A 22-year-old man suspected of operating under the handle "Hexdex" has been taken into custody in Vendée, France, following roughly one hundred complaints tied to mass data exfiltration incidents. The Paris prosecutor's office confirmed the arrest on Wednesday, linking the suspect to breaches at the Ministry of Sports, the Ministry of National Education, sporting federations, major trade unions, and a national firearms registry database.
What Happened
French investigators placed the suspect, born in 2004, in garde à vue after a cascade of signalements that began arriving at the Paris prosecutor's office on December 19, 2025. The investigation was opened under statutes covering "atteintes à un système de traitement automatisé de données" (offenses against automated data processing systems). The suspect reportedly acknowledged use of the Hexdex pseudonym during questioning. Prosecutors stated that Hexdex is affiliated with BreachForums, the successor marketplace for trafficking stolen datasets. Notably, authorities have ruled Hexdex out as the perpetrator of the separate April 15, 2026 ANTS (Agence nationale des titres sécurisés) breach, indicating the French threat landscape currently hosts multiple concurrent actors targeting state systems.
What Was Taken
Across the hundred-plus reported incidents, the exfiltrations span several high-sensitivity datasets:
- Records from the Ministry of Sports information systems, tied to a December 2025 incident that reportedly touched millions of households.
- Licensee data from French sporting federations, including the Fédération Française de Rugby, which confirmed a cyberattack in March 2026 exposing registered members.
- Data from the national firearms information system (système d'information sur les armes), a registry of private firearm holders.
- Credentials and records from e-campus, the Ministry of National Education's digital platform for staff.
- Data belonging to members of major French trade unions, including CFDT and FO.
Volumes for each individual leak have not been fully disclosed, but the breadth across government, education, union, and federation datasets points to both personal identifiers and sensitive membership information being funneled toward resale markets.
Why It Matters
Hexdex represents a recurring archetype defenders are now confronting at scale: the young, solo, forum-embedded operator who sustains a high-cadence breach pipeline across weakly hardened public-sector targets. The dataset mix is particularly concerning: a firearms registry combined with union membership lists and education staff records gives downstream buyers material for targeted phishing, doxxing, extortion, and physical-world social engineering. The December 2025 to April 2026 timeline also shows how a single actor can accumulate a national-scale victim portfolio within four months when public-sector hardening lags. The arrest removes one node, but the BreachForums resale ecosystem that monetized the stolen data remains intact.
The Attack Technique
French authorities have not publicly disclosed the intrusion vectors used across the Hexdex incidents. The diversity of victims (ministries, federations, unions, a firearms registry, and an education platform) suggests opportunistic targeting rather than a single supply-chain pivot, consistent with patterns seen from BreachForums-aligned actors who typically rely on exposed credentials, misconfigured web applications, SQL injection against public portals, and credential stuffing against staff authentication endpoints. Attribution was reportedly supported by the suspect's own operational links to the BreachForums listing infrastructure where the data was advertised for sale.
What Organizations Should Do
- Audit any public-facing staff or member portals (e-campus-style platforms, federation licensee systems, union member areas) for authentication weaknesses, exposed admin endpoints, and injection vulnerabilities.
- Enforce MFA on all staff and administrative accounts, particularly for systems storing membership rosters or regulated registries such as firearms records.
- Monitor BreachForums and adjacent leak markets for listings referencing your organization, sector, or domain, and feed indicators into takedown and notification workflows.
- Segment high-sensitivity registries (firearms, education staff, union membership) from general-purpose web applications, and treat them as crown-jewel datasets requiring separate access controls and logging.
- Run credential-exposure checks against staff email domains and rotate any credentials that appear in third-party leak corpora.
- Prepare breach notification templates and regulator contact workflows in advance; French CNIL timelines leave little room for improvisation once exfiltration is confirmed.