FraudGPT
FraudGPT is a malicious or purportedly malicious GPT-branded large language model service marketed on dark web sites, underground forums, and Telegram as an AI assistant for cybercrime. Across the provided reporting, it is consistently described as one of the first widely publicized “dark LLMs” alongside WormGPT and as a tool advertised for phishing, fraud, malware development, and other offensive tasks.
Advertised capabilities directly mentioned in the content include writing malicious code, creating undetectable malware, generating phishing pages, scam pages, SMS, emails, and phishing panels, creating hacking tools, scanning websites for vulnerabilities across a CVE database, code obfuscation, bot creation, automatic scripts for replicating logs/cookies, page hosting, sending mail from webshells, and support for card-fraud workflows such as non-VBV BIN discovery, CVV checking, GoldCheck API integration, OTP bot functionality, and creation of username:password website configs and remote OpenBullet configs. The content also notes claims of millions of phishing email samples and thousands of malware source-code references.
FraudGPT is associated in the content with the actor name CanadianKingpin12, who advertised it on the dark web and via Telegram. Cisco Talos reported that when attempting to obtain access, the supplied credentials did not work and the seller requested cryptocurrency for a crack to the login page; Talos concluded the operator did not have a working product and was scamming prospective buyers, with other victims reportedly confirming they were also scammed. Sophos X-Ops likewise found forum skepticism around FraudGPT and noted that some users accused it of being a scam and questioned its malware-generation claims. Multiple sources in the content therefore characterize FraudGPT as promising phishing and malware capabilities but being largely fraudulent.
The content places FraudGPT in the broader ecosystem of criminal LLM abuse rather than tying it to a specific intrusion set. It is discussed as being available through dark web markets, Tor, Telegram channels, and cybercrime forums, and as lowering the barrier for fraud automation and social-engineering content generation. Reported use cases include phishing, scam-document generation, malware-related coding assistance, vulnerability research, and payment-card fraud support. Several articles also note that threat actors increasingly prefer jailbroken mainstream models or uncensored open-source models because dedicated criminal LLM offerings such as FraudGPT are often unreliable or fraudulent.
High-confidence contextual associations in the content include repeated pairing with WormGPT, GhostGPT, DarkGPT, DarkestGPT, BlackHatGPT, and similar GPT-branded underground tools. No specific malware-family IOCs, hashes, domains, or technical artifacts attributable to a functioning FraudGPT backend are provided in the content beyond the actor alias CanadianKingpin12 and the fact that the service was marketed on dark web pages and Telegram.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (4 techniques)
Drafting phishing lures, profiling targets... Threat actors use it to systematically design lookalike phishing pages, scrape target data...
Key capabilities have been segmented into phishing automation, malware development, reconnaissance, brute force, vulnerability exploitation, and social engineering.
Advertised features of malicious LLMs indicate that cybercriminals are connecting these systems to various external tools for... scanning sites for vulnerabilities... Scan websites for vulnerabilities across a massive CVE database... users were discussing connecting LLMs to external tools like Nmap, and using the LLM to summarize the Nmap output.
Resource Development (3 techniques)
Deepfake voice and video tools have advanced to the point where live video verification, once the victim’s last defense, no longer disqualifies the scammer. The Arup engineering firm deepfake in early 2024, in which a finance employee was tricked into wiring $25 million by AI-rendered “executives” on a Zoom call, is no longer an outlier.
Initial Access (3 techniques)
FraudGPT is described as a great tool for creating undetectable malware, writing malicious code, finding leaks and vulnerabilities, creating phishing pages, and for learning hacking.
Execution (1 technique)
Stealth (1 technique)
Recent activity
17 sources tracked across advisories, community write-ups, and news.
An illicit large language model variant referenced as being used in scam operations to generate convincing social-engineering content at scale.
AI-powered cybercrime tool focused on automating phishing, fraud, and related criminal content generation.
AI-based hacking tool referenced as part of the ecosystem of offensive AI tools distributed on dark web and other platforms.
FraudGPT is described as a criminal-use tool sold on dark web markets to automate and enhance fraud activity.