Dark LLM-WormGPT ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Dark web cybercrime vendors are commoditizing dark LLMs and other AI-enabled services, lowering the cost and skill needed for phishing, fraud, malware, and exploit support. That shift matters because it turns attack capability into a scalable subscription market, with vendors already serving 1000+ users and pricing as low as $30 per month. The ecosystem now makes advanced criminal workflows faster, cheaper, and easier to distribute across a wider pool of offenders.
Related Happenings
ShadowSyndicate infrastructure expansion suggests IAB or bulletproof hosting operations
Threat Actor Meta
First: 04.02.2026 17:00
Last: 04.02.2026 17:00
Sources 1
About this happening:
**ShadowSyndicate** has expanded its attributed infrastructure through **new SSH fingerprint markers** and server overlaps, strengthening the case that it operates as an **initial...
ShadowSyndicate infrastructure expansion suggests IAB or bulletproof hosting operations
Threat Actor MetaAbout this happening: **ShadowSyndicate** has expanded its attributed infrastructure through **new SSH fingerprint markers** and server overlaps, strengthening the case that it operates as an **initial...
Peru loan phishing campaign impersonating financial institutions across Latin America
Campaign
First: 21.01.2026 17:00
Last: 21.01.2026 17:00
Sources 1
About this happening:
A **Peru-focused loan phishing campaign** has expanded across **Latin America**, putting users' **card numbers**, **PIN codes**, and **banking credentials** at risk. The operation...
Peru loan phishing campaign impersonating financial institutions across Latin America
CampaignAbout this happening: A **Peru-focused loan phishing campaign** has expanded across **Latin America**, putting users' **card numbers**, **PIN codes**, and **banking credentials** at risk. The operation...
WEF Cybercrime Atlas analysis finds deepfake tools can bypass KYC verification
Technical Analysis
First: 09.01.2026 14:15
Last: 09.01.2026 14:15
Sources 1
How related:
This content can be used lure other trusting people to execute tasks or to bypass authentication processes and know your customer (KYC) systems to gain access to devices, steal money or steal data.
About this happening:
A **January 8** assessment of **17 face-swapping tools** and **8 camera injection tools** showed that some deepfake systems can defeat **KYC** and remote verification, increasing...
WEF Cybercrime Atlas analysis finds deepfake tools can bypass KYC verification
Technical AnalysisHow related: This content can be used lure other trusting people to execute tasks or to bypass authentication processes and know your customer (KYC) systems to gain access to devices, steal money or steal data.
About this happening: A **January 8** assessment of **17 face-swapping tools** and **8 camera injection tools** showed that some deepfake systems can defeat **KYC** and remote verification, increasing...
Timeline
-
20.01.2026 14:15 2 articles · 4mo ago
Group-IB reports AI-driven cybercrime commoditization
Technical Analysis UpdateGroup-IB reported that dark web cybercrime vendors are commoditizing AI-enabled services, including synthetic identity kits, deepfake-as-a-service offerings, phishing kits, and custom self-hosted dark large language models. The report said synthetic identity kits can cost as little as $5, deepfake subscriptions start at $10 per month, phishing kits can reach $200 per month, and at least three active dark LLM vendors serve more than 1000 users.
Show sources
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15