Click Here: "Evilginx’s Good Intentions"
Host: Dina Temple-Raston, Recorded Future News
Guest: Kuba Gretzky
Date: October 17, 2025
Overview
This episode centers on Kuba Gretzky, an offensive security developer from Poland, and the unintended consequences of his widely used cybersecurity tool, Evilginx. Gretzky designed Evilginx to help security professionals mimic attackers and test defenses, but once released publicly, it became a weapon in the hands of hackers around the globe—including nation-state actors and ransomware gangs. The episode weaves Gretzky’s personal journey with the ethical complexities faced when protective tools are repurposed for malice, questioning responsibility in the interconnected world of cybersecurity.
Key Discussion Points and Insights
Early Curiosity & Path to Cybersecurity (02:41–05:29)
- Roots in Gaming:
- As a teenager in Poland, Kuba Gretzky reverse-engineered an MMO to automate gameplay, creating a bot that allowed his character to progress while he slept.
- “Like, all in all, it would allow to play the game on its own, like by itself, so that you can go to sleep, leave it on, and it would just run around killing different mobs...” (B, 03:51)
- This experiment was about curiosity, not profit:
- “I think it was more because I could.” (B, 05:01)
- His fascination with how systems work led him naturally into cybersecurity and tool development for ethical hackers.
What is Evilginx? (05:51–07:40)
- Purpose & Design:
- Built to help white hat hackers (red teams) simulate attacks and identify flaws—especially bypassing multi-factor authentication (MFA).
- “Evilginx is a proxy that allows the attacker to bypass multi-factor authentication.” (B, 06:09)
- Evilginx can act as a man-in-the-middle on MFA sessions, intercepting sensitive authentication tokens and enabling even ordinary phishing attacks to bypass what many consider a gold standard of account security.
- “The attacker can grab the session tokens from the captured cookie and import it into their own web browser and thus be signed in and authenticated as the user.” (B, 06:50)
- Motivation for Open Release:
- Gretzky hoped that by sharing Evilginx with the community, even small teams could test their defenses and prepare for emerging threats.
- “I try to understand how red teams work, and I create tools for them to help them behave [like] an attacker and to simulate the attacks before the bad guys actually do it for real.” (B, 05:29)
The Tool in the Wild: From Defense to Offense (07:40–11:09)
- Evilginx Misused:
- Soon after its 2017 GitHub release, hackers began weaponizing Evilginx.
- “When I released the first version of Evilginx in 2017, the bad guys started using it to do evil.” (B, 08:08)
- Real-World Attacks:
- Referenced by Microsoft and security firms, Evilginx was implicated in major cyber incidents:
- Scattered Spider & MGM Resorts (2023):
- Scattered Spider, a group tied to Russian ransomware operations, used Evilginx to compromise MGM’s systems—costing the company over $100 million and causing massive operational outages.
- Voltage Blizzard:
- Russian APT group targeted NGOs and defense organizations aiding Ukraine, using Evilginx to steal emails and sensitive data.
- Gretzky’s reaction mixes dismay and a personal sense of responsibility.
- “That was a pretty not fun thing to read. I felt especially bad that Russia is using it because I specifically would never want to aid this country because I live in Poland. We have the bad history about what Russia is capable of.” (B, 11:09)
Ethical Safeguards, Limitations & Responsibility (11:09–13:52)
- Intentional Limitations:
- Before public release, Gretzky deliberately stripped out advanced features and inserted “Easter eggs” in the code.
- “In the public version, I try to add this specific string of characters with every request made to the website... so they can block it.” (B, 11:52)
- He reserved the feature-complete “Evilginx Pro” for vetted red teams only.
- “The cake made with the full recipe is the one that is being sold privately to red team companies.” (A, 12:17)
- “It is basically like a pro version of Evilginx...which I also do all the vetting and verification.” (B, 12:31)
- Double-Edged Sword & Emotional Weight:
- Gretzky acknowledges the dilemma:
- “I know that I'm basically by proxy aiding the bad guys and giving them something to use as well. But on the other hand, I would like also to support the people who cannot use the private version of Evilginx Pro to also make them able to strengthen their defenses...” (B, 12:58)
- Philosophy of Openness:
- Kuba argues that security is improved by exposing vulnerabilities—even if it means some misuse.
- “By actually being open about the methods that can be used. Attackers can hack people and steal information, because otherwise they would just be sitting in the dark and just waiting for the attacks to happen without anyone knowing the technique is actually up there.” (B, 13:31)
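The marker Gretzky describes at 11:52 is only useful if someone on the defending side actually acts on it. The following Go HTTP middleware is an added illustration, not code from the episode or from the Evilginx project: it sits in front of a login page, rejects any request that carries the marker, and logs the event. The marker value is not given on the page, so MarkerPlaceholder is a hypothetical stand-in to be replaced with the documented string; where the marker appears in a request is also an assumption, so the check scans every header value and the query string.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"strings"
)

// MarkerPlaceholder stands in for the "specific string of characters"
// the public Evilginx build adds to each request. The real value is not
// on this page; this is a hypothetical placeholder.
const MarkerPlaceholder = "EVILGINX-MARKER-PLACEHOLDER"

// requestCarriesMarker reports whether the marker appears anywhere in the
// request's header values or raw query string. Checking both locations is
// an assumption about where a proxy might place it.
func requestCarriesMarker(r *http.Request, marker string) bool {
	if strings.Contains(r.URL.RawQuery, marker) {
		return true
	}
	for _, values := range r.Header {
		for _, v := range values {
			if strings.Contains(v, marker) {
				return true
			}
		}
	}
	return false
}

// BlockMarkedRequests wraps next and answers 403 to any request carrying
// the marker, logging the source address and path so the event can be
// correlated with other telemetry.
func BlockMarkedRequests(next http.Handler, marker string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if requestCarriesMarker(r, marker) {
			log.Printf("blocked request from %s: proxy marker present on %s",
				r.RemoteAddr, r.URL.Path)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "login page")
	})
	// Only the login route is wrapped here; in practice every route that
	// issues or consumes a session cookie would be.
	http.Handle("/login", BlockMarkedRequests(login, MarkerPlaceholder))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The block alone does not stop a modified or private build that omits the marker, which is exactly the limitation Gretzky acknowledges; it is one cheap signal to pair with others rather than a complete defense.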
Notable Quotes & Memorable Moments
- On unintended consequences:
- “Every time I go to conferences and give talks about reverse proxy phishing, I try to inform users, and I think I've been pretty, pretty vocal about it in the last couple of years.” (B, 07:40)
- Personal reaction to cyberweaponization:
- “I felt especially bad that Russia is using it because I specifically would never want to aid this country because I live in Poland. We have the bad history...” (B, 11:09)
- On balancing public good with risk:
- “I know that I'm basically by proxy aiding the bad guys... But on the other hand, I would like also to support the people who cannot use the private version of Evilginx Pro...” (B, 12:58)
- Host’s closing reflection:
- “…security, after all, isn't one person's responsibility...every link, from the coder to the company to the person who clicks the link has to hold fast. It's messy. It's human. And for now, that might be the most honest kind of security we've got.” (A, 13:52)
Important Segment Timestamps
- Frankenstein analogy, ethics preview: 00:58–01:07
- Gaming roots & early programming: 02:41–05:29
- Introduction & purpose of Evilginx: 05:51–07:40
- Release, weaponization, and real attacks: 07:40–11:09
- Public vs. private/pro versions—Easter eggs for defenders: 11:09–12:51
- Wrestling with responsibility and the necessity of openness: 12:58–13:52
- Closing perspective on security’s shared burden: 13:52
Tone and Language
The conversation is candid, thoughtful, and accessible, focusing on human motivations and ethical ambiguity over technical jargon. The host, Dina Temple-Raston, brings warmth and journalistic curiosity, while Gretzky is introspective—openly wrestling with his choices and their impact.
Summary
“Evilginx’s Good Intentions” traces a creator’s journey from curious gamer to a renowned (and conflicted) cybersecurity developer. The episode shines a light on the paradox at the heart of security: tools meant for protection can become potent weapons, and creators must weigh their hopes for a safer digital world against the reality of bad actors waiting in the wings. Gretzky’s story becomes a microcosm for the broader cybersecurity community—where transparency and responsibility are closely intertwined, and the best intentions sometimes pave the way for unintended harm.
