Dark LLM-WormGPT ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
Hide ▲
Show ▼
Dark web vendors are commoditizing AI-enabled cybercrime services into scalable subscriptions, lowering the cost and skill needed for phishing, fraud, malware, and identity abuse. Recent reporting shows the market includes weaponized LLMs, deepfake identity fraud, AI-augmented malware and infrastructure, and stolen/jailbroken AI services, with distribution via Telegram bots, freemium tiers, and tiered pricing. That shift expands abuse at scale by making advanced criminal workflows faster, cheaper, and easier to buy.
Related Happenings
Phantom Project's subscription-based cybercrime toolkit model
Threat Actor Meta
H score37
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
About this happening:
**Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...
Phantom Project's subscription-based cybercrime toolkit model
Threat Actor MetaAbout this happening: **Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...
Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score31
First: 25.03.2026 16:02
Last: 25.03.2026 16:02
Sources 1
About this happening:
A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...
Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...
Underground AI services emerge with jailbroken APIs and MCP servers
Threat Actor Meta
H score11
First: 12.02.2026 14:45
Last: 12.02.2026 14:45
Sources 1
About this happening:
**Underground AI services** are emerging on **marketplaces** with a model that hides **jailbroken commercial APIs** and **open-source MCP servers**, expanding access to **malware*...
Underground AI services emerge with jailbroken APIs and MCP servers
Threat Actor MetaAbout this happening: **Underground AI services** are emerging on **marketplaces** with a model that hides **jailbroken commercial APIs** and **open-source MCP servers**, expanding access to **malware*...
ShadowSyndicate infrastructure expansion suggests IAB or bulletproof hosting operations
Threat Actor Meta
H score16
First: 04.02.2026 17:00
Last: 04.02.2026 17:00
Sources 1
About this happening:
**ShadowSyndicate** has expanded its attributed infrastructure through **new SSH fingerprint markers** and server overlaps, strengthening the case that it operates as an **initial...
ShadowSyndicate infrastructure expansion suggests IAB or bulletproof hosting operations
Threat Actor MetaAbout this happening: **ShadowSyndicate** has expanded its attributed infrastructure through **new SSH fingerprint markers** and server overlaps, strengthening the case that it operates as an **initial...
Peru loan phishing campaign impersonating financial institutions across Latin America
Campaign
H score37
First: 21.01.2026 17:00
Last: 21.01.2026 17:00
Sources 1
About this happening:
A **Peru-focused loan phishing campaign** has expanded across **Latin America**, putting users' **card numbers**, **PIN codes**, and **banking credentials** at risk. The operation...
Peru loan phishing campaign impersonating financial institutions across Latin America
CampaignAbout this happening: A **Peru-focused loan phishing campaign** has expanded across **Latin America**, putting users' **card numbers**, **PIN codes**, and **banking credentials** at risk. The operation...
Timeline
-
20.01.2026 14:15 3 articles · 5mo ago
Group-IB reports AI-driven cybercrime commoditization
Technical Analysis UpdateGroup-IB reported that dark web cybercrime vendors are commoditizing AI-enabled services, including synthetic identity kits, deepfake-as-a-service offerings, phishing kits, and custom self-hosted dark large language models. The report said synthetic identity kits can cost as little as $5, deepfake subscriptions start at $10 per month, phishing kits can reach $200 per month, and at least three active dark LLM vendors serve more than 1000 users.
Show sources
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- AI Supercharges Attacks in Cybercrime's New 'Fifth Wave' — www.infosecurity-magazine.com — 20.01.2026 14:15
- Infosecurity Europe: AI-Powered Cybercrime Tools Surge on Dark Web — www.infosecurity-magazine.com — 03.06.2026 10:30