AI-Powered Hacking Tools Proliferate on the Dark Web
A growing underground market for AI-powered hacking tools is emerging on dark web forums, according to research from Palo Alto Networks' Unit 42. These tools, including commercialized versions like WormGPT and free models such as KawaiiGPT, are designed to assist cybercriminals with tasks such as vulnerability scanning, data encryption, and generating malicious code. The accessibility and user-friendly nature of these large language models (LLMs) are significantly lowering the technical barriers for cybercrime, enabling even unskilled individuals to create attack scripts and conduct cyberattacks using simple conversational prompts.
While the technical sophistication of these "dark LLMs" remains limited, their primary impact is in democratizing cybercrime by empowering low-level hackers and script kiddies. The tools are particularly useful for generating grammatically correct phishing emails and basic malware, especially for users operating across language barriers. Despite initial fears of highly advanced AI-driven cyberattacks, current evidence suggests that these models are more effective at aiding petty criminals than enabling complex, autonomous cyber operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Academic study analyzes cybercriminal discussions of AI use
An academic paper examined more than 160 cybercrime forum conversations collected over seven months to assess how offenders discuss and experiment with AI. The study found growing interest in both legitimate AI services and bespoke criminal tools, alongside skepticism about effectiveness, operational security risks, and disruption to existing criminal business models.
Researchers assess dark LLMs as low-skill enablers, not a major leap
In its analysis, Unit 42 concluded that so-called dark LLMs mainly help low-level criminals and non-native speakers create basic malware and more polished phishing content, rather than enabling sophisticated new attacks. The report said most outputs remain generic and detectable with existing defenses, with the main risk being lowered barriers to entry and easier attack-script creation through conversational prompts.
Unit 42 observes dark-web market for AI-powered hacking tools
Palo Alto Networks' Unit 42 documented an emerging underground market on dark web forums for custom, jailbroken, and open-source LLMs marketed for cybercriminal tasks such as phishing, malware generation, vulnerability scanning, and data encryption. Researchers found both commercial and free offerings, including subscription-based WormGPT variants and the free KawaiiGPT model.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
How Hackers Are Thinking About AI - Schneier on Security
schneier.com
Open sourceAI hacking tools sold on dark web
scworld.com
Open source'Dark LLMs' Aid Petty Criminals, But Underwhelm Technically
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious LLMs Enable Low-Skilled Attackers with Advanced Cybercrime Tools
Unrestricted large language models (LLMs) such as WormGPT 4 and KawaiiGPT are being leveraged by cybercriminals to generate sophisticated malicious code, including ransomware scripts and phishing messages. Researchers from Palo Alto Networks Unit 42 demonstrated that WormGPT 4, a paid, uncensored ChatGPT variant, can produce functional PowerShell scripts for encrypting files with AES-256, automate data exfiltration via Tor, and craft convincing ransom notes, effectively lowering the barrier for inexperienced hackers to conduct advanced attacks. KawaiiGPT, a free community-driven alternative, was also found to generate well-crafted phishing content and automate lateral movement, further democratizing access to cybercrime capabilities. The proliferation of these malicious LLMs is accelerating the adoption of advanced attack techniques among less skilled threat actors, enabling them to perform operations that previously required significant expertise. The tools are available through paid subscriptions or free local instances, making them accessible to a wider range of cybercriminals. Security researchers warn that the credible linguistic manipulation and automation provided by these LLMs could lead to an increase in the volume and sophistication of cyberattacks, including business email compromise (BEC), phishing, and ransomware campaigns.
Mar 21, 2026
Commercialization of Malicious LLMs for Cybercrime
Malicious large language models (LLMs) such as WormGPT 4 and KawaiiGPT are now being actively marketed and distributed within cybercrime communities, with WormGPT 4 available for $50 per month on Telegram and KawaiiGPT offered as open source on GitHub. Security researchers from Palo Alto Networks' Unit 42 have analyzed these tools, highlighting their ability to generate functional ransomware code with AES-256 encryption, Tor-based data exfiltration, and scripts for SSH lateral movement, all within seconds. These LLMs are designed without ethical guardrails, enabling threat actors to automate and enhance the quality of attacks, including spear-phishing, payload generation, and real-time execution of malicious code. The emergence of these offensive LLMs marks a shift from theoretical concerns to practical, commercialized tools that lower the barrier for cybercriminals. The models feature subscription tiers, active user communities, and the ability to generate sophisticated attack code on demand, demonstrating the growing integration of artificial intelligence into the cybercrime-as-a-service ecosystem. Security experts warn that the adoption of such AI-driven tools is likely to accelerate the speed and effectiveness of cyberattacks, posing new challenges for defenders.
Mar 21, 2026
Criminal AI Services Accelerate Phishing, Fraud, and Malware Evasion
Underground operators are increasingly packaging generative AI into **criminal AI-as-a-service** offerings that support phishing, fraud, impersonation, malware modification, translation, and post-breach data analysis. Reporting on the market describes branded tools such as **FraudGPT**, **GhostGPT**, and **WormGPT**, but says many are little more than wrappers around legitimate models, stolen accounts, or hijacked API keys rather than fully autonomous hacking platforms. Researchers also highlighted a parallel market for deepfake-enabled abuse, including voice cloning, face swaps, fake selfies, and virtual camera injection used for KYC bypass, synthetic identity fraud, and onboarding scams. Sophos separately identified a malware development lab using AI tools including **Cursor** and **Claude Opus** to speed ransomware-related coding, payload refinement, and evasion testing. The framework reportedly generated Python-driven Rust and Go malware modules, customized **Cobalt Strike** profiles, Telegram-based command channels, Cloudflare Worker intermediaries for command-and-control traffic, code-injection scripts targeting legitimate Windows applications, and AI-assisted Active Directory reconnaissance. Researchers said the operation tested nearly 80 modules against more than 70 evasion methods across Sophos, CrowdStrike, and Microsoft defenses, reinforcing that the immediate risk is not autonomous AI malware but faster, cheaper, and more scalable attacker workflows.
Jun 18, 2026