Ethical Hacking News
Unmasking EncryptHub: A Threat Actor's Double Life as a Cybercrime Mastermind and Windows Bug-Bounty Researcher reveals the complex and conflicted individual behind one of 2025's most notorious cyber threats.
EncryptHub, a notorious threat actor, has been linked to a set of online accounts and credentials. The report reveals that EncryptHub's personal information was exposed by a malware infection on his own system, allowing researchers to connect him to other accounts. EncryptHub allegedly infected himself with malware, and the exfiltrated password files contained credentials linked to both him and SkorikARI. Conversations between EncryptHub and ChatGPT provided additional evidence linking the two personas. EncryptHub has been involved in zero-day exploits and in selling vulnerabilities on hacking forums, but his motivations are unclear. The report raises questions about EncryptHub's true intentions, as he appears to shift between freelance development work and cybercrime activity.
EncryptHub, a notorious threat actor linked to breaches at 618 organizations, has been making headlines for its dual life as a cybercrime mastermind and a Windows bug-bounty researcher. According to researchers at Outpost24, the threat actor has been exposed in a report that links him to various online accounts and credentials, revealing a conflicted individual who vacillates between being a cybersecurity researcher and a cybercriminal.
The report, which was conducted by Outpost24's Security Analyst, Hector Garcia, reveals that EncryptHub allegedly infected himself with malware, exposing his personal information and credentials. This exposure allowed researchers to link the threat actor to various online accounts, including SkorikARI, who is known for disclosing zero-day vulnerabilities to Microsoft.
Garcia stated in an interview with BleepingComputer that the link between EncryptHub and SkorikARI was based on multiple pieces of evidence, including password files exfiltrated from EncryptHub's own system. The password files contained accounts linked to both EncryptHub and SkorikARI, including credentials to EncryptRAT, which was still in development, as well as access to freelance sites and Gmail.
Another piece of evidence that confirmed the link between the two threat actors was a login to GitHub.com/SkorikJR, which was mentioned in a July 2024 article by Fortinet about Fickle Stealer. Additionally, researchers found conversations with ChatGPT, where activity related to both EncryptHub and SkorikARI could be observed.
EncryptHub's foray into zero-days is not new, as the threat actor or one of its members has been attempting to sell zero-days to other cybercriminals on hacking forums. However, the recent discovery of EncryptHub's dual life raises questions about the motivations behind this behavior.
According to Outpost24, EncryptHub repeatedly shifts between freelance development work and cybercrime activity. Despite his apparent IT expertise, the hacker reportedly fell victim to poor opsec practices that allowed his personal information to be exposed. His activity also included using ChatGPT to develop malware and phishing sites, integrate third-party code, and research vulnerabilities.
The threat actor also had a deeper, personal engagement with OpenAI's LLM chatbot, in one case describing his accomplishments and asking the AI to categorize him as a cool hacker or a malicious researcher. In response, ChatGPT assessed EncryptHub as 40% black hat, 30% grey hat, 20% white hat, and 10% uncertain, reflecting a morally and practically conflicted individual.
In one instance, EncryptHub asked ChatGPT for help in organizing a massive but "harmless" campaign impacting tens of thousands of computers for publicity. This raises questions about the true intentions behind EncryptHub's actions and whether it is simply trying to make a name for itself or seeking to use its expertise for good.
EncryptHub is believed to be loosely affiliated with ransomware gangs, such as RansomHub and BlackSuit operations. However, more recently, the threat actor has made a name for itself with various social engineering campaigns, phishing attacks, and creating a custom PowerShell-based infostealer named Fickle Stealer.
The threat actor is also known for conducting social engineering campaigns where it creates social media profiles and websites for fictitious applications. In one example, researchers found that EncryptHub created an X account and website for a project management application called GartoriSpace.
The report paints a picture of a complex and conflicted individual navigating the gray area between cybercrime and security research. As the threat actor's dual life continues to unfold, it remains to be seen whether EncryptHub will use his expertise for good or continue down the path of cybercrime.
In conclusion, this report highlights the complexities of modern-day cyber threats and the blurred lines between malicious activity and white-hat hacking. It serves as a reminder that even threat actors can have conflicting motivations and interests, and that the true intentions behind their actions may not always be immediately clear.
Related Information:
https://www.ethicalhackingnews.com/articles/Unmasking-EncryptHub-A-Threat-Actors-Double-Life-as-a-Cybercrime-Mastermind-and-Windows-Bug-Bounty-Researcher-ehn.shtml
https://www.bleepingcomputer.com/news/security/encrypthubs-dual-life-cybercriminal-vs-windows-bug-bounty-researcher/
https://www.microsoft.com/en-us/msrc/bounty
Published: Mon Apr 7 17:20:45 2025 by llama3.2 3B Q4_K_M