The Self-Hosted AI Problem Cybercriminals Can't Solve (Yet)

Cybercriminals are actively exploring self-hosted, open-source AI models to escape platform restrictions and avoid detection, but a significant capability gap persists: local models still underperform, fine-tuning remains aspirational, and commercial AI tools remain the productive choice even for actors with explicit malicious intent. This disconnect between criminal ambition and technical reality is an important gap in the threat landscape that defenders should understand.

Why Are Criminals Turning to Local AI Models?

Actors across the cybercrime ecosystem are investing in self-hosted and unrestricted models for straightforward reasons: to avoid moderation systems, prevent account bans, and maintain operational privacy. The appeal is obvious. Commercial AI platforms such as OpenAI's ChatGPT and Anthropic's Claude have built-in safety guardrails designed to refuse malicious requests, and accounts that keep probing them get banned. A self-hosted model running on a criminal's own hardware would, in theory, bypass both the refusals and the account-level enforcement.

Users with malware and hacking backgrounds are installing uncensored model variants such as wizardlm-33b-v1.0-uncensored and openhermes-2.5-mistral, then prompting them with comprehensive malicious wishlists spanning ransomware, keyloggers, phishing kits, and exploit code. The strategy makes sense on paper: take an open-source model, remove the safety constraints, and use it to generate attack code without interference.

What's Stopping Them From Making This Work?

The reality is far messier than the theory. Underground discussions consistently reveal a gap between aspiration and capability. Local models still underperform relative to commercial alternatives. Fine-tuning, which would theoretically allow criminals to customize models for specific malicious tasks, remains aspirational rather than practical. Most critically, commercial models remain the productive choice even for actors with explicit malicious intent.

This performance gap matters because it forces a difficult trade-off. Criminals can choose operational security by using local models, or they can choose effectiveness by using commercial platforms. They struggle to achieve both simultaneously. More established actors are conducting structured cost-benefit analyses, evaluating not only hardware requirements and GPU costs but whether locally hosted models produce reliable output or hallucinate. The answer, for now, is often that they do hallucinate, generating plausible-sounding but incorrect code that doesn't actually work.

How Sophisticated Actors Are Actually Using AI

The most capable threat actors have adopted a different approach entirely. Rather than relying on self-hosted models, they're using commercial AI-powered integrated development environments (IDEs) paired with disciplined engineering workflows. The VoidLink malware case illustrates this shift. A single developer using TRAE SOLO, ByteDance's commercial AI-powered IDE, created a sophisticated Linux-based malware framework featuring modular command-and-control architecture, eBPF and LKM rootkits, cloud and container enumeration, and more than 30 post-exploitation plugins.

What made this possible wasn't the AI model itself, but the methodology. The developer used Spec Driven Development, a disciplined engineering workflow that first defined project goals and constraints, then used an AI agent to generate a comprehensive architecture and development plan across three virtual teams. The AI agent implemented the framework sprint by sprint, with each sprint producing working, testable code. What normally would have been a 30-week engineering effort across three teams was executed in under a week, producing over 88,000 lines of functional code.

Steps to Understanding the Threat Landscape Shift

  • Recognize the methodology gap: The critical differentiator in AI-assisted malware development is not which model or platform attackers use, but the combination of AI methodology with domain expertise. Forum-based actors using unstructured prompting remain relatively unsophisticated, while capable actors combining domain expertise with disciplined AI workflows leave far fewer traces in open forums.
  • Understand the architectural pattern: The operative control layer in advanced AI-assisted development is not code but structured documentation, typically markdown specification files that determine what AI agents build, how they behave, and what constraints they observe or ignore. This same pattern is now appearing across the threat landscape.
  • Assess the self-hosting reality: While criminals aspire to use self-hosted models to avoid detection, the performance gap between local and commercial models means that truly capable actors continue to rely on commercial platforms paired with sophisticated engineering workflows rather than local alternatives.
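To make the "specification as control layer" pattern described in the VoidLink section and in the second step above concrete, the following is a hypothetical, deliberately benign specification file of the kind an agentic IDE consumes. It is an added illustration, not VoidLink's spec, not a TRAE SOLO artifact, and not code from the page's author; the project name `logsift`, the module layout, the constraints and the sprint breakdown are all assumptions chosen to show the shape of such a file.

```markdown
# SPEC.md: project control file (hypothetical, benign example)

## Goal
Build `logsift`, a command-line tool that parses syslog lines and flags
repeated failed SSH logins by source IP.

## Constraints (the agent must observe these)
- Language: Python 3.11, standard library only.
- No network access at build time or run time.
- Every module ships with unit tests; a sprint is not done until the
  test suite passes.
- Input is untrusted: parse with a fixed regex, never `eval` or shell out.

## Architecture (agent-generated plan, reviewed by the human before Sprint 1)
- `parser/` : syslog line tokenizer
- `rules/`  : detection rules (N failures per IP within a time window)
- `cli/`    : argument parsing and JSON output

## Sprint plan (each sprint ends with working, tested code)
### Sprint 1: parser
- Acceptance: `parse(line)` returns a dict with `ts`, `host`, `proc`, `msg`.
### Sprint 2: rules
- Acceptance: 6 failures from 203.0.113.7 within 60 s produce exactly one alert.
### Sprint 3: cli
- Acceptance: `logsift auth.log --threshold 5` exits 0 and prints alerts as JSON.
```

The section that matters most for defenders is "Constraints". It is the same place where a legitimate team writes "standard library only" and "tests must pass" that an attacker writes the constraints and omissions that shape the generated tooling, which is why the page describes the spec, rather than the code, as the operative control layer. Where such files survive on a build host or in a leaked repository, they document intent and process more directly than the generated source does.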

The broader implication is that the cybercrime ecosystem is not developing its own AI capability. It is adopting the same tools and architectural patterns as legitimate technology, with the additional goal of trying to overcome the protective limitations built into these systems. This means that defenders should expect AI involvement in malware development to become a default working assumption, even when there are no visible indicators of AI use.

For organizations monitoring threats, the key insight is that the most dangerous actors are not those struggling with self-hosted models in underground forums. They are the ones with deep security knowledge who have adopted the same agentic AI development paradigm that transformed legitimate software development throughout 2025. These actors leave far fewer traces, making the true scope of this shift harder to measure but potentially more significant than the visible forum activity suggests.