underground_llm_account_sellers

Also known asUnderground LLM Account Sellers

Underground LLM account sellers are cybercriminal actors operating in underground markets who sell or rent access to AI and large language model accounts, including ChatGPT, Perplexity, and Gemini subscriptions. Observed activity includes renting shared ChatGPT Plus access, with one ad offering one-month access for $6.99, three months for $14.99, six months for $24.99, and one year for $34.99. Supporting reporting describes both shared and private access models for ChatGPT Plus and Pro accounts, as well as discounted Perplexity Pro subscriptions and stolen credentials sold on criminal markets. Their activity relies on compromised or fraudulently obtained accounts, including subscriptions purchased with stolen credit cards and credentials harvested through infostealer malware logs. Available reporting also notes the sale of stealer logs containing LLM account credentials, stolen session cookies that can bypass MFA by hijacking active sessions, and lists of free OpenAI credentials posted on underground forums. These accounts are resold for profit and can be used by buyers for phishing, malware development, social engineering, reconnaissance, data theft, and other cybercriminal operations. No specific nation-state attribution is provided for this actor grouping. The only known alias directly provided in the content is underground_llm_account_sellers.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

esentire blogNews

Dec 10, 2025

Hackers are Celebrating the Holidays Big this Year Selling ChatGPT, Perplexity and Gemini Subscriptions for 40% to 75% Off!

Cybercriminals operating on underground markets are selling access to LLM (Large Language Model) accounts such as ChatGPT Plus, ChatGPT Pro, Perplexity AI Pro, and Google AI Pro. They offer both shared and private access, often leveraging stolen credit cards or credentials obtained from infostealer malware. These accounts are used to facilitate cybercrime operations, including phishing, malware development, and data theft.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.