The Double Life Of EncryptHub Revealed

A new report published by Outpost24 and written by Kraken Labs unveils the double life lived by up-and-coming threat actor EncryptHub, who has been linked to the breaching of 618 organizations to deploy ransomware and info stealers. The part-time threat actor is believed to have also reported two vulnerabilities to Microsoft as part of their other job as a bug hunter that collects on bug bounty programs.

The two vulnerabilities attributed to EncryptHub are CVE-2025-24061, known as Mark of the Web bypass, and CVE-2025-24071, known as a File Explorer spoofing vulnerability. Microsoft addressed these vulnerabilities during the March 2025 Patch Tuesday updates, acknowledging the bug reporter as "SkorikARI with SkorikARI."

Outpost24's report provides sufficient evidence that links the online personas of EncryptHub and SkorikARI to the same individual. Much of the evidence uncovered resulted from the individual's poor operational security, which gave security researchers an unprecedented look into the individual's double life.

Initially, the individual in question began their development career, as do many others, self-studying aspects of computer science. From there, they began to freelance as an app and web developer.

Possibly looking for a steadier income, the individual tried to gain traction in bug bounty programs but was unsuccessful. It was likely at this point that he turned to cybercrime, in 2024.

Security researchers present a conflicted individual, noting,

Despite his descent into a life of cybercrime, he didn't abandon his aspirations as a legitimate security researcher and his efforts eventually paid off. While writing this report, SkorikARI, another username used by EncryptHub, was acknowledged by MSRC (Microsoft Security Response Center) for the findings of CVE-2025-24071 and CVE-2025-24061, both very likely exploited in some of his campaigns

While indeed interesting, the peek into the individual's life is nothing compared to the evidence linking the bug hunter with the cybercriminal. One of the biggest mistakes made by EncryptHub was the reuse of passwords.

Researchers discovered a file exfiltrated by his malware showing 82 out of 200 accounts shared nearly identical passwords, with slight variations like a single character change or an extra letter at the end. To make matters worse, many of these passwords lacked complexity.

The reused passwords allowed access to EncryptRAT command-and-control domains, bulletproof hosting, registrars, SSL certificate providers, and cryptocurrency exchanges, among other things.
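The near-duplicate reuse described above (the same base password with one character changed or a letter appended) is exactly what a defender should be hunting for in their own credential inventory before an attacker does. The following is an added example, not code from the Outpost24 report or from PCrisk: it audits a constructed list of account/password pairs, groups passwords that are within a small edit distance of each other (so "Winter2024", "Winter2024!" and "winter2025" land in one group), and flags low-complexity entries. The account names and passwords are made up for illustration; the thresholds are assumptions.

```python
"""Audit a credential inventory for near-duplicate password reuse.

Constructed example for illustration; the account names, passwords and
thresholds below are assumptions, not data from any report.
"""
import string


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute = 1)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # delete from a
                           cur[j - 1] + 1,       # insert into a
                           prev[j - 1] + cost))  # substitute
        prev = cur
    return prev[-1]


def is_weak(pw: str, min_len: int = 12, passphrase_len: int = 16) -> bool:
    """Flag short passwords, and mid-length ones with fewer than 3 character classes.

    Long passphrases (>= passphrase_len) are accepted regardless of class mix.
    """
    if len(pw) < min_len:
        return True
    if len(pw) >= passphrase_len:
        return False
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    return classes < 3


def cluster_passwords(creds, max_distance: int = 2):
    """Group credential indexes whose passwords are near-identical.

    Comparison is case-insensitive so 'Winter2024' and 'winter2025' cluster
    together. A password joins a cluster if it is within max_distance of any
    member, so chains of small variations stay in one group.
    """
    clusters = []  # list of lists of indexes into creds
    for i, (_, pw) in enumerate(creds):
        for cluster in clusters:
            if any(levenshtein(pw.lower(), creds[k][1].lower()) <= max_distance
                   for k in cluster):
                cluster.append(i)
                break
        else:
            clusters.append([i])
    return clusters


def audit(creds, max_distance: int = 2) -> dict:
    """Summarise reuse groups and weak entries for a list of (account, password)."""
    clusters = cluster_passwords(creds, max_distance)
    reused = [c for c in clusters if len(c) > 1]
    return {
        "total": len(creds),
        "reused_accounts": sum(len(c) for c in reused),
        "reuse_groups": [[creds[i][0] for i in c] for c in reused],
        "weak_accounts": [acct for acct, pw in creds if is_weak(pw)],
    }


# Constructed sample inventory (hypothetical accounts and passwords).
SAMPLE_CREDS = [
    ("mail.example", "Winter2024"),
    ("registrar.example", "Winter2024!"),
    ("exchange.example", "winter2025"),
    ("hosting.example", "Winter2024a"),
    ("forum.example", "tR7$kq!9Lm2#vX"),
    ("git.example", "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_CREDS)
    print(f"{report['reused_accounts']} of {report['total']} accounts share a near-identical password")
    for group in report["reuse_groups"]:
        print("  reuse group:", ", ".join(group))
    print("weak passwords on:", ", ".join(report["weak_accounts"]))
```

Run against an exported (and then securely deleted) inventory from a password manager, the reuse ratio is the number to watch; in the case above it comes out at four of six accounts, the same pattern the researchers found across EncryptHub's infrastructure logins.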

Besides reusing passwords, researchers also noted a significant overlap between the individual's home life and his "secret" hacking life.

It was pointed out that the individual:

  • Mixed usernames and access credentials used for personal or private matters with those tied to criminal endeavors
  • Used his personal emails to manage and create accounts related to his cybercriminal activity
  • Logged into personal accounts from the same system he used to develop and test his malware
  • Reused infrastructure and domains related to his legitimate jobs for his criminal endeavors

EncryptHub and ChatGPT

The most damning evidence linking EncryptHub and SkorikARI to the same individual is the chats the individual had with their faithful servant and accomplice ChatGPT. Due to the individual's poor operational security, researchers uncovered their ChatGPT chat history. Researchers discovered that ChatGPT suggested, evaluated, created, or improved almost every piece of code, configuration, and even some procedures and ideas.

In summary, it has assisted him with:

  • Creating and configuring Telegram bots, C2 servers, phishing sites, mail servers, and .onion services
  • Learning how to create macOS apps, how to properly use a REST API, and how to call PowerShell scripts from Go
  • Writing malware, such as clippers and cookie stealers
  • Understanding and improving scripts and code from other sources, and integrating them better with his current malware

One of ChatGPT's favored uses among threat actors is crafting more convincing phishing lures, a task EncryptHub also put it to with great effect. The individual even used ChatGPT to answer more philosophical questions, such as whether they could be considered more of a white hat or a black hat actor.

The individual would rant to ChatGPT about the perceived state of the cybersecurity industry and complain to the LLM that the previous work of Outpost24, Trellix, and Fortinet to unmask who is behind EncryptHub was unfair. Sensing that their time in the cybercrime underground might be ending, the individual asked ChatGPT to help formulate a plan to go from cybercriminal to legitimate cybersecurity company.

In conclusion, security researchers remarked,

EncryptHub's case is a prime example of how it does not matter how good you are at what you do, you still need to know the basics. He has shown and proven a lot of talent finding vulnerabilities and will be a force to be reckoned with if he keeps improving and solving his most glaring weaknesses. That said, his malware, like most throughout history, is not invincible, and cautious users who follow basic security measures are unlikely to fall victim to it... The most complex 0-day exploit is useless against a user that knows better than to download a suspicious executable from a shady site. Conversely, the most hardened infrastructure with the latest up-to-date antivirus software will be useless if you expose your access credentials for the world to see.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

PCrisk security portal is brought by a company RCS LT.
