HexDex
HexDex is a threat actor associated with a series of data breach and data sale claims targeting French public institutions, sports federations, and private-sector organizations.
French authorities arrested a 20-year-old suspect in western France in an investigation led by the cybercrime unit of the Paris prosecutor’s office; prosecutors said the suspect admitted using the HexDex alias to claim responsibility for hacks and to publish stolen data on BreachForum and Darkforum. Authorities linked the actor to dozens of breaches, with local media reporting roughly 100 website breach reports since late 2025, and alleged victims including multiple French national sports federations, food banks, Logis Hôtels France, Brit Hotel, the Philharmonie de Paris, and the French Ministry of National Education’s Compas database. Investigators also suspect involvement in a breach of a government firearms information system. In the Compas incident, exposed data reportedly included names, addresses, phone numbers, and employee absence records affecting about 243,000 employees, mostly teachers.
HexDex has been specifically named in breach sale listings involving French organizations including the Federation Francaise de Basket-Ball (FFBB), Allopneus, Airsoft-Entrepot, and Therapeutes.com. In the FFBB case, the actor claimed to be selling data on approximately 1.9 million members and about 800,000 parents, including personal, contact, federation, medical, physical, and parental information, including records tied to minors. In the Allopneus case, HexDex claimed to be selling customer data including hundreds of thousands of customer profiles, phone numbers, and email addresses. In the Airsoft-Entrepot case, the actor claimed to be selling more than 10 database files spanning customer, order, invoice, supplier, delivery, accounting, B2B order, and warehouse or inventory data. In the Therapeutes.com case, HexDex claimed to be selling patient and appointment records, including especially sensitive consultation and therapy-reason fields.
Across the reporting, HexDex is described as advertising stolen datasets for sale, typically on a make-offer basis, providing proof links and sample data, and using qTox and Session for buyer negotiations; one report also states the actor recommended escrow. Reported ATT&CK mappings in the source material include exploitation of public-facing applications, collection from information repositories, gathering victim identity data such as email addresses, possible use of valid accounts, access to cloud-stored data, and exfiltration over web services. No nation-state attribution is stated in the provided content. Known alias in the content: hexdex.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Consumer Services
- Food, Beverage & Tobacco
- Government & Administration
- Academia & Research
Where they target
Geographies tied to known operations.
- 🇫🇷 France
Where they're from
Attributed origin per open-source reporting.
- FR
Tradecraft
10 distinct techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
- Allegedly responsible for dozens of data breaches in France, claiming responsibility for hacks and publishing stolen data on cybercrime marketplaces including BreachForum and Darkforum. Targets included public institutions, sports federations, private organizations, and government databases.
- Conducting data breach and data sale operations targeting French organizations, including the French Basketball Federation, and monetizing stolen personal data.
- Selling allegedly stolen databases from Airsoft-Entrepot, including customer, order, invoice, supplier, delivery, accounting, B2B order, and warehouse/inventory data.
- Advertising and selling allegedly stolen customer data from Allopneus, including customer profiles, email addresses, phone numbers, and likely purchase/service history and delivery addresses.