French Police Arrest HexDex Over Wave of Data Breaches Across France
French authorities arrested a 20-year-old suspect known online as HexDex in western France over a broad hacking campaign that prosecutors say is tied to about 100 breach reports filed since late 2025. Investigators said the suspect admitted using the HexDex alias to claim responsibility for intrusions and to publish or repost stolen data on BreachForum and Darkforum. Police also seized the suspect’s Darkforum account and computer equipment, while forensic analysis and the wider investigation continue.
The alleged victims span public institutions, sports federations, and private organizations across France, including multiple national sports bodies, Logis Hôtels, Brit Hotel, the Philharmonie de Paris, food banks, the Moselle prefecture, and e-campus, a training platform used by the national police. Prosecutors also linked the case to the French Ministry of National Education’s Compas database, where a March breach exposed personal data belonging to about 243,000 employees, and said the suspect is also under scrutiny over a breach involving a government firearms information system. Authorities said a separate cyberattack on France Titres detected on April 15 is not currently being attributed to the suspect.
Timeline
Apr 23, 2026
HexDex indicted and placed in pretrial detention
On 2026-04-23, French prosecutors indicted the suspected hacker known as HexDex on six charges related to the fraudulent extraction, possession, and transmission of personal data from state systems. Authorities also placed him in pretrial detention following his arrest the previous day.
Apr 22, 2026
Authorities seize suspect's Darkforum account and devices
Following the arrest, investigators seized the suspect’s Darkforum account and computer equipment for forensic analysis. Authorities said the broader investigation remains ongoing, including suspected links to other government-system breaches.
Apr 22, 2026
French police arrest suspected hacker 'HexDex' in Vendée
On April 22, 2026, French police arrested a 20-year-old suspect in western France in connection with the breach campaign. Prosecutors said he admitted using the HexDex alias to claim responsibility for stolen data leaks posted on BreachForum and Darkforum.
Apr 20, 2026
HexDex detained while allegedly preparing new data leak
French authorities reportedly detained the suspect known as HexDex on 2026-04-20 as he was allegedly preparing to publish additional stolen data online. The detention preceded his formal arrest announcement and later indictment in the broader French data-theft investigation.
Apr 15, 2026
France Titres detects separate cyberattack
French authorities said France Titres detected a cyberattack on April 15, 2026. Officials stated that this incident is not currently being linked to the HexDex suspect.
Mar 1, 2026
March breach exposes data from Education Ministry Compas database
In March 2026, an attack on the French Ministry of National Education’s Compas database exposed personal data belonging to about 243,000 employees. Authorities later linked this breach to the broader HexDex investigation.
Dec 19, 2025
Wave of French data-exfiltration incidents begins
French investigators said they received about 100 reports of data exfiltration incidents tied to the case starting on December 19, 2025. The breaches affected a range of French organizations, including public institutions, sports federations, hotel groups, and cultural entities.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Sources
4 more from sources like leparisien.fr, the record media, zataz.com and bitdefender blog
Related Stories
HexDex Lists Stolen Customer and Operational Data From French Retailers
Threat actor **HexDex** has claimed breaches at two French e-commerce companies and is offering the allegedly stolen data for sale. One listing targets **Airsoft-Entrepot**, where the actor says it obtained more than 10 database files covering 2013 to 2026, including roughly **383,000 customer profiles**, **328,000 email addresses**, **243,000 phone numbers**, and **333,000 full address records**. The exposed material reportedly goes beyond customer PII to include **orders, invoices, supplier data, delivery history, accounting records, B2B orders, and warehouse or inventory information**, suggesting compromise of both customer-facing and back-office systems. A second listing targets **Allopneus**, a major French online tire retailer, with HexDex claiming to hold data spanning 2014 to 2026 for **453,299 customers** across **739,316 records**, including **513,089 phone numbers** and **453,299 email addresses**. The actor reportedly published proof links, sample records, and 1,000-line excerpts for both datasets while soliciting offers through underground channels. If authentic, the disclosures would expose large volumes of customer contact data and purchase-related information, while the Airsoft-Entrepot cache could also reveal sensitive supplier, financial, and logistics details that increase fraud, phishing, and business intelligence risks.
1 months ago
French Education Breaches Expose Data on 1.7 Million People
French education authorities disclosed two significant breaches affecting both public and Catholic school administration systems. The Ministry of National Education said its `Compass` platform, used to manage trainee teachers in primary and secondary education, was compromised after a user reportedly opened a fraudulent email attachment and had credentials stolen. The incident exposed data on about **243,000 people**, including identity and contact details, absence periods, and the identities and professional phone numbers of tutors, though the ministry said no health data was involved. ANSSI was brought in, a crisis cell was opened, and the ministry announced a security plan centered on **multi-factor authentication**, stronger data segmentation, and reduced application exposure. Separately, the Secrétariat général de l’enseignement catholique reported a cyberattack on its management application for nursery and elementary schools that affected about **1.5 million people**. Unauthorized access exposed identification data for application users and contact information for students, families, and teachers, including names, postal and email addresses, phone numbers, and dates of birth, increasing the risk of phishing. The organization said it secured access, suspended affected services, notified authorities including the French Ministry of Education, and engaged specialist responders, while a forum user calling themselves **"Ryolait"** allegedly offered the stolen database for sale starting at **$2,000**. The incidents add to mounting concern over weak security in the education sector, which ANSSI has described as a frequent target of opportunistic attacks.
1 months ago
French Football Federation Data Breach via Compromised Account
The French Football Federation (FFF) suffered a significant cyberattack in which threat actors exploited a compromised user account to access the federation’s administrative management software. This breach resulted in the theft of sensitive personal data belonging to over two million registered amateur football players and club members, including names, dates and places of birth, nationalities, postal and email addresses, phone numbers, and football license numbers. Financial data and passwords were reportedly not affected. Upon discovering the breach on November 20, 2025, the FFF immediately deactivated the compromised account, reset all user passwords, and secured its systems. The FFF has filed a formal complaint with French authorities and notified both the National Cybersecurity Agency (ANSSI) and the National Commission on Informatics and Liberty (CNIL). Affected individuals whose email addresses were exposed are being contacted directly, and the federation has urged all members to be vigilant against potential phishing attempts and scams leveraging the stolen data. This incident highlights the growing cyber risks faced by sports organizations and underscores the need for robust cybersecurity measures to protect large volumes of personal information managed by such entities.
1 months ago