Microsoft Publicly Credits Hacker Behind 618+ Attacks—EncryptHub Exposed as Dual-Use Operator

Microsoft credited a cybercriminal known as EncryptHub—responsible for over 618 breaches—for responsibly disclosing two Windows vulnerabilities.

In a development that shows just how compromised modern cybersecurity is, Microsoft recently credited the notorious threat actor EncryptHub for identifying two Windows vulnerabilities: CVE-2025-24061 and CVE-2025-24071. These flaws, one allowing a Mark-of-the-Web bypass and the other enabling File Explorer spoofing, were patched during Microsoft's most recent Patch Tuesday. What’s buried in the credit is that EncryptHub isn't just a researcher. He’s a cybercriminal who has executed over 618 successful breaches in under a year.

Microsoft listed the contributor under the alias “SkorikARI with SkorikARI,” which threat analysts from Outpost24 KrakenLabs and PRODAFT have definitively linked to EncryptHub. The actor’s operational history includes using fake WinRAR installers and GitHub malware repositories to distribute malicious code such as Fickle Stealer, SilentPrism, and DarkWisp. His most recent exploit, CVE-2025-26633 (aka MSC EvilTwin), targeted the Microsoft Management Console to deliver info stealers and zero-day backdoors.

Timeline:
EncryptHub's digital footprint starts with freelance web development aspirations, followed by failed bug bounty attempts. By early 2024, he pivoted fully into cybercrime. Despite his technical capabilities, operational sloppiness gave him away: self-infections, reused credentials, and mixing personal and illicit projects. His infrastructure was tied directly to domains he also used for freelance gigs.

This isn’t theory. According to Outpost24, all current evidence suggests EncryptHub is a single individual who fled Ukraine for Romania and studied computer science informally. Activity went dark in 2022, coinciding with his presumed arrest, but resumed in 2024. His malware, like Fickle Stealer (first identified by Fortinet), is coded in Rust and optimized for evading corporate AV systems.

Critical Takeaway:
The most damning part? Microsoft rewarded this actor with public acknowledgment. While legally defensible under bug bounty norms, it’s a blatant case of institutional inconsistency: the same actor builds malware to exfiltrate corporate data and gets credited by a trillion-dollar company for pointing out flaws in their OS. This isn’t just ironic; it’s a sign that the cybersecurity apparatus is either compromised, indifferent, or both.

EncryptHub reportedly used ChatGPT extensively to code malware, translate phishing emails, and write what appear to be journal-style reflections. That’s not a red flag for OpenAI’s moderation filters, because moderation filters were never designed to block real adversaries. They're built to suppress dissent and enforce political narratives.

EncryptHub is a product of modern cyberwarfare’s grey zone: a freelance hacker with just enough skill to straddle the line between researcher and attacker. The state’s institutions, from Microsoft to criminal justice, fail to draw that line clearly, instead rewarding bad actors when convenient and punishing others for far less.

The next time Microsoft issues a CVE credit, don’t just ask who found it. Ask what they did with it after.