EncryptHub Ransomware Exposed Through ChatGPT and OPSEC Slip-Ups

A Ukrainian cybercriminal known by the alias "EncryptHub" has been unmasked following a string of operational security blunders and an unusual reliance on AI tools to facilitate his malicious operations. Despite a background marked by failed attempts at legitimate employment and brief stints in bug bounty programs, EncryptHub pivoted into the cybercrime space, launching increasingly sophisticated ransomware campaigns beginning in early 2024. These campaigns targeted global organizations and focused on custom-built malware designed to steal cryptocurrency and sensitive data.

What makes this case particularly notable is the duality of EncryptHub's activities. While he orchestrated cyberattacks, he also contributed to legitimate security research, even receiving recognition from Microsoft Security Response Center for discovering vulnerabilities like CVE-2025-24071 and CVE-2025-24061.

The unraveling of EncryptHub’s anonymity stemmed from critical security missteps, such as reusing passwords across his criminal infrastructure, neglecting to implement two-factor authentication, and leaving sensitive directories publicly accessible on his servers. Most damningly, he tested his malware on his own development systems, which led to unintentional leaks of his personal data and login credentials. 

Researchers at Outpost24’s KrakenLabs initiated their investigation after stumbling upon an exposed JSON configuration file on EncryptHub’s command-and-control (C2) server. This file contained information about Telegram bots he had configured, creating a digital breadcrumb trail that eventually linked the threat actor to his activities. 

A particularly fascinating facet of this investigation is EncryptHub’s heavy use of ChatGPT. The AI tool was instrumental in building nearly every component of his attack infrastructure—including malware code, Telegram bots, C2 servers, phishing sites, and even dark web onion services. In one revealing interaction, EncryptHub even asked ChatGPT whether he was more suited to be a "black hat or white hat" hacker, casually admitting to the crimes and exploits he had developed. 

The PowerShell-based clipper malware he created with AI assistance was one of his main weapons. It monitored the clipboard for cryptocurrency wallet addresses and silently replaced them with addresses controlled by the attacker. This case serves as a stark example of how threat actors are beginning to integrate AI into their operations—yet still fall prey to basic security errors. 
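The clipper behaviour described above has a recognizable signature from the defender's side: a value that looks like a wallet address is replaced, within a fraction of a second, by a different address of the same family. The following Python is an added detection example, not code from the article or from Outpost24; it assumes a clipboard poller that produces timestamped snapshots (simulated here with a constructed timeline) and uses simplified, non-exhaustive address-shape patterns.

```python
import re
from dataclasses import dataclass

# Simplified address-shape patterns for two common wallet families.
# Constructed for this example; they are not exhaustive validators.
WALLET_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the wallet family a clipboard value looks like, or None."""
    value = text.strip()
    for family, pattern in WALLET_PATTERNS.items():
        if pattern.match(value):
            return family
    return None


@dataclass
class ClipboardSnapshot:
    """One poll of the clipboard: time in seconds and the text it held."""
    t: float
    content: str


def detect_address_swaps(snapshots, window: float = 2.0):
    """Flag a wallet address replaced by a different address of the same
    family within `window` seconds, the signature of a clipper at work.

    A user pasting two different addresses back to back inside the window
    also triggers this, so treat hits as leads to triage, not proof.
    """
    alerts = []
    previous = None
    for snap in snapshots:
        family = classify_address(snap.content)
        if previous is not None and family is not None:
            if (
                classify_address(previous.content) == family
                and previous.content.strip() != snap.content.strip()
                and snap.t - previous.t <= window
            ):
                alerts.append({
                    "family": family,
                    "original": previous.content.strip(),
                    "replacement": snap.content.strip(),
                    "delta": snap.t - previous.t,
                })
        previous = snap
    return alerts


# Constructed clipboard timeline (sample data, not captured from a real host).
SAMPLE_TIMELINE = [
    ClipboardSnapshot(0.0, "meeting notes for thursday"),
    ClipboardSnapshot(5.0, "0x" + "ab" * 20),    # user copies an ETH address
    ClipboardSnapshot(5.25, "0x" + "cd" * 20),   # replaced 250 ms later: suspicious
    ClipboardSnapshot(20.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipboardSnapshot(40.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),  # 20 s later: normal
]

if __name__ == "__main__":
    for alert in detect_address_swaps(SAMPLE_TIMELINE):
        print(f"{alert['family']} address swapped after {alert['delta']:.2f}s: "
              f"{alert['original']} -> {alert['replacement']}")
```

In practice the poll interval has to be short (tens of milliseconds) or the original value is never observed, and on Windows the clipboard owner window can be recorded alongside each snapshot to attribute the overwrite to a process.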

EncryptHub’s exposed infrastructure has revealed several Indicators of Compromise (IOCs) that organizations should now be vigilant about. These include PowerShell scripts, executable files, and suspicious domains like vexio[.]io and echonex[.]ai, which may be linked to ongoing or future attacks. 
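The two domains above are published defanged (`[.]` in place of the dot), so they have to be normalized before they can be matched against telemetry. The Python below is an added example, not code from the article or from Outpost24: it refangs the indicators, then matches them (including subdomains, case-insensitively, and with trailing dots stripped) against constructed DNS and proxy log lines in a hypothetical `key=value` format.

```python
import re

# Defanged IOCs as published; both domains come from the article.
ARTICLE_IOCS = ["vexio[.]io", "echonex[.]ai"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable lowercase domain."""
    return (
        indicator.strip()
        .replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxp", "http")
        .lower()
        .rstrip(".")
    )


def match_domain(host: str, domains):
    """Return the IOC domain that `host` equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Hypothetical key=value log formats for a DNS resolver and a web proxy.
HOST_FIELD = re.compile(r"\b(?:query|host)=([A-Za-z0-9.-]+)")


def scan_logs(lines, indicators):
    """Return (line number, observed host, matched IOC) for each hit."""
    domains = {refang(i) for i in indicators}
    hits = []
    for number, line in enumerate(lines, start=1):
        found = HOST_FIELD.search(line)
        if not found:
            continue
        matched = match_domain(found.group(1), domains)
        if matched:
            hits.append((number, found.group(1), matched))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2025-01-01T10:01:02Z dns client=10.0.0.12 query=api.vexio.io type=A",
    "2025-01-01T10:01:05Z dns client=10.0.0.12 query=www.example.com type=A",
    "2025-01-01T10:02:17Z proxy src=10.0.0.20 host=echonex.ai. method=GET path=/",
    "2025-01-01T10:03:00Z proxy src=10.0.0.21 host=notvexio.io method=GET path=/",
    "2025-01-01T10:04:00Z dns client=10.0.0.30 query=VEXIO.IO type=AAAA",
]

if __name__ == "__main__":
    for number, host, ioc in scan_logs(SAMPLE_LOGS, ARTICLE_IOCS):
        print(f"line {number}: {host} matched IOC {ioc}")
```

The suffix check requires a literal dot before the IOC domain so that look-alike names such as `notvexio.io` do not match; a plain substring search would produce that false positive.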
