Mister Spy’s Origin

Mister Spy started out defacing websites in the late 2010s, and between 2019 and 2022 they claimed an impressive ~19,000 defacements, as seen on their Zone-H profile.

Their associated GitHub profile, MisterSpyX, even boasts their high ranking on Zone-H:

Oftentimes, when such a large number of defacements is attained, it is done through the use of hacking tools that help automate the discovery and exploitation process.

Mister Spy Bot

Mister Spy Bot is a website exploitation attack tool created by Mister Spy and written in Python.

Mister-Spy-V7 is the last known version of this attack tool and is available on MisterSpyX’s own GitHub repository.

How It Works

Mister Spy Bot helps malicious users obtain unauthorized access to target websites by automating the exploitation of known CMS (mostly Joomla and WP) theme or plugin vulnerabilities.

The tool locally stores exploits and other code in multiple subdirectories that are called by the main.py script. In total there are over 25 separate Python files that can be run by main.py depending on what function the user selects. These allow for modularity and make it easier for additional functions to be added to the tool.

We can also see functions dedicated to providing data to the Olux marketplace which sells access to hacked websites, email accounts, and other compromised resources.

A successor to this style of attack tool, FoxAuto by Anonymous Fox, improves upon it by consolidating the code into one Python file and heavily obfuscating its Python code.

Mister Spy = Moetaz Brayek

How do we know that Moetaz Brayek is Mister Spy?

Well, surprisingly, Moetaz Brayek does nothing to hide the fact that they are linked to the Mister Spy alias.

We can see it clearly on his personal Facebook page:

And for some reason, he even puts the MisterSpyX GitHub on his resume.

Oftentimes I see malicious hackers who claim one or more of the following as their job roles:

  • full stack developer
  • security researcher
  • pen tester
  • programmer

Moetaz Brayek has all four of these roles mentioned across his personal GitHub and resume 😂😂😂

Additionally, Moetaz Brayek likes to use this specific quote on profile pages:

“I’m currently learning how to earn money by sleeping”

This, of course, makes it easy to find his other GitHub profiles that are using the same quote and are involved with similar Python and PHP malware.

During my writing of this post, Moetaz Brayek seems to have gone into damage control and has taken down his own Facebook page and also scrubbed the social media links from his GitHub profile: