Malicious AI models are custom or fine-tuned language models, stripped of safety filters, that criminals sell on dark web forums to write phishing emails, generate malware, and automate fraud. Names like WormGPT, FraudGPT, and EvilGPT have become the public face of this trend, but they represent a category of tools rather than a single product. That category is what security teams actually need to understand.
What Is Dark Web AI? Defining the Threat Category
“Dark web AI” refers to large language models that have been deliberately built or modified to remove the ethical guardrails found in mainstream tools like ChatGPT or Gemini, then marketed to cybercriminals through underground forums and Telegram channels. These are not new AI architectures; most are fine-tuned versions of open-source models, repackaged with a criminal-facing interface and a subscription price tag.
Uncensored LLMs vs. jailbroken models. There are two distinct approaches behind this category. Some tools, like the original WormGPT, are trained or fine-tuned from the ground up on malware and phishing data, so refusing harmful requests was never part of their design. Others are closer to wrapper services: they route prompts through a jailbroken session of a mainstream model, using prompt tricks to bypass its safety layer rather than building a new model at all. Both approaches yield the same result: an assistant with no content moderation and no restrictions on what it will generate.
Why threat actors moved to AI: the appeal is speed and polish, not raw novelty—writing a convincing phishing email or malicious script used to require either language skills or coding skills. A capable text-generation model removes that requirement, letting a non-native English speaker produce a grammatically clean business email compromise (BEC) lure in seconds. Security researchers at Huntress describe this as the elimination of the classic phishing red flags, the poor grammar and awkward phrasing that awareness training has taught employees to spot for years.
A Field Guide to Known Malicious AI Models
Since mid-2023, a small ecosystem of branded “dark LLMs” has emerged, each marketed with its own claims but built on the same underlying premise: an AI assistant with no ethical limits, sold as a criminal product.

WormGPT. WormGPT is widely regarded as the first commercialized malicious LLM, surfacing on hacker forums in 2023 as a “blackhat alternative” to ChatGPT. It was built by fine-tuning the open-source GPT-J model on malware- and phishing-related data, and it was marketed on a subscription basis, reportedly priced from $60 to $700. Its original developer shut down the project in August 2023 after drawing heavy media and security research attention. Still, the name “WormGPT” has since been reused by unrelated copycat services, which is why “WormGPT” today functions more as a brand than as a single fixed tool.
FraudGPT. FraudGPT positions itself explicitly as a tool for “fraudsters, hackers, scammers and like-minded individuals,” sold by a vendor claiming verified status across several dark web marketplaces. Its advertised feature set goes beyond phishing emails to include building phishing pages, writing malicious code, locating leaked data, and finding non-VBV payment card numbers for fraud. According to reporting from SecureOps, its seller has claimed over 3,000 confirmed sales across subscription tiers priced at roughly $1,700 per year, a proof point that this is being run as a commercial product, not a hobbyist experiment.
EvilGPT, WolfGPT, VenomGPT, and other variants. Following WormGPT and FraudGPT, a rotating cast of similarly branded tools, including EvilGPT, WolfGPT, VenomGPT, MalwareGPT, XXXGPT, and others, has appeared on the same forums, generally offering the same core pitch: an “unrestricted” chatbot for phishing content, scam scripts, or code assistance. Security researchers note that many of these are rebrands or resellers rather than genuinely distinct models, and that the underground AI product market includes a substantial share of tools that underdeliver on their marketing or are outright scams targeting the criminals who buy them.
Documented decline and churn. It’s worth noting what researchers have also found: these packaged, subscription-based tools have a short shelf life. Within roughly six months of the initial WormGPT and FraudGPT hype, threat intelligence teams observed criminals shifting toward repurposing openly available, uncensored models instead of paying for a branded product, since open-source alternatives could match or exceed the branded tools’ output for free. The “dark web AI” market is real but volatile, and any single-tool snapshot quickly goes stale.
How These Tools Are Used in Real Attacks
The primary real-world use of malicious AI tools is generating convincing, error-free phishing and business email compromise content at a scale and speed manual writing can’t match. A single operator using one of these tools can produce hundreds of unique, polished phishing emails in the time it once took to draft one by hand, which directly undermines detection methods built around recognizing repeated templates.

Phishing and BEC email generation. This remains the best-documented and most consistently reported use case. SlashNext researchers tested WormGPT by having it draft an email intended to persuade an accounts payable employee to pay a fraudulent invoice. They described the results as “unsettling” in their persuasiveness. This is the core commercial pitch behind nearly every tool in this category.
Malware and code assistance. Several of these tools advertise the ability to generate or obfuscate code, and demo material for FraudGPT has reportedly shown it producing working code for fake bank login pages. Security researchers are careful to note that output quality varies and isn’t reliably production-ready, but it measurably reduces the effort and skill required to get started.
Social engineering scripts and impersonation. Beyond email, these models can generate conversational scripts that impersonate employees, vendors, or support staff in real time, enabling scam calls, fake support chats, and SMS phishing (smishing) campaigns.
Fraud automation. Some tools extend into finding leaked data, locating usable stolen payment card numbers, and building supporting infrastructure like phishing pages, turning the model into one piece of a broader fraud pipeline rather than a standalone chatbot.
Why They’re Dangerous: Removing the Guardrails
The core danger of these tools isn’t a new capability; it’s the deliberate removal of the safety layer that legitimate AI providers build in by default. Mainstream models are designed to reject requests for phishing content, malware, or fraud scripts; malicious AI tools are built or altered specifically so that such requests are never rejected.
No ethical filters. Where legitimate providers invest in content moderation, abuse monitoring, and regulatory compliance, these tools are marketed on the explicit promise of having none of that. FraudGPT’s own advertising describes it as a “bot without limitations, rules, and boundaries.”
Subscription and dark-market business models. These tools are run as genuine businesses, complete with pricing tiers, customer support claims, and marketplace listings across dark web markets. That commercial structure is itself a signal: it means demand is real enough to sustain recurring revenue, and it means the tools will keep iterating rather than disappearing.
Rapid iteration and rebranding cycles. When one tool draws too much law-enforcement or media attention and shuts down, as WormGPT’s original developer did in 2023, the underlying idea doesn’t disappear; the brand name gets reused by unrelated operators, or the same functionality reappears under a new name. Defenders who focus on blocking a specific named tool will always be a step behind the next rebrand.
2024–2026 Trends: The Evolving Landscape
The dark web AI landscape has shifted from branded subscription products toward more decentralized, harder-to-track alternatives. As open-source language models have become more capable and easier to fine-tune, criminals increasingly prefer to repurpose freely available models rather than pay for a packaged tool like WormGPT or FraudGPT, since the results are comparable at no cost.

