The MFA Killer: How One Programmer’s Tool Became a $100M Cybercrime Weapon
Kuba Gretzky originally sought to make the internet a safer place — yet his creation achieved the opposite. In 2017, the Polish programmer developed Evilginx, a tool designed to help Red Team professionals study phishing techniques and understand how attackers steal credentials. The idea was simple: to demonstrate how easily even multi-factor authentication could be bypassed, encouraging companies to fortify their defenses before real adversaries exploited the same weaknesses. However, once the source code was released publicly, it quickly escaped his control.
Evilginx functioned as a transparent proxy server, relaying network traffic between a user and the targeted website while the victim logged in. Because the site issues its session token only after the user has supplied both password and second factor, the proxy could capture that token once the login succeeded; whoever held it could then use the account without ever being asked for a code. In effect, anyone operating such a proxy could gain unauthorized access to another person’s account, even if the victim had two-factor protection enabled. For Gretzky, it was an educational project; for criminals, it was a ready-made weapon.
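As an added defender-side example (not the article's or Evilginx's own code), the following check looks for the tell-tale sign of a session token captured through such a proxy and later replayed: the token is presented from a client that differs from the one that completed the login. The event records and the `find_session_reuse` function are constructed for this illustration, as is the sample log.

```python
from collections import namedtuple

# Minimal auth-log event: timestamp, kind, session token id, client IP, user agent.
Event = namedtuple("Event", "ts kind session_id ip user_agent")

# Constructed sample log. A proxy relaying the login is what the server sees at
# MFA time; the stolen token is then imported into a different browser (s1 at
# t=160) or appears with no completed login at all (s3 at t=170).
SAMPLE_EVENTS = [
    Event(100, "mfa_success", "s1", "203.0.113.10", "Firefox/128.0 (Windows)"),
    Event(105, "request", "s1", "203.0.113.10", "Firefox/128.0 (Windows)"),
    Event(160, "request", "s1", "198.51.100.7", "Chrome/120.0 (Linux)"),
    Event(170, "request", "s3", "198.51.100.7", "Chrome/120.0 (Linux)"),
    Event(200, "mfa_success", "s2", "192.0.2.44", "Safari/17.0 (Mac)"),
    Event(210, "request", "s2", "192.0.2.44", "Safari/17.0 (Mac)"),
]


def find_session_reuse(events):
    """Return (session_id, ts, reason) for tokens used from a client other than
    the one that completed MFA, or with no MFA completion on record."""
    bound = {}  # session_id -> (ip, user_agent) observed at MFA completion
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "mfa_success":
            bound[ev.session_id] = (ev.ip, ev.user_agent)
        elif ev.kind == "request":
            origin = bound.get(ev.session_id)
            if origin is None:
                alerts.append((ev.session_id, ev.ts, "token used without a recorded login"))
            elif origin != (ev.ip, ev.user_agent):
                alerts.append((ev.session_id, ev.ts,
                               f"client changed from {origin[0]} to {ev.ip}"))
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_EVENTS):
        print(alert)
```

Address and user-agent changes also happen legitimately (mobile networks, browser updates), so this is a triage signal rather than a block rule.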
Over time, the tool became precisely that — a weapon. By 2023, it had been adopted by cybercriminal groups, including Scattered Spider — the same collective responsible for the MGM Resorts breach, which disrupted casino key cards and slot machines and caused more than $100 million in damages. Analysts have also documented Evilginx’s use in attacks against non-governmental organizations and defense contractors connected to Ukraine.
Recognizing the scale of the problem, Gretzky released a stripped-down public version of Evilginx on GitHub, removing its most dangerous features and embedding digital watermarks that allow researchers to identify its presence across the web. The full edition, now called Evilginx Pro, is sold only to vetted companies, with the developer personally reviewing each buyer. Still, the free version remains accessible — and Gretzky himself admits to feeling torn between a desire to aid the security community and the knowledge that his code is being misused by malicious actors.
Paradoxically, Evilginx’s existence helped strengthen the cybersecurity industry. After the source code’s release, engineers from Google reached out to Gretzky to discuss improvements to authentication mechanisms. He remains convinced that the openness of such tools fosters greater awareness of real-world threats — for hidden dangers will always find a way to surface. To him, security is not the burden of a single individual but a chain of shared responsibility, stretching from developers to the everyday user who clicks a link.
Evilginx endures as a living paradox — proof of how thin the line between research and exploitation can be, and how noble intentions may inadvertently spawn new perils. Seven years later, the project continues to balance precariously between innovation and threat, reminding us that in the digital realm, any knowledge can fall into the wrong hands.