Pierluigi Paganini
April 07, 2025
Microsoft credited the likely lone actor behind the EncryptHub alias (also known as SkorikARI) for reporting two Windows security flaws, highlighting a “conflicted” figure balancing ethical cybersecurity work with cybercriminal activity.
Outpost24 KrakenLabs published a detailed analysis of the threat actor that was born in Ukraine. The man fled his hometown a decade ago and resettled near Romania. After years of low-profile IT work and self-study, his activity paused in 2022, likely due to jail time. Post-release, he resumed freelance development but struggled financially. In 2024, he shifted to cybercrime, starting with low-level roles in vishing and ransomware, later moving into malware and vulnerability research that drew wide attention.
Although involved in cybercrime, EncryptHub also pursued legitimate security research. Microsoft acknowledged him for reporting two CVEs, likely tied to his own hacking campaigns. His story reveals a conflicted individual, torn between building a lawful career and engaging in cybercrime, driven by ambition and a strong desire to learn despite a difficult past.
The expert reported the following vulnerabilities to Microsoft:
Microsoft addressed the two vulnerabilities with the release of Patch Tuesday security updates for March 2025.
EncryptHub made major OPSEC mistakes that exposed his cybercrime operations. He reused weak passwords across accounts, failed to enable or secure 2FA, mixed personal and criminal activity, and left critical files exposed on poorly secured servers. Telegram bot misconfigurations allowed investigators to infiltrate his groups. He also tested malware on his own systems, leaking personal data and credentials, ultimately leading to unmask hi.
The threat actor recently exploited a Microsoft Management Console zero-day, tracked as CVE-2025-26633, to deploy info stealers and new backdoors, SilentPrism and DarkWisp.
“Another more traditional task EncryptHub has given ChatGPT is as a writing assistant. As mentioned in the previous section, he has used it to translate emails and messages, as well as whole conversations and negotiations with other TAs and potential clients and employers. He has also used it to write forum posts and statements.” reads the post published by Outpost24 KrakenLabs. “On March 11th, 2025, the same day that the MSRC released the two CVEs he was acknowledged with, EncryptHub decided to start selling some of his exploits on the Russian speaking forum xss[.]is. To do so, first he asked ChatGPT which CVEs were related to EncryptHub, getting CVE-2025-26633 and CVE-2025-24983 as a response.”
EncryptHub often spoke to ChatGPT as a partner, even confessing key cyber exploits and seeking career advice. In one exchange, he detailed hacking feats (VPN cracking, 0-day CVEs, RCEs) all done via mobile and RDP. Though conflicted between white and black hat paths, he ultimately leaned toward cybercrime. He now plans to weaponize his notoriety to launch a ‘security’ brand through provocative, aggressive campaigns.
EncryptHub’s story proves that even skilled hackers are vulnerable if they ignore cybersecurity basics. Despite his talent with 0-days, his mistakes made him easy to track. His malware isn’t unstoppable and cautious users who follow simple safety rules can avoid infection. Outpost24 KrakenLabs concludes that threat intelligence is about empowering people with the knowledge to stay ahead of evolving cyber threats.
“EncryptHub’s case is a prime example of how it does not matter how good you are at what you do, you still need to know the basics. He has shown and proven a lot of talent finding vulnerabilities and will be a force to be reckoned with if he keeps improving and solving his most glaring weaknesses.” concludes the post. “That said, his malware, like most throughout history, is not invincible, and cautious users who follow basic security measures are unlikely to fall victim to it.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, cybercrime)
