Hacker EncryptHub Exposed: From Bug Bounty Hunter to Cybercriminal

Researchers Expose Hacker EncryptHub Involved in Bug Bounty Programs

Cybersecurity experts from the Swedish company Outpost24 KrakenLabs have identified the notorious hacker EncryptHub (also known as LARVA-208 and Water Gamayun), who has been linked to breaches of 618 organizations, as both a cybercriminal and a bug bounty hunter. EncryptHub reported two zero-day vulnerabilities in Windows to Microsoft: CVE-2025-24061 (Mark of the Web bypass) and CVE-2025-24071 (File Explorer spoofing). Microsoft patched these vulnerabilities in March 2025 and credited a researcher under the alias SkorikARI for the discoveries.

According to Outpost24, its researchers were able to connect EncryptHub and SkorikARI after the hacker accidentally infected his own system with malware, exposing his credentials. It is believed that about ten years ago, EncryptHub left his hometown of Kharkiv and settled somewhere on the Romanian coast. After relocating, he kept a low profile, took online IT courses, and looked for computer-related jobs.

EncryptHub’s activity abruptly stopped in early 2022, coinciding with the start of the special military operation. Researchers found evidence suggesting that he was imprisoned during this period. “After his release, he resumed job hunting, this time offering freelance web and app development services, which brought some success,” the report states. “However, the pay was likely too low. We believe that after unsuccessful attempts at bug bounty programs, he switched to cybercrime in early 2024.”

The aforementioned data leak helped link the hacker to various online accounts, building a profile of someone alternating between cybersecurity research and cybercrime. One such account was SkorikARI, which was used to report the two zero-day vulnerabilities to Microsoft.

Outpost24 analyst Hector Garcia notes that there is substantial evidence connecting SkorikARI and EncryptHub. The hacker frequently switched between freelance development and cybercriminal activities. “The most compelling evidence was that password files leaked from EncryptHub’s own system included accounts related to both EncryptHub (such as credentials for EncryptRAT, still in development, or his xss.is account) and SkorikARI (such as freelance site logins or his Gmail account),” Garcia explains. “We also found a login for hxxps://github[.]com/SkorikJR, which was mentioned in a July Fortinet article about Fickle Stealer, tying all this data together. Another strong link was found in ChatGPT conversations showing activity related to both EncryptHub and SkorikARI.”

Despite his IT expertise, EncryptHub fell victim to poor operational security (OPSEC), which exposed his personal information. For example, he used ChatGPT both to develop malicious and phishing websites and to integrate third-party code and study vulnerabilities. In one instance, he asked the chatbot for help organizing a large-scale, supposedly “harmless” campaign targeting tens of thousands of computers.

Conversations with ChatGPT

At times, EncryptHub even had deeply personal conversations with OpenAI’s chatbot. In one, he told the AI about his achievements and asked it to categorize him as a cool hacker or a malicious researcher. Based on the information provided, ChatGPT assessed EncryptHub as 40% black hat, 30% white hat, 20% gray hat, and left 10% for uncertainty, reflecting the hacker’s moral and personal conflict.

According to Bleeping Computer, EncryptHub has some connections to ransomware groups developing malware like RansomHub and BlackSuit. However, he is now better known for various phishing attacks and for creating his own PowerShell infostealer called Fickle Stealer.

EncryptHub has also been involved in social engineering campaigns, creating fake social media profiles and websites for non-existent applications. For example, he recently created an account on X (formerly Twitter) and a website for a fake project management app called GartoriSpace.

Fake Software Website

The link to the fake app’s website was distributed via direct messages on social media. When victims downloaded the software on Windows devices, they received a PPKG file that installed Fickle Stealer. On Mac devices, an AMOS stealer was downloaded, which also stole information.

Recently, EncryptHub was also linked to attacks on Windows users exploiting a vulnerability in Microsoft Management Console (CVE-2025-26633). This vulnerability, patched in March 2025, was used to deliver infostealers and previously undocumented backdoors (SilentPrism and DarkWisp).

According to analysts at Prodaft, who also recently published a report on EncryptHub’s activities, the hacker is responsible for breaching over 600 organizations by spreading stealers and ransomware.

“The EncryptHub case highlights that weak operational security remains one of the most dangerous vulnerabilities for cybercriminals. Despite technical sophistication, basic mistakes—such as password reuse, unsecured infrastructure, and mixing personal and criminal activities—ultimately led to his exposure,” Outpost24 researchers conclude.
