Find notable cyber news and cases, enriched with sources, timelines, and signals.

Dark LLM-WormGPT ecosystem shift changes threat-actor operations

Threat Actor Meta
First reported
Last updated
Happening score
H score 22
1 unique sources, 2 articles

Summary

Hide ▲

Dark web vendors are commoditizing AI-enabled cybercrime services into scalable subscriptions, lowering the cost and skill needed for phishing, fraud, malware, and identity abuse. Recent reporting shows the market includes weaponized LLMs, deepfake identity fraud, AI-augmented malware and infrastructure, and stolen/jailbroken AI services, with distribution via Telegram bots, freemium tiers, and tiered pricing. That shift expands abuse at scale by making advanced criminal workflows faster, cheaper, and easier to buy.

Related Happenings

Phantom Project's subscription-based cybercrime toolkit model

Threat Actor Meta
H score37 First: 31.03.2026 17:00 Last: 31.03.2026 17:00 Sources 1

About this happening: **Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...

Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score31 First: 25.03.2026 16:02 Last: 25.03.2026 16:02 Sources 1

About this happening: A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...

Underground AI services emerge with jailbroken APIs and MCP servers

Threat Actor Meta
H score11 First: 12.02.2026 14:45 Last: 12.02.2026 14:45 Sources 1

About this happening: **Underground AI services** are emerging on **marketplaces** with a model that hides **jailbroken commercial APIs** and **open-source MCP servers**, expanding access to **malware*...

ShadowSyndicate infrastructure expansion suggests IAB or bulletproof hosting operations

Threat Actor Meta
H score16 First: 04.02.2026 17:00 Last: 04.02.2026 17:00 Sources 1

About this happening: **ShadowSyndicate** has expanded its attributed infrastructure through **new SSH fingerprint markers** and server overlaps, strengthening the case that it operates as an **initial...

Peru loan phishing campaign impersonating financial institutions across Latin America

Campaign
H score37 First: 21.01.2026 17:00 Last: 21.01.2026 17:00 Sources 1

About this happening: A **Peru-focused loan phishing campaign** has expanded across **Latin America**, putting users' **card numbers**, **PIN codes**, and **banking credentials** at risk. The operation...

Timeline

  1. 20.01.2026 14:15 3 articles · 5mo ago

    Group-IB reports AI-driven cybercrime commoditization

    Technical Analysis Update

    Group-IB reported that dark web cybercrime vendors are commoditizing AI-enabled services, including synthetic identity kits, deepfake-as-a-service offerings, phishing kits, and custom self-hosted dark large language models. The report said synthetic identity kits can cost as little as $5, deepfake subscriptions start at $10 per month, phishing kits can reach $200 per month, and at least three active dark LLM vendors serve more than 1000 users.

    Show sources