Kuba Gretzky wanted to make the internet safer. Instead, he helped make it more dangerous.

In 2017, from his home in Poland, the coder released a hacking tool called Evilginx – a program designed to help cybersecurity teams understand and defend against phishing attacks. It was meant as a teaching device, a way for companies to see how easily credentials could be stolen and to shore up their defenses before someone else did it for real.

But once Evilginx went public, the line between defense and offense blurred. Hackers began using it to break into networks, steal passwords and sell access. Before long, even nation-state actors were folding Gretzky’s code into their operations.

At the center of the story is one of cybersecurity’s oldest paradoxes: The same code that helps protect systems can also be turned against them. It’s the open-source dilemma at internet scale, where “ethical” and “criminal” hacking are separated not by the software itself, but by whoever’s sitting at the keyboard.

When asked if he ever feels like Dr. Frankenstein, Gretzky chuckles. The comparison fits. Frankenstein created a monster he couldn’t control; Gretzky created code that escaped its laboratory. “The bad guys started using it,” Gretzky says, “to do evil.”

From gamer to red teamer

Long before Evilginx, Gretzky spent long nights in front of his computer, playing massively multiplayer online games — the kind where strangers from around the world battle in virtual forests. The problem, he came to believe, was that when he logged off, his character stopped accumulating points, and he wondered whether he could find a way to have the game just keep playing without him. So he reverse-engineered its code and built a bot that could do the work automatically — slaying monsters, gathering loot, leveling up while he slept.

And all these years later he says it was never about money — it was about curiosity. That impulse — to take things apart and see how they worked — eventually led him into cybersecurity.

He became an offensive-security developer, building tools for “red teams,” the ethical hackers hired to break into systems before criminals do, so companies can patch their network vulnerabilities.

[Image caption: Kuba Gretzky speaks with the Click Here podcast team. Image: Recorded Future News]

It turns out Evilginx was his most ambitious creation. It could quietly intercept the text messages or app notifications that make up multi-factor authentication — that extra step protecting online accounts. The software acted as a kind of digital pickpocket, grabbing a user’s session token mid-air and handing it to whoever controlled the proxy.

To Gretzky, it was a teaching tool. If he could build something that bypassed multi-factor authentication, he reasoned, so could someone else. By showing how easy it was, companies would be forced to strengthen their systems.

So in 2017, he made Evilginx open-source. Anyone could download it. Within weeks, attackers did.

Unintended consequences

By late 2023, the tool was everywhere. A hacking collective called Scattered Spider had used it. The group is known for breaching MGM Resorts, making hotel keycards fail and freezing up slot machines. Guests couldn’t check in or cash out. The company reported losses of more than $100 million. Investigators linked Scattered Spider to Russian ransomware gangs.

Another group — a Russian espionage gang known as Void Blizzard or Laundry Bear — used Evilginx to target NGOs and defense contractors supporting Ukraine. “That was a pretty … not fun … thing to read,” Gretzky admitted. For a Polish coder whose country still bears the scars of Russian occupation, the revelation cut deep. “I would never want to aid this country,” he says. “We have a bad history with what Russia is capable of.”

To blunt the damage, Gretzky offered a scaled-back public version of Evilginx available on GitHub. He removed its most dangerous features and inserted digital “Easter eggs” — bits of code that allow researchers to spot when Evilginx is being used in the wild. The public release, he said, was like a family recipe with one ingredient missing.

The full version, called Evilginx Pro, is sold privately to vetted security firms. Gretzky personally screens buyers to confirm they work for legitimate companies.

Still, the free version remains online, and the decision to put it there continues to weigh on him. “I know that I’m basically, by proxy, aiding the bad guys,” he says. “But I also want to support people who can’t afford the private version, to help them strengthen their defenses.”

Ironically, Evilginx has also driven improvements across the industry. Engineers at Google contacted Gretzky after his release, seeking advice on hardening their authentication systems. He believes the openness of tools like his ultimately makes the internet safer. “Otherwise,” he says, “people would just be sitting in the dark, waiting for attacks to happen without anyone knowing the technique is out there.”

Seven years later, Evilginx still straddles the line between innovation and threat — a living example of what happens when transparency collides with opportunism. Gretzky remains convinced that shining a light on flaws is better than pretending they don’t exist, even if that light sometimes spills into the wrong places.

Security, he says, isn’t one person’s responsibility. It’s a chain — from the coder to the company to the person who clicks the link. And every link in that chain has to hold.
Dina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”

Sean Powers is a Senior Supervising Producer for the Click Here podcast. He came to Recorded Future News from the Scripps Washington Bureau, where he was the lead producer of "Verified," an investigative podcast. Previously, he was in charge of podcasting at Georgia Public Broadcasting in Atlanta, where he helped launch and produced about a dozen shows.