EncryptHub Lures Web3 Devs With Fake AI to Steal Data

The financially motivated threat group EncryptHub, also known as LARVA-208 or Water Gamayun, has launched a new campaign aimed at Web3 developers. In this latest operation, EncryptHub lures Web3 devs by posing as representatives of fake artificial intelligence platforms such as Norlax AI, a clone of the legitimate Teampilot service. The attackers contact potential victims with fabricated job offers or portfolio review requests as a means to establish trust.

Once contact is made, the threat actors deliver a malware payload known as Fickle Stealer. The malicious software is designed to extract sensitive information from infected systems, including credentials and digital assets. Security researchers have confirmed that EncryptHub lures Web3 devs with these impersonated platforms to increase the likelihood of successful infections.

The tactics highlight a growing trend in targeted attacks against the Web3 ecosystem. To learn more about this ongoing campaign, read the full report at the link below.

https://thehackernews.com/2025/07/encrypthub-targets-web3-developers.html