New entrants and rebrands. The original WormGPT and FraudGPT era has given way to a longer list of similarly named tools, and researchers have also documented threat actors repurposing legitimate security-research tools, models originally built to help red teams test defenses, for offensive use instead.
Law enforcement and industry scrutiny. Agencies including Europol and the FBI have publicly flagged the growth of AI-enabled cybercrime, and that scrutiny has directly contributed to shutdowns like WormGPT’s 2023 closure. Ironically, even the criminal tools themselves aren’t immune to security failures: a 2026 data leak reportedly exposed close to 19,000 WormGPT user accounts, including emails and payment metadata, turning the anonymity these buyers sought into a new identification risk.
Healthy skepticism in the research community. Not every claim about AI-powered cybercrime holds up. Some widely cited statistics, including a claim that 80% of ransomware is AI-enabled, have been publicly debunked, and researchers monitoring underground forums have found that many criminals themselves are skeptical of these tools, describing the branded AI product market as largely low-quality or outright scams. The realistic picture sits between the two extremes: a genuine and growing threat vector, but not yet the dominant one in most attack chains.
How Organizations Can Detect and Defend Against AI-Generated Attacks
Defending against AI-generated attacks means shifting away from detection methods that rely on spotting human error, since that’s precisely what these tools are designed to eliminate. The starting point is accepting that grammar and tone are no longer reliable phishing indicators.
Recognize AI-written phishing red flags. Traditional advice, watch for typos, awkward phrasing, and generic greetings, is losing effectiveness against AI-generated lures. Updated training should instead focus on behavioral cues: unexpected urgency, unusual payment or credential requests, and mismatches between a message’s claimed sender and normal communication patterns, verified through out-of-band checks like a phone call to a known number.
Monitor for brand and credential exposure on the dark web. Because these tools are frequently used to weaponize leaked data, combining stolen credentials, breached personal information, or exposed corporate details into personalized lures, continuous dark web monitoring for exposed employee credentials, brand mentions, and leaked customer data closes off much of the raw material these attacks depend on. Catching that exposure before it’s used in a campaign is often more effective than trying to catch the resulting email after it’s sent.
Adapt employee training. Awareness programs need updated examples that reflect what AI-generated phishing actually looks like today: polished, personalized, and free of the old warning signs. Pairing that training with strong authentication, email filtering tuned to behavioral anomalies, and network segmentation limits the damage even when a well-crafted lure gets through.
Key Takeaways: Staying Ahead of AI-Powered Threats
Malicious AI on the dark web isn’t a single product to block; it’s an evolving category of tools built to remove the safety limits of mainstream AI and hand attackers faster, more convincing phishing and fraud capabilities. WormGPT and FraudGPT put the trend on the map, but the underlying tools keep rebranding, shutting down, and resurfacing, making it a losing long-term strategy to chase individual tool names. The more durable defense is structural: train employees on behavioral rather than grammatical red flags, verify unusual requests out-of-band, and monitor continuously for the leaked credentials and exposed data these campaigns are built on, since closing off that raw material does more to blunt an AI-generated attack than trying to catch it after the email is already in an inbox
Frequently Asked Questions (FAQ’s)
Is there really an AI built for the dark web?
Yes. Since 2023, security researchers have documented multiple language models, including WormGPT and FraudGPT, that were fine-tuned or configured specifically to generate phishing content, malicious code, and fraud material without restriction and were sold through dark web marketplaces and Telegram channels.
What is WormGPT, and is it still active?
WormGPT was one of the first commercialized malicious LLMs, built on the open-source GPT-J model and marketed as an unrestricted alternative to ChatGPT. Its original developer shut down the public version in August 2023. Still, the name has since been reused by unrelated copycat tools, so “WormGPT” today refers to a category as much as to a specific product.
What is FraudGPT used for?
FraudGPT is marketed for generating phishing emails and pages, writing malicious code, locating leaked data, and finding stolen payment card details, sold on a subscription model with a vendor claiming thousands of confirmed sales.
Are WormGPT, FraudGPT, and similar tools as dangerous as they sound?
They lower the skill barrier to phishing and fraud and measurably improve the quality of scam content. Still, researchers caution against overstating their sophistication: many advertised capabilities remain unverified, output quality is inconsistent, and a meaningful share of the underground AI product market consists of scams targeting buyers themselves.
How can a company tell if it’s been targeted with AI-generated phishing?
There’s rarely a single tell. The most reliable approach combines behavioral email analysis, verification of unusual requests through a separate communication channel, and monitoring for the leaked credentials or data that often feed these campaigns in the first place.



