Logo
FrontierNews.ai

The Underground AI Crime Market Is Exploding: What Attackers Are Actually Buying

The criminal AI market is industrializing at an alarming pace, transforming decades-old attack methods into automated, low-skill operations that require nothing more than a Telegram subscription. An analysis of underground cybercrime forums reveals that the barrier to entry for AI-powered attacks has collapsed. In just two months, dark web posts about AI hacking tools exploded from 38 in December 2025 to nearly 1,500 by February 2026, signaling the formation of a functioning criminal marketplace.

What makes this surge particularly dangerous is not technical sophistication, but accessibility. The tools criminals are buying are not custom-built models trained on malware databases. Instead, they are jailbroken wrappers around commercial AI systems like OpenAI's GPT, Anthropic's Claude, and Elon Musk's Grok. By overriding safety guardrails with custom system prompts, criminals have created entry-level gateways that allow novices to execute professional-grade attacks without any technical expertise.

What Are Criminals Actually Buying in This Underground Market?

The criminal AI marketplace has developed a clear product hierarchy, each tool designed to automate a specific stage of the attack chain. Understanding what these tools do reveals why defenders face an accelerating threat.

  • WormGPT and Its Variants: Originally built on GPT-J, an open-source model fine-tuned on malware and phishing material, WormGPT has evolved into an entire category of tools. The original creator shut it down after media exposure in 2023, but the brand escaped into the criminal underground. By June 2026, the official WormGPT Telegram channel had over 15,000 members, and researchers found two new variants running on Grok and Mistral's Mixtral model, both sold through Telegram bots with subscription plans. The latest version, branded Kriminal.AI, is free, with a leaked user database containing records of 19,000 subscribers.
  • FraudGPT: Launched in July 2023, FraudGPT positions itself as an all-in-one operational assistant for the entire fraud chain, including phishing page design, target data scraping, spear-phishing lure drafting, and scam script generation. All delivered through a Telegram bot at $200 per month or $1,700 per year. The tool's longevity comes from its positioning as a productivity engine rather than a simple code generator, allowing fraud operators to scale content production without ethical friction.
  • BruteForceAI: Unlike chatbot-based tools, BruteForceAI is an attack execution layer that uses language models for intelligent form analysis, then executes multi-threaded brute force attacks against identified targets. Fortinet's Global Threat Landscape Report highlighted BruteForceAI as a contributor to a 22% decline in brute force attempts alongside a 25% increase in successful exploitation, meaning attackers are making fewer guesses and landing more hits.
  • HexStrike AI: Originally released on GitHub in July 2025 as a legitimate penetration testing framework, HexStrike integrates 150-plus cybersecurity tools into an autonomous agent architecture. A user gives a natural language instruction like "scan this network for vulnerabilities," and HexStrike manages tool selection, execution, and result correlation. In April 2026, a Russian hacker used HexStrike combined with Claude to breach hotel booking platforms, stealing over 2 million guest records. The tool has over 1,800 GitHub stars and 400 forks.
  • ATHR Voice Phishing Platform: Documented by the Cloud Security Alliance in April 2026, ATHR is a fully automated vishing (voice phishing) platform with a "Sonic 3" text-to-speech engine that oversees multi-step social engineering calls without human involvement. It adapts scripts dynamically based on victim responses and runs dozens of concurrent calls. Open-source voice cloning models like XTTS-v2 and OpenVoice produce convincing voice clones from just three seconds of audio.

How Are These Tools Enabling Unprecedented Attack Scale?

The impact of these tools is quantifiable and staggering. Vishing surged 442% in the second half of 2025, with over 100,000 voice deepfake attacks recorded in the US in 2025 alone. The FBI logged $893 million in confirmed AI fraud losses, though analysts estimate the real figure exceeds $18 billion. One particularly expensive case involved a finance employee who joined a video call where the CFO and several colleagues all looked and sounded correct. Every participant was an AI deepfake. The company lost $25.6 million.

Machine-written phishing has become the dominant attack vector. FBI IC3 data shows a 37% jump in AI-assisted business email compromise (BEC), while Proofpoint observed over 3 million messages attributable to Tycoon 2FA in a single month before its March 2026 disruption. Machine-written phishing now accounts for 82.6% of all phishing emails.

The critical insight is that AI did not create new threats; it removed the skill barrier from existing ones. A copycat WormGPT on a Telegram channel does not represent a technical breakthrough. It represents the industrialization of the oldest attack in the book. A novice who has never drafted a phishing email can open a Telegram chat, describe their target, and receive a grammatically perfect, contextually relevant business email compromise lure in seconds.

How to Defend Against AI-Powered Criminal Tools?

Defenders must shift their strategy away from content analysis and toward behavioral detection and out-of-band verification. The following approaches address the specific threat patterns these tools enable:

  • Treat the Phone Channel as a Primary Attack Surface: Voice cloning is cheap, effective, and widely available. Implement out-of-band verification for any phone-initiated transaction by calling the requester back on a known number. Do not trust an incoming call because the voice sounds right, as deepfake audio is now indistinguishable from authentic voices.
  • Deploy Behavioral Detection Over Content Analysis: AI-generated phishing has no grammatical tells. Detection must shift to behavioral signals such as unusual login times, inbox rule creation after credential entry, and bulk mailbox access from unfamiliar IP addresses. Content-based filters are obsolete against machine-written attacks.
  • Prepare for Autonomous Agents in the Kill Chain: HexStrike and ATHR demonstrate that attackers are building AI agents capable of executing entire attack stages without human intervention. Defensive automation must anticipate multi-stage autonomous attacks that adapt in real time based on target responses.
  • Disrupt the Criminal Infrastructure, Not the Models: The underlying models are not the attack surface; the orchestrator is. Disrupting the criminal AI supply chain means targeting the infrastructure that connects the models to crime: Telegram bots, payment channels, API key resellers, and forum marketplaces.

Why Is Executive PII Exposure Becoming a Multiplier for These Attacks?

The threat landscape extends beyond technical attacks. Exposed executive personally identifiable information (PII) fuels spear phishing and business email compromise campaigns that defeat technical controls. The average executive carries roughly 95 PII instances spread across approximately 200 data broker sites, creating a persistent reconnaissance advantage for attackers.

Data brokers continuously re-aggregate and republish information through automated scraping, meaning that even after successful removal, the same information reappears within 30 to 90 days. Home addresses, personal phone numbers, family member names, and property records form a pre-assembled targeting kit that cyberattackers use to threaten, defraud, or impersonate leaders with precision.

The consequences cascade across four distinct threat categories. Physical safety risks are immediate, as address exposure directly enables stalking and home invasions. Financial fraud follows closely, with the FTC Consumer Sentinel Network reporting that consumers lost $3.5 billion to imposter scams in 2025, the highest figure on record. Impersonation attacks have surged as cyberattackers weaponize exposed PII to create synthetic personas indistinguishable from real leaders, ranging from fake social media profiles to full deepfake-enabled video calls. Social engineering becomes the force multiplier, as PII transforms generic phishing into hyper-targeted spear phishing where attackers reference details only an insider should know.

The market for AI-powered criminal tools is not a temporary phenomenon. It is a structural shift in how attacks are industrialized and distributed. The barrier to entry has collapsed, the tools are affordable and accessible, and the underlying models are continuously improving. Defenders who focus only on technical controls while ignoring behavioral signals, phone-based verification, and executive PII exposure will find themselves outpaced by an adversary ecosystem that operates at machine speed.