The story of EncryptHub, who breached 600 companies but slipped up in chats with ChatGPT.

Swedish cybersecurity experts have uncovered an unusual case of a hacker leading a double life—balancing a legitimate tech career with cybercrime. Just last month, he received official recognition from Microsoft for discovering two critical vulnerabilities in Windows. However, as revealed by Outpost24's KrakenLabs, he was also secretly developing malicious software.
The two reported vulnerabilities are serious. The first (CVE-2025-24061) allowed an attacker to bypass the Mark-of-the-Web security mechanism and received a high CVSS score of 7.8. The second (CVE-2025-24071), rated 6.5, enabled spoofing attacks in Windows File Explorer. In Microsoft’s vulnerability database the researcher is credited as "SkorikARI with SkorikARI", but he is better known online as EncryptHub.
Ten years ago, he left his native Kharkiv and settled on the Romanian coast. There, the future hacker taught himself computer science through online courses, hoping to land a job in IT. After several failed attempts to profit from bug bounty programs, he turned to creating malware.
His first major project was Fickle Stealer—an info-stealer written in Rust, discovered by Fortinet FortiGuard in June 2024. In a recent interview with researcher g0njxa, the author proudly described his creation: the program bypasses corporate security systems and works even in environments where other tools such as StealC or Rhadamanthys fail. The malware is distributed to a select group of clients and is now embedded in the author's new tool, EncryptRAT.
“We managed to link Fickle Stealer to one of EncryptHub’s older aliases,” explains Lydia Lopez, lead analyst at Outpost24. “Furthermore, one of the domains used in that malware campaign matched infrastructure he used for legitimate freelance work. Our analysis suggests his criminal activity began around March 2024. Fortinet’s June report was the first public mention of these actions.”
By mid-2024, the hacker launched another large-scale campaign. He created a fake website mimicking the popular archiving software WinRAR to distribute malware through a GitHub repository. In recent weeks, researchers found that he’s exploiting a new zero-day vulnerability in Microsoft Management Console (CVE-2025-26633). This flaw, rated 7.0 and dubbed MSC EvilTwin, is used to deploy info-stealers and previously unknown backdoors SilentPrism and DarkWisp.
The scale of his attacks is considerable. According to PRODAFT, within nine months he compromised over 618 high-value targets across various industries. Lopez notes:
“All evidence suggests a single individual is behind this. However, we can’t rule out the possibility of collaboration with other hackers. One Telegram channel used to track infection stats had another user with admin rights.”
EncryptHub's own mistakes helped track him down. He occasionally infected himself by accident, revealing more details about his infrastructure and tools. He heavily relied on ChatGPT—not just for writing code, but also to translate messages and emails. He even had confessional-style conversations with the AI, openly sharing details of his activities.
The story of EncryptHub illustrates that even highly skilled cybercriminals often make basic mistakes. Reusing passwords, unsecured infrastructure, and mixing personal and criminal activities ultimately led to his exposure. What happens next remains to be seen.