Blog | Trinity Cyber

Behind the Curtain: How the ErrTraffic ClickFix Toolkit is Evolving

Written by Trinity Cyber | Apr 29, 2026 2:00:01 PM

Executive Summary

ErrTraffic is a subscription-based builder of ClickFix campaigns that emerged late in 2025 and has been serving malicious campaigns such as GlitchFix and CrashFix.[1] In February 2026, the creator “LenAI” rebuilt ErrTraffic and began using Polygon smart contracts (a blockchain technology which can be abused by cyber actors) to allow users of this toolkit to change their Command & Control (C2) infrastructure seamlessly. ErrTraffic also offers a growing list of ClickFix themes – ranging from broken font attacks to Windows Blue Screen of Death (BSOD) warnings – which operators can use to carry out campaigns against victims.

The Trinity Cyber platform, powered by Full Content Inspection™ (FCI), protects customers from many variants of ClickFix, including ErrTraffic. This blog highlights how ErrTraffic has evolved and what defenders need to know about this emerging threat.

Background

ClickFix weaponizes browser and operating system errors to trick users into downloading malware. First discovered in late 2023, ClickFix has been widely reported as a major initial-access vector[2] for infostealers and ransomware.

The ErrTraffic toolkit, available by subscription (or as a full source code purchase) on criminal dark web forums, allows the operator to choose between nine different “themes” to target specific operating systems and browsers. Convenience, flexibility, and relatively low cost have opened ClickFix functionality up to malicious actors without requiring much coding or skill. At the time of this writing, ErrTraffic access can be obtained for as little as $800 USD.

ErrTraffic’s developer, operating under the alias “LenAI,” provides access to a Russian-language panel as part of the subscription. Customers using ErrTraffic can do a lot – from creating minimal JavaScript code to place on legitimate websites, to crafting new ClickFix campaigns that specifically target Windows, macOS, and Chrome browsers.

Timeline and Recent Capability Updates

On Feb. 1, 2026, LenAI announced a significant rebuild and infrastructure change for ErrTraffic, which shifted to using Polygon smart contracts – the same technology that powers many cryptocurrency transactions – allowing its customers to rotate C2 infrastructure without changing scripts already deployed on compromised websites.

By March 2026, LenAI had expanded the project again with additional themed delivery options, including macOS ClickFix support, demonstrating how quickly ErrTraffic continues to evolve. Its options panel looks a lot like legitimate software dashboards, and it includes functionality that alarms users by shaking their browser windows and displaying text in a “glitchy” font (Zalgo).
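Zalgo text is produced by stacking Unicode combining marks on ordinary characters, so it can be measured in page content. The JavaScript heuristic below is an added example, not code from ErrTraffic or Trinity Cyber; the thresholds, function names and sample strings are assumptions constructed for illustration.

```javascript
// Added example: heuristic check for Zalgo-style text in page content.
// Thresholds below are assumptions for illustration, not vendor values.
const MIN_STACK = 3;       // combining marks stacked on one base character
const MIN_HEAVY_CHARS = 4; // heavily marked characters needed to flag text

// Group text into base characters with a count of the combining marks that
// follow each one. NFC normalization first folds ordinary accented letters
// (including decomposed input) into single precomposed code points.
function markStacks(text) {
  const stacks = [];
  let current = null;
  for (const ch of text.normalize('NFC')) {
    if (/\p{M}/u.test(ch)) {
      if (current) current.marks += 1; // a leading mark with no base is skipped
    } else {
      current = { base: ch, marks: 0 };
      stacks.push(current);
    }
  }
  return stacks;
}

// Summarize how heavily marked the text is and decide whether to flag it.
function zalgoReport(text) {
  const stacks = markStacks(text);
  const heavy = stacks.filter((s) => s.marks >= MIN_STACK);
  return {
    baseChars: stacks.length,
    heavyChars: heavy.length,
    maxStack: stacks.reduce((m, s) => Math.max(m, s.marks), 0),
    flaggedText: heavy.map((s) => s.base).join(''),
    flagged: heavy.length >= MIN_HEAVY_CHARS,
  };
}

// Constructed samples (not taken from a real campaign).
const ZALGO_SAMPLE = [...'System error']
  .map((c) => c + '\u0336\u0317\u033e').join('');
const BENIGN_SAMPLES = [
  'Tie\u0302\u0301ng Vie\u0323\u0302t', // decomposed Vietnamese
  'Crème brûlée, señor',
  '\u0928\u092e\u0938\u094d\u0924\u0947', // Hindi greeting, one mark per base
];

console.log(zalgoReport(ZALGO_SAMPLE));
for (const s of BENIGN_SAMPLES) console.log(s, zalgoReport(s).flagged);
```

Some legitimate writing systems can stack several marks on one character, so a hit is a triage signal to weigh alongside other page features rather than a verdict.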

Among the themes that ErrTraffic can create are:

  • System Font Missing
  • Browser Update
  • Blue Screen of Death (BSOD)
  • Various fake CAPTCHAs impersonating Cloudflare
  • macOS errors

Social Engineering as a Service

ErrTraffic is low-cost and easy to deploy, which lowers the barrier to entry for cyber criminals who want to create malware campaigns with it. This brings ErrTraffic, and many new ClickFix variants, into the as-a-Service model. In less than 30 minutes, an attacker can deploy a new ClickFix campaign with ErrTraffic.

Defenders reading this analysis should recognize what ClickFix campaigns generated by ErrTraffic look like, so they can better inform defenses. With the rise of Artificial Intelligence (AI) systems powering capabilities like ErrTraffic, the problem of Social Engineering (as-a-Service) will only get worse. FCI is a major step forward in the fight against ClickFix, but defenders should also recognize the steps and stages of ErrTraffic campaigns.

As ClickFix evolves, toolkits like ErrTraffic significantly reduce the barrier to cyber crime. For increasingly less money, anyone can become a hacker and target innocent victims. ErrTraffic certainly isn’t the first ClickFix builder, but it will undoubtedly inspire similar platforms in the future.

Sources

  1. https://www.infostealers.com/article/the-industrialization-of-clickfix-inside-errtraffic/
  2. https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf