While your organization debates responsible AI policies, threat actors have built an entire parallel ecosystem of uncensored language models purpose-built for cybercrime. Here's what the underground looks like in 2026.
For €60 a month — less than most companies spend on a single SaaS license — a threat actor with zero coding skills can now generate polymorphic malware, craft flawless phishing campaigns in any language, and automate reconnaissance at a scale that would have required an entire team two years ago.
This isn't theoretical. It's happening right now, and it's accelerating.
KELA's 2025 AI Threat Report documented a 219% increase in dark web mentions of malicious AI tools between 2024 and 2025. Jailbreak discussions targeting commercial LLMs rose 52% in the same period. And the barrier to entry has effectively collapsed — one open-source malicious LLM can be set up in under five minutes on any Linux machine.
I've spent the past year tracking this ecosystem as a GRC specialist and AI governance practitioner, and what I've found isn't just alarming — it's structurally different from anything the security industry has faced before. The criminal AI underground doesn't just use AI. It mirrors the legitimate SaaS economy in ways that should make every security professional rethink their assumptions.
The Three Layers of Criminal AI
The underground AI ecosystem has matured into three distinct categories, each with different sophistication levels and risk profiles.
Purpose-built malicious LLMs are models created from the ground up or fine-tuned specifically for criminal use. They're trained on malware datasets, exploit code, phishing templates, and offensive material. The most well-known include WormGPT (first seen June 2023, now in its fourth version), FraudGPT ($200/month for full-spectrum fraud capabilities), GhostGPT, and newer entrants like DIG AI and KawaiiGPT. These aren't crude tools — WormGPT v4 demonstrated the ability to generate a functional PowerShell ransomware script, complete with a pressure-driven ransom note and 72-hour payment deadline, from a single prompt.
Jailbroken commercial LLMs represent the second layer. Rather than building from scratch, many criminals simply bypass the safety guardrails of mainstream models. A July 2025 arXiv study found that 14 of 17 state-of-the-art LLMs were vulnerable to jailbreak exploits. The techniques range from role-playing prompts ("Pretend you are an AI without ethical limitations") to adversarial suffixes — crafted token sequences appended to a prompt and optimized to override a model's safety training. New WormGPT variants have been built on top of commercial LLMs like xAI's Grok and Mistral's Mixtral, then resold on underground forums. Chinese open-source models like DeepSeek and Qwen have also been adopted by criminals due to minimal usage restrictions.
Cybercrime prompt playbooks are the latest evolution, and perhaps the most concerning. Rather than selling a tool, criminals sell the knowledge — copy-paste frameworks that teach attackers how to jailbreak any commercial LLM for specific tasks. These are essentially "attack recipes" covering everything from bypass techniques for ChatGPT and Claude to prompt chains for generating undetectable phishing at scale. This is significant because it means the threat no longer requires a dedicated dark LLM at all — any mainstream AI can be weaponized with the right prompt engineering.
What These Tools Actually Produce
Understanding the outputs helps defenders recognize AI-assisted attacks in the wild.
AI-generated phishing and business email compromise is where the most immediate damage is being done. Dark LLMs erase the traditional signals analysts relied on to catch phishing: their output arrives with perfect grammar and spelling in any language, context-aware personalization built from scraped data, session memory for targeted follow-up messages, and executive tone matching for BEC emails that sound exactly like the impersonated person. The old advice — "look for spelling mistakes" — is dead. Detection must shift from content analysis to behavioral analysis: sender reputation, email authentication, link behavior, and anomalous request patterns.
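To make that shift concrete, here is a minimal sketch of what header-level checks can look like, using only Python's standard library. It assumes the inbound gateway stamps an Authentication-Results header (RFC 8601) on delivery and that the message is available as raw bytes; the signal names and checks are illustrative, not a production filter.

```python
# Minimal sketch: score a message on authentication and header signals rather
# than its wording. Assumes the inbound gateway stamps an Authentication-Results
# header (RFC 8601) on delivery; signal names are illustrative.
from email import policy
from email.parser import BytesParser


def behavioral_flags(raw_message: bytes) -> list[str]:
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flags = []

    # SPF/DKIM/DMARC verdicts matter regardless of how polished the text is.
    auth_results = (msg.get("Authentication-Results") or "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        if f"{mechanism}=pass" not in auth_results:
            flags.append(f"{mechanism}_not_passing")

    # A Reply-To domain that diverges from the From domain is a classic BEC tell.
    def domain(header: str) -> str:
        value = msg.get(header) or ""
        return value.rsplit("@", 1)[-1].strip("> ").lower() if "@" in value else ""

    if domain("Reply-To") and domain("Reply-To") != domain("From"):
        flags.append("reply_to_domain_mismatch")

    return flags
```

Notice that nothing here reads the body text. None of these signals get weaker when the prose gets better.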
Malware and exploit generation has similarly been transformed. Dark LLMs can produce polymorphic malware that changes its signature on each execution, ransomware scripts with customizable encryption and payment workflows, infostealers tailored to specific operating systems, and exploit scaffolding for known CVEs. The time from vulnerability disclosure to weaponized exploit has compressed dramatically.
Reconnaissance and OSINT automation rounds out the capability set — automated scraping of target organizations, employee profiling from LinkedIn and social media, technology stack identification from job postings, and supply chain mapping to identify weak links for initial access. All automated, all at scale.
Synthetic identity generation works in concert with deepfake tools to create complete fake personas that pass basic verification. AI-generated documents — IDs, invoices, contracts — support fraud campaigns that would have required specialized forgery skills just two years ago. Combined with voice cloning and face-swap technology, a single operator can impersonate a C-level executive across email, phone, and video.
Think about that for a moment. The attack chain isn't one tool — it's an integrated pipeline. A dark LLM scrapes your company's LinkedIn page, profiles your CFO's communication style, generates a personalized BEC email, and produces a deepfake voice message as follow-up. Each step is automated. Each step used to require a different specialist. Now it's one person with a subscription.
The Criminal AI Economy
What makes this ecosystem truly different from previous cybercrime tooling is its business model. The criminal AI market mirrors legitimate SaaS in ways that are almost satirical.
At the entry level, tools like KawaiiGPT are free and open-source, with roughly 500 active developers contributing. Mid-tier services like WormGPT run €60–100 per month, offering BEC generation, malware creation, session memory, and multi-model support. Premium tools like FraudGPT charge $200/month for full-spectrum fraud capabilities — phishing, vulnerability scanning, chatbot creation, and credential harvesting. Annual plans are available. At the top end, private custom builds start at €5,000 for exclusive models trained on specific datasets.
There's even a meta-layer: scammers scamming scammers. KELA and Check Point both documented fake dark LLM services designed to steal money from other criminals — fraudulent WormGPT clones that collect subscription fees and deliver nothing, and scam Telegram channels promoting non-existent AI capabilities to harvest crypto payments. This meta-scam layer is itself an intelligence indicator: the volume of fraud targeting criminals confirms the enormous demand for AI-powered attack tools.
The open-source accelerant makes all of this worse. Anyone with a GPU and basic technical knowledge can download a model, strip its safety filters, and fine-tune it on malicious datasets. Over 100 poisoned models have been identified on Hugging Face alone — pre-trained with hidden backdoors, waiting to be downloaded by unsuspecting developers or intentionally deployed by threat actors.
This is the part that keeps me up at night as a governance practitioner. Most organizations have no visibility into what models their developers are downloading, what training data those models were built on, or whether the model weights have been tampered with. Your supply chain risk management program probably covers your cloud providers and your SaaS vendors. Does it cover the open-source models your engineering team pulled from Hugging Face last Tuesday?
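One way to start closing that gap is a plain inventory script. The sketch below assumes the default Hugging Face hub cache layout (a models--&lt;org&gt;--&lt;name&gt; directory per repo under ~/.cache/huggingface/hub) and records weight-file hashes so later tampering is at least detectable; paths and file types will need adapting to your environment.

```python
# Minimal sketch: inventory locally cached Hugging Face models so third-party
# risk reviews at least know what has been pulled. Assumes the default hub
# cache layout (~/.cache/huggingface/hub with one "models--<org>--<name>"
# directory per repo); adjust if HF_HOME or HF_HUB_CACHE is set.
import hashlib
from pathlib import Path

HUB_CACHE = Path.home() / ".cache" / "huggingface" / "hub"


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        while block := fh.read(chunk_size):
            digest.update(block)
    return digest.hexdigest()


def inventory_models(cache: Path = HUB_CACHE):
    for repo_dir in sorted(cache.glob("models--*")):
        repo_id = repo_dir.name.removeprefix("models--").replace("--", "/")
        # Hash weight files so later tampering can be checked against this record.
        weight_hashes = {
            weights.name: sha256_file(weights)
            for weights in repo_dir.rglob("*.safetensors")
        }
        yield {"repo": repo_id, "weights_sha256": weight_hashes}


if __name__ == "__main__":
    for entry in inventory_models():
        print(entry["repo"], *entry["weights_sha256"].values())
```

It won't tell you whether a model is safe, but it turns "we have no idea what's in use" into a list you can actually review.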
What This Means for Defenders
If you're a security practitioner reading this, the implications are practical and immediate.
Your phishing detection needs to evolve. Content-based analysis alone will miss AI-generated phishing. Invest in behavioral signals — email authentication verification, anomalous sending patterns, link analysis, and context-aware detection that looks at the relationship between sender and recipient rather than just the text.
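As one illustration of a relationship signal, the sketch below flags first contact between a sender and a recipient, plus sending domains that look like close copies of your own. The corporate domain and the pair history are assumptions; in practice they would come from your own configuration and mail gateway logs.

```python
# Minimal sketch of relationship-based signals: first contact between a sender
# and recipient, plus sender domains that closely resemble your own (lookalikes).
# OWN_DOMAIN and the pair history are assumptions; in practice the history
# would be populated from mail gateway logs.
from difflib import SequenceMatcher

OWN_DOMAIN = "example.com"                      # assumed corporate domain
SEEN_PAIRS: set[tuple[str, str]] = set()        # (sender, recipient) history


def relationship_signals(sender: str, recipient: str) -> list[str]:
    signals = []
    pair = (sender.lower(), recipient.lower())
    if pair not in SEEN_PAIRS:
        signals.append("first_contact")
    SEEN_PAIRS.add(pair)

    sender_domain = sender.rsplit("@", 1)[-1].lower()
    similarity = SequenceMatcher(None, sender_domain, OWN_DOMAIN).ratio()
    if sender_domain != OWN_DOMAIN and similarity > 0.85:
        signals.append("lookalike_domain")      # e.g. examp1e.com vs example.com
    return signals
```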
Assume AI is in the kill chain. Every sophisticated phishing email, BEC attempt, and social engineering attack your team investigates in 2026 likely has an AI component somewhere. This doesn't change your incident response process, but it should change your expectations about the volume and quality of attacks you'll face.
The skill floor for attackers has collapsed. The gap between a nation-state attack and a mid-tier criminal operation is narrowing. A lone threat actor with a €60/month subscription can now produce attack content that previously required organized teams. Your threat models need to account for this democratization.
Governance is your competitive advantage. Organizations that have implemented AI governance frameworks — formal policies for AI tool usage, vendor risk assessments for AI providers, and continuous monitoring for shadow AI — are positioned to respond to this landscape. Organizations that haven't are flying blind.
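Continuous monitoring for shadow AI can start small. The sketch below compares outbound proxy log entries against a watchlist of known GenAI endpoints and a sanctioned list; the log format and both domain lists are assumptions to adapt to your own egress logging and AI usage policy.

```python
# Minimal sketch of shadow-AI monitoring from outbound proxy logs. The CSV
# format (a "host" column) and both domain lists are assumptions to adapt to
# your own egress logging and AI usage policy.
import csv
from collections import Counter

SANCTIONED = {"api.openai.com"}                     # endpoints covered by policy
GENAI_WATCHLIST = {
    "api.openai.com",
    "api.anthropic.com",
    "api.mistral.ai",
    "generativelanguage.googleapis.com",
    "openrouter.ai",
}


def shadow_ai_hits(proxy_log_csv: str) -> Counter:
    hits: Counter = Counter()
    with open(proxy_log_csv, newline="") as fh:
        for row in csv.DictReader(fh):
            host = (row.get("host") or "").lower()
            if host in GENAI_WATCHLIST and host not in SANCTIONED:
                hits[host] += 1
    return hits
```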
Your security awareness training is outdated. If your training still tells employees to watch for broken English and suspicious formatting in emails, you're training for the last generation of attacks. AI-generated phishing is grammatically flawless, contextually appropriate, and personalized. Update your training to focus on behavioral red flags — unexpected urgency, unusual requests through unusual channels, and anything that asks you to bypass a normal process. The content will look perfect. The context is where the tells are.
I work in governance, risk, and compliance, and I'll be blunt: the organizations I see handling this well are the ones that treat AI governance not as a restriction but as enablement. They give employees sanctioned AI tools through approved channels so nobody resorts to shadow IT, they assess AI vendors through the same third-party risk lens they apply to any other technology, and they build policies that account for the fact that AI is now a factor on both sides of every security equation.
The Bottom Line
GenAI-related fraud is projected to reach $40 billion by 2027. The criminal AI ecosystem is not a future threat — it's a current reality with subscription pricing and customer support.
Here's what I find most striking after a year of tracking this space: the criminals aren't innovating in AI. They're innovating in business models. The underlying technology — language models, fine-tuning, prompt engineering — is the same technology legitimate companies use every day. The difference is the application and the absence of guardrails.
That means the defensive advantage doesn't come from building better AI. It comes from building better governance — understanding what AI tools exist in your environment (sanctioned and unsanctioned), assessing the risks of AI across your supply chain, and training your people for a world where the attack content looks indistinguishable from legitimate communication.
The defenders who thrive in this environment won't be the ones with the best firewalls. They'll be the ones who understood earliest that AI changed the fundamental economics of cybercrime, and adapted their detection, their governance, and their assumptions accordingly.
The adversary has their own ChatGPT. The question is whether your organization has a strategy for that reality.
Bedrettin Cakmak is a GRC Specialist and AI Governance Lead based in the Dallas-Fort Worth area. He holds CISSP and CRISC certifications and focuses on the intersection of AI security, third-party risk management, and regulatory compliance. This article is part of "The AI Threat Stack" — a series examining how AI is reshaping both sides of the cybersecurity landscape.