
PSA: thekreatively.com scam campaign targeting agencies

Captain's log, stardate d126.y42/AB


This week, a project enquiry came through the Hire Us form on our website from someone called Cole Ambrose, CEO of a company called Kreatively. Budget over 80.000 EUR, looking for a development partner to handle 700.000 USD in referred projects under a revenue-share model. So far, nothing weird: we often get contacted by marketing agencies that want to partner up with a dev shop to refer clients.

We get 2-3 of these a month. They never end up working out for a variety of reasons, but I don’t want to derail the subject.

After my first reply, Cole responded the same day. Out on a business trip, back on the 14th, but in the meantime he'd set up a Google Workspace with all the project overviews and budgets. Several clients anonymous at this stage, eager to start ASAP (always ASAP, of course), normal enough for early conversations. Calendly link for a 30-minute call.

The combination of “confidential clients” and “but here are my credentials to freely access the database of clients and projects” raised an eyebrow. Especially considering that we hadn’t even had a first introductory call.

I clicked the link out of curiosity, without carefully inspecting the URL: a Google Sites page, so it should be safe. It looked exactly like a Google product because it was: a Google Sites page, hosted on google.com. The browser showed no warnings, but then it hit a "Connection failed" error (WORKSPACE_AUTH_CERT_EXPIRED, 401 Unauthorized, session ID and everything) and offered to fix it by downloading a certificate installer in the shape of a .dmg file.

That's when I raised another eyebrow and ran a search on Google, where I quickly found a Reddit thread from someone warning about this scam.

A legitimate Google Workspace does not ask you to install a certificate from a random Sites page to access it. I didn’t care to check, but that .dmg file is most likely malware.

The email addresses cole@thekreatively.com and ambrose@thekreatively.com are blacklisted on 26 and 5 spam databases respectively, with activity traced to April 2026. This is an ongoing campaign targeting dev agencies and freelancers specifically. Find the references here and here.

The scam works because every individual element feels legitimate: a contact form enquiry, a real-sounding person with a title and a phone number (Frisco, TX), a proper company website and LinkedIn profiles of the founders, a Google domain and so on. The red flags only emerge in combination, or when you’ve been in business long enough to know when something is a bit odd, especially if it requires you to install something on your computer!

We haven’t been affected or infected by this malware, but someone else will be. I’m sharing this to spread this information further and to help people find it if they are in the same situation I was in earlier this week: in time to stop it.

If you get an enquiry from anyone at thekreatively.com, do not click anything they send you. Forward this post to anyone running a dev shop or working as a freelancer. The campaign is active now and threatening innocent individuals and companies.
