AI-Driven 'Fifth Wave' of Cybercrime Expands with Dark LLMs and Deepfake Kits
Summary
Group-IB's report identifies a new 'fifth wave' of cybercrime, characterized by the widespread adoption of AI and generative AI (GenAI) tools. This wave, termed 'weaponized AI,' enables cheaper, faster, and more scalable cybercrime. Key developments include the proliferation of deepfake kits, AI-powered phishing kits, and proprietary 'dark LLMs' used for various malicious activities. The report highlights the increasing sophistication and accessibility of these tools, which are fueling a surge in cybercrime activities.
Timeline
- 20.01.2026 14:15 · 1 article
AI-Driven Cybercrime Tools Become Widely Available and Sophisticated
Since 2022, the cybercrime landscape has entered a fifth wave characterized by the widespread adoption of AI and GenAI tools. These tools enable cheaper, faster, and more scalable cybercrime activities. Deepfake kits and AI-powered phishing kits are now available for as little as $5 and $200 per month, respectively. Additionally, proprietary 'dark LLMs' are being developed and sold, with subscriptions ranging from $30 to $200 per month and a customer base exceeding 1000 users.
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
Information Snippets
- Group-IB's report categorizes cybercrime evolution into five waves, with the fifth wave marked by AI and GenAI tools.
  First reported: 20.01.2026 14:15 (1 source, 1 article)
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- Deepfake kits and AI video actors are available for as little as $5 on dark web marketplaces.
  First reported: 20.01.2026 14:15 (1 source, 1 article)
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- Discussions about AI-powered tools for criminal purposes spiked from below 50,000 messages annually (2020-2022) to approximately 300,000 messages yearly since 2023.
  First reported: 20.01.2026 14:15 (1 source, 1 article)
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- AI-powered phishing kits are now available at prices ranging from the cost of a Netflix subscription to $200 per month.
  First reported: 20.01.2026 14:15 (1 source, 1 article)
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- AI agents are being used to automate and scale phishing campaigns, making them more personalized and adaptive.
  First reported: 20.01.2026 14:15 (1 source, 1 article)
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- Proprietary 'dark LLMs' are being developed and sold, with subscriptions ranging from $30 to $200 per month and a customer base exceeding 1000 users.
  First reported: 20.01.2026 14:15 (1 source, 1 article)
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
Similar Happenings
VoidLink Malware Framework Targets Cloud and Container Environments
A new advanced Linux malware framework, codenamed VoidLink, has been discovered targeting cloud and container environments. Developed by a single person with the help of an artificial intelligence model, VoidLink is a highly modular and flexible framework designed for long-term, stealthy access to Linux-based systems. It includes custom loaders, implants, rootkits, and over 30 plugins (35 in the default configuration), enabling operators to adapt its capabilities over time.

The malware is engineered to detect major cloud environments and adapt its behavior when running within Docker containers or Kubernetes pods. It also gathers credentials associated with cloud environments and source code version control systems like Git. VoidLink's capabilities include anti-forensics, reconnaissance, credential harvesting, lateral movement, and persistence, making it a full-fledged post-exploitation framework.

The framework is written primarily in the Zig programming language and includes plans to extend its detection capabilities to additional cloud environments such as Huawei, DigitalOcean, and Vultr. VoidLink's documentation suggests it is intended for commercial purposes, and its development environment includes debug symbols and other development artifacts, indicating in-progress builds.

VoidLink uses a custom encrypted messaging layer called 'VoidStream' to camouflage traffic. The framework employs rootkit modules to hide processes, files, network sockets, or the rootkit itself, and includes advanced anti-analysis mechanisms that detect debuggers and perform runtime code encryption and integrity checks. Its anti-forensic modules erase logs, shell history, and login records, and securely overwrite all files dropped on the host, minimizing exposure to forensic investigations.

With the help of the AI model, VoidLink reached a functional iteration in under a week. The developer used Spec-Driven Development (SDD) to define the project's goals and set constraints, with the AI generating a multi-team development plan. VoidLink reached 88,000 lines of code by early December 2025, and researchers successfully reproduced the workflow, confirming that an AI agent can generate code similar to VoidLink's.