, and private organizations across France, including multiple national sports bodies, Logis Hôtels, Brit Hotel, the Philharmonie de Paris, food banks, the Moselle prefecture, and e-campus, a training platform used by the national police. Prosecutors also linked the case to the French Ministry of National Education’s Compas database, where a March breach exposed personal data belonging to about 243,000 employees, and said the suspect is also under scrutiny over a breach involving a government firearms information system. Authorities said a separate cyberattack on France Titres detected on April 15 is not currently being attributed to the suspect.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
HexDex indicted and placed in pretrial detention
On 2026-04-23, French prosecutors indicted the suspected hacker known as HexDex on six charges related to the fraudulent extraction, possession, and transmission of personal data from state systems. Authorities also placed him in pretrial detention following his arrest the previous day.
Authorities seize suspect's Darkforum account and devices
Following the arrest, investigators seized the suspect’s Darkforum account and computer equipment for forensic analysis. Authorities said the broader investigation remains ongoing, including suspected links to other government-system breaches.
French police arrest suspected hacker 'HexDex' in Vendée
On April 22, 2026, French police arrested a 20-year-old suspect in western France in connection with the breach campaign. Prosecutors said he admitted using the HexDex alias to claim responsibility for stolen data leaks posted on BreachForum and Darkforum.
HexDex detained while allegedly preparing new data leak
French authorities reportedly detained the suspect known as HexDex on 2026-04-20 as he was allegedly preparing to publish additional stolen data online. The detention preceded his formal arrest announcement and later indictment in the broader French data-theft investigation.
France Titres detects separate cyberattack
French authorities said France Titres detected a cyberattack on April 15, 2026. Officials stated that this incident is not currently being linked to the HexDex suspect.
March breach exposes data from Education Ministry Compas database
In March 2026, an attack on the French Ministry of National Education’s Compas database exposed personal data belonging to about 243,000 employees. Authorities later linked this breach to the broader HexDex investigation.
Wave of French data-exfiltration incidents begins
French investigators said they received about 100 reports of data exfiltration incidents tied to the case starting on December 19, 2025. The breaches affected a range of French organizations, including public institutions, sports federations, hotel groups, and cultural entities.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
9 references tracked. Mallory keeps watching after this page renders.
French police arrest hacker ‘HexDex’ for alleged widespread data theft | brief | SC Media
scworld.com
Open sourceAprès une centaine de victimes, le tonitruant pirate " HexDex " a ...
zdnet.fr
Open sourceFrench Police Arrest HexDex Hacker Over Mass Data Theft and Leaks
hackread.com
Open sourceHacker with a special interest in breaching sports institutions ends behind bars - Help Net Security
helpnetsecurity.com
Open sourceFuite de données : la France arrête le hacker responsable de l'explosion des cyberattaques
01net.com
Open source" Hexdex ", un jeune hacker de 21 ans, soupçonné de cyberattaques massives, notamment contre des fédérations sportives, arrêté - Le Parisien
leparisien.fr
Open sourceFrench police arrest suspected hacker behind dozens of data breaches | The Record from Recorded Future News
therecord.media
Open sourceInterview de HexDex, le pirate qui secoue le web francophone - ZATAZ.COM
zataz.com
Open sourceFrench police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches
bitdefender.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
HexDex Lists Stolen Customer and Operational Data From French Retailers
Threat actor **HexDex** has claimed breaches at two French e-commerce companies and is offering the allegedly stolen data for sale. One listing targets **Airsoft-Entrepot**, where the actor says it obtained more than 10 database files covering 2013 to 2026, including roughly **383,000 customer profiles**, **328,000 email addresses**, **243,000 phone numbers**, and **333,000 full address records**. The exposed material reportedly goes beyond customer PII to include **orders, invoices, supplier data, delivery history, accounting records, B2B orders, and warehouse or inventory information**, suggesting compromise of both customer-facing and back-office systems. A second listing targets **Allopneus**, a major French online tire retailer, with HexDex claiming to hold data spanning 2014 to 2026 for **453,299 customers** across **739,316 records**, including **513,089 phone numbers** and **453,299 email addresses**. The actor reportedly published proof links, sample records, and 1,000-line excerpts for both datasets while soliciting offers through underground channels. If authentic, the disclosures would expose large volumes of customer contact data and purchase-related information, while the Airsoft-Entrepot cache could also reveal sensitive supplier, financial, and logistics details that increase fraud, phishing, and business intelligence risks.
Mar 23, 2026
France Titres Breach Exposed Up to 19 Million Identity Records
France Titres, the French agency formerly known as ANTS and responsible for identity and registration documents, confirmed a breach of its `ants.gouv.fr` portal after threat actor **breach3d** advertised a trove of stolen records for sale on cybercrime forums. The agency said the compromised data may include login IDs, full names, email addresses, dates and places of birth, account identifiers, and in some cases postal addresses and phone numbers from both individual and professional accounts. Other reporting on the sale listings said the dataset could contain 18 million to 19 million records, including fields indicating government-verified identities, raising the risk of phishing, social engineering, and identity fraud if the claims are fully accurate. French authorities said unusual activity was identified in mid-April and launched parallel technical and judicial investigations involving **ANSSI**, **CNIL**, the Paris Public Prosecutor, and anti-cybercrime investigators. Prosecutors later announced the arrest of a 15-year-old suspect in connection with the case after records linked to the agency were allegedly offered for sale online, and said the inquiry covers unauthorized access, persistence, and extraction of personal data from a state-operated system. France Titres has notified affected individuals and said the stolen information does not provide direct access to user accounts or the portal itself, while warning citizens to remain alert for follow-on scams and impersonation attempts.
May 25, 2026
French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its `Compass` platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about **243,000 people**, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on **multi-factor authentication**, stronger data segmentation, and reduced application exposure. Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about **1.5 million people**. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves **"Ryolait"** allegedly offered the stolen database for sale starting at **$2,000**. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
Mar 26, 2026