Threat Intelligence

The AI Copycat Economy: What Attackers Are Actually Buying 

The AI Copycat Economy: What Attackers Are Actually Buying 

I track underground cybercrime markets as an adversary operations group (AOG) analyst. In December 2025, I counted 38 dark web forum posts about AI hacking tools. In February 2026, I counted nearly 1,500. The explosion is not hype. It is a market forming in real time. 

Here is what criminals are buying, what each tool does, and what defenders need to understand about a threat landscape where the barrier to entry is a Telegram subscription. 

The Brand That Refuses to Die: WormGPT 

WormGPT first appeared on Hack Forums in June 2023. It was built on GPT-J, an open-source model fine-tuned on malware and phishing material. The original creator shut it down after media exposure, but the brand had already escaped. 

In 2026, “WormGPT” is not a single tool. It is a category. Cato CTRL researchers found two new variants in active circulation on BreachForums. One runs on xAI’s Grok, the other on Mistral’s Mixtral (Cato CTRL, Jun 2025). Both use custom system prompts to override the safety guardrails of commercial models. Both are sold through Telegram bots with subscription plans. 

The official WormGPT Telegram channel now has over 15,000 members (Computer Weekly, Jun 2026). The latest version, branded Kriminal.AI, is free. The leaked user database contained records of 19,000 subscribers (ASEC, May 2026). 

WormGPT’s longevity is not about technical sophistication. The underlying models are jailbroken wrappers around commercial APIs. The value is sociological. It is an entry-level gateway. A novice who has never drafted a phishing email can open a Telegram chat, describe their target, and receive a grammatically perfect, contextually relevant BEC lure in seconds. 

FraudGPT: The Productivity Suite 

FraudGPT launched in July 2023 from the same group behind the original WormGPT (Netenrich, Jul 2023). It is marketed as an all-in-one operational assistant for the fraud chain: phishing page design, target data scraping, spear-phishing lure drafting, and scam script generation. All delivered through a Telegram bot at $200 per month or $1,700 per year. 

Recent analysis posits that FraudGPT’s longevity comes from its positioning as a productivity engine rather than a simple code generator. The buyer is not a malware author. The buyer is a fraud operator who needs to scale content production. 

The underlying architecture has shifted. Early versions claimed to use proprietary uncensored models. Current variants are basic wrappers around jailbroken commercial APIs. The wrapper does not matter to the buyer. What matters is that a prompt like “write a professional urgent invoice notification for a UK construction firm” returns a usable output without ethical friction. 

BruteForceAI: Precision over Volume 

This one is different. BruteForceAI is not a chatbot. It is an LLM-integrated attack execution layer that prioritizes precision over volume (Fortinet, Jun 2026). It uses language models for intelligent form analysis, then executes multi-threaded brute force attacks against the targets it identifies. 

Fortinet’s Global Threat Landscape Report highlighted BruteForceAI as a contributor to a 22% decline in brute force attempts alongside a 25% increase in successful exploitation (FortiGuard Labs, Jun 2026). Attackers are making fewer guesses and landing more hits. BruteForceAI is the reason. 

HexStrike AI: The Autonomous Offensive Framework 

HexStrike AI was released on GitHub in July 2025 by a security researcher as a legitimate penetration testing framework. It integrates 150-plus cybersecurity tools into an autonomous agent architecture. A user gives a natural language instruction like “scan this network for vulnerabilities.” HexStrike manages tool selection, execution, and result correlation. 

The tool was hijacked by criminals within months. In April 2026, a Russian hacker used HexStrike combined with Anthropic’s Claude to breach hotel booking platforms, stealing over 2 million guest records (Cybernews, Jun 2026). The attacker used HexStrike AI to automate reconnaissance, generate penetration test reports as cover, and exfiltrate PII. 

HexStrike AI has over 1,800 GitHub stars and 400 forks. Version 7.0 promises 250 agents, Docker support, and a desktop client (GitHub, 2026). The tool’s existence is not a vulnerability. Its weaponization by threat actors is the predictable outcome of releasing an autonomous attack framework without deployment controls. 

ATHR: The AI Vishing Platform 

Voice phishing used to require human operators. That constraint is gone. 

ATHR, documented by the Cloud Security Alliance in April 2026, is a fully automated vishing platform (CSA, Apr 2026). Its “Sonic 3” text-to-speech engine oversees multi-step social engineering calls without human involvement. It adapts scripts dynamically based on victim responses. It runs dozens of concurrent calls. 

The technology behind it is not exotic. Open-source voice cloning models like XTTS-v2 and OpenVoice produce convincing voice clones from three seconds of audio (Lyrie Research, May 2026). Commercial APIs like ElevenLabs offer the same capability for cents per minute. Real-time inference services synthesise responses inside the call with latency low enough to feel natural. 

The result is predictable. Vishing surged 442% in the second half of 2025 (DeepStrike, cited by CSA, Apr 2026). Over 100,000 voice deepfake attacks were recorded in the US in 2025 (Lyrie Research, May 2026). The FBI logged $893 million in confirmed AI fraud losses, with analysts estimating the real figure exceeds $18 billion. 

The most expensive public case: a finance employee joined a video call where the CFO and several colleagues all looked and sounded correct. Every participant was an AI deepfake. The company lost $25.6 million (Polygraf AI, Jun 2026). 

The Common Architecture 

Every tool on this list shares a structural pattern. They are not custom models trained on criminal infrastructure. They are jailbreak wrappers around commercial or open-weight models (Trend Micro, Jan 2026). The criminal market has learned to extract value from the AI industry’s own R&D without bearing the cost of development. 

WormGPT and FraudGPT wrap Grok and Mixtral with custom system prompts. HexStrike connects Claude to 150 security tools through the MCP protocol. BruteForceAI uses LLMs for target selection and attack optimization. Even the deepfake tools rely on open-source models published on Hugging Face and GitHub. 

This is important for defenders. The underlying models are not the attack surface. The orchestrator is. Disrupting the criminal AI supply chain means targeting the infrastructure that connects the models to the crime: Telegram bots, payment channels, API key resellers, and forum marketplaces. 

What This Changes 

FBI IC3 data shows a 37% jump in AI-assisted BEC (cited by The AI Index, Jun 2026). Proofpoint observed over 3 million messages attributable to Tycoon 2FA in a single month before its March 2026 disruption. Machine-written phishing now accounts for 82.6% of all phishing emails (DeepStrike, cited by The AI Index, Jun 2026). 

The numbers tell a consistent story. AI did not create a new threat. It removed the skill barrier from existing ones. 

A copycat WormGPT on a Telegram channel does not represent a technical breakthrough. It represents the industrialisation of the oldest attack in the book. The tools change every quarter. The names rebrand. The mechanism stays the same. 

What Helps

Treat the phone channel as a primary attack surface. Voice cloning is cheap, effective, and widely available. Implement out-of-band verification for any phone-initiated transaction. Call the requester back on a known number. Do not trust an incoming call because the voice sounds right. 

Deploy behavioural detection, not content analysis. AI-generated phishing has no grammatical tells. Detection must shift to behavioural signals: unusual login times, inbox rule creation after credential entry, bulk mailbox access from unfamiliar IPs. 

Prepare for autonomous agents in the kill chain. HexStrike and ATHR demonstrate that attackers are building AI agents capable of executing entire attack stages without human intervention. Defensive automation must respond at the same speed. 

Assume every executive’s voice is already cloned. Earnings calls, conference keynotes, and podcast appearances provide training data. Three seconds is enough. Build process controls that do not depend on voice as a trusted signal. 

Sources