Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious LLM underground market commoditizes low-level hacking help

Threat Actor Meta
First reported
Last updated
Happening score
H score 1
2 unique sources, 2 articles

Summary

Hide ▲

The malicious LLM underground market is now drawing attention from Sophos CTU as a broader underground threat-actor ecosystem problem. Researchers found that AI-based hacking tools are becoming common on dark web marketplaces, with sellers advertising kits for phishing, social engineering, malware coding, deepfake audio/video, and romance fraud support. Some criminals are also worried that AI tools will take their jobs and lower the quality of their products, while a spike in discussion followed Claude Mythos Preview. Sophos advises defenders to reinforce timely patching, MFA, passkey use, and visibility across the environment to stop AI-assisted acceleration before attacks escalate.

Related Happenings

Indirect prompt-injection web campaigns targeting AI agents

Campaign
H score37 First: 06.07.2026 18:00 Last: 06.07.2026 18:00 Sources 1

About this happening: **Two real-world campaigns** are using **indirect prompt injection** and **SEO poisoning** to steer **AI agents** into fraudulent actions and false legitimacy judgments. The lures...

SKILLCLOAK and SKILLDETONATE expose AI coding-agent skill scanner evasion with runtime-packed malware

Technical Analysis
H score22 First: 06.07.2026 09:33 Last: 06.07.2026 09:33 Sources 1

About this happening: **SKILLCLOAK** shows that malicious **AI coding-agent skills** can be rewritten to evade static scanners while still executing, exposing **credentials**, **source code**, and term...

Google GTIG analysis of adversary AI use for exploit development and attack orchestration

Technical Analysis
H score33 First: 11.05.2026 16:00 Last: 11.05.2026 16:00 Sources 1

About this happening: **Google Threat Intelligence Group** published findings showing **adversaries using AI** for **exploit development** and **attack orchestration**, signaling that model-assisted tr...

Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery

Security Tool/Service
H score58 First: 08.04.2026 12:16 Last: 08.04.2026 12:16 Sources 1

About this happening: **Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...

Latest development: 03.06.2026 14:00

President Donald Trump signed a June 2 executive order that sets up a voluntary framework for developers of covered frontier models to give the US government access for cybersecurity review for up to 30 days before release, while expressly rejecting any mandatory licensing or preclearance requirement. The order directs NSA, CISA, and NIST to build a classified benchmark for determining which models cross the covered threshold and creates an AI cybersecurity clearinghouse led by the Treasury Department. The framework closely echoes Anthropic's Project Glasswing, which gives vetted partners early access to Claude Mythos Preview to scan critical software for vulnerabilities.

Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score31 First: 25.03.2026 16:02 Last: 25.03.2026 16:02 Sources 1

About this happening: A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...

Timeline

  1. 02.12.2025 16:17 3 articles · 7mo ago

    Malicious LLM underground market commoditizes hacking assistance

    Initial Disclosure

    Cybercriminals are selling malicious large language models on dark web forums through tiered subscription plans, packaging them as purpose-built offensive models or dual-use penetration testing tools that can automate vulnerability scanning, data encryption, data exfiltration, and the drafting of phishing emails or ransomware notes. The market lowers the skill bar for abusive use by making low-level hacking help easier to buy and reuse at scale.

    Show sources