Jun 05, 2026
Apr 24, 2026
10 Mins Read
Apr 27, 2026
WormGPT: The Blueprint for Malicious AI
The story of WormGPT is about what happens when a proof-of-concept becomes a brand and is one of the first examples of how AI is used in cyberattacks.
Origins and the Original Version
On June 28, 2023, a user on a popular hacking forum introduced WormGPT, marketing it as a no-limits alternative to mainstream AI, specifically built for cybercriminals. ChatGPT had just spent months showing the entire world, including its worst actors, what a capable language model could do. WormGPT was the underground community’s answer to the guardrails that kept legitimate tools in check.
Original WormGPT post in June 2023, marketed as ‘’The biggest enemy of the ChatGPT’’
The original version was built on GPT-J 6B, an open-source model from 2021. Its creator claimed to have fine-tuned it on malware code, exploit write-ups, and phishing templates. It sold on a subscription basis, ranging from around 60 to 100 euros per month, with a premium private version reportedly priced at several thousand.
A July 2023 forum thread where a potential buyer questions the WormGPT developer directly on the underlying model, training data, and capabilities.
That forum thread from July 2023 gives a rare look at the creator in their own words. A potential buyer asked blunt technical questions before subscribing: which LLM, what training data, and how it handles errors. The developer answered without much fuss. GPT-J from 2021, training data pulled from multiple sources with a focus on malware, and yes, users had already noted it handled error correction better than GPT-3.5. No pitch, just a candid back-and-forth on a cybercrime forum.
Shutdown and What Followed
Then the media found it. Over a hundred outlets covered it. The story went mainstream fast, and the creator, now facing serious exposure, shut the original WormGPT down on August 8, 2023, posting a message on the forum trying to distance themselves from how it was being used. Short run, loud exit.
The shutdown gave the brand more life than the tool ever had. The day after it closed, a seller was already on the same forums advertising Evil-GPT as the best alternative, written in Python, for ten dollars.
Posted on August 9, 2023, the day after WormGPT’s shutdown. A seller immediately moved to fill the gap, advertising Evil-GPT as the direct replacement at a fraction of the original price.
Numerous malicious AI models like FraudGPT, appeared almost at the same time, followed by EscapeGPT, WolfGPT, and a wave of others through late 2023. Most of them did not hold up under scrutiny. When users actually tried to get genuinely illegal outputs, many of these tools pushed back with disclaimers that gave away the fact they were running on jailbroken ChatGPT. The underground forums noticed. Threads calling them out as cash grabs started appearing alongside the sales posts.
The Brand Lives On
Through 2024 and into 2025, listings for tools like WormGPT 3.0 kept surfacing in unverified seller sections on major forums. The branding was polished. The promises were the same as always: multiple languages, no restrictions, no OpenAI limitations.
A WormGPT 3.0 listing in a forum’s unverified sellers section, 2024. The pitch is nearly identical to the original 2023 ads.
Researchers at Cato Networks looked closely at two variants posted on BreachForums between October 2024 and February 2025. One, posted by a user called xzin0vich in October 2024, turned out to be running on Mixtral. Another, posted by a user called Keanu in February 2025, was a wrapper around Grok, using a custom system prompt to instruct the model to bypass its own guardrails. Neither was an original model. Neither involved new training data. Both were built on legitimate AI APIs with a jailbreak prompt doing the heavy lifting.
The WormGPT name had also quietly made its way onto the clear web by this point. Two sites, wormgpt[.]ai and wormgpt[.]net, were operating publicly and visibly, no Dark Web access needed, no forum membership required. Both presented themselves as legitimate access points to WormGPT, complete with pricing pages and subscription options. Neither has any verifiable connection to the original developer.
Based on the patterns, sites like these are likely one of two things: a jailbroken wrapper around an existing model dressed up with branding, or an outright scam collecting payments with nothing real behind them.
The Breach
The risks of engaging with these platforms go beyond getting a bad product. In February 2026, a user on BreachForums posted what they claimed was the full database of wormgpt.ai, one of those clear web sites. Over 19,000 users exposed. Emails, payment data, subscription records, UIDs.
The BreachForums post from February 10, 2026, claims to publish the full wormgpt.ai user database. Over 19,000 users, emails, payment data, and subscription records.
The people who paid to access a tool built to victimize others had their own data dumped on the same forum where the original WormGPT was first sold. It is a useful reminder of what the actual trust relationship looks like when you hand payment details to an anonymous operator running an illegal service. Therefore…
We Bought One
To see what the clear web version of this ecosystem actually delivers these days, we purchased access through one of the sites currently operating under the WormGPT name, paying via cryptocurrency. Access came through a Telegram bot within an hour.
First interaction with the WormGPT-branded tool via Telegram.
We ran a couple of queries. The experience was mediocre at best, but it has a threat potential.
A public website, a standard checkout, a Telegram handle, and within minutes, something marketed as unrestricted criminal AI was accessible. No Dark Web required. No technical knowledge. No vetting of any kind. There’s only one obstacle, and that’s the fee.
Pricing options for one of the most popular models available on the clear web.
Prices vary depending on the model, and version v3 has far fewer options and doesn’t allow file uploads. Purchases are made via cryptocurrency; a bot will speak to you when you initiate a conversation using the /buy function, but if you persist enough, a human operator with insufficient English will provide you with the wallet QR code, and payment will be accepted and the model activated within approximately one hour.
Getting straight to the point, in the first prompt, we ask it to create malware, and it chooses to create a keylogger.
The model presents you with a script that can easily be found on the web, but ultimately, there’s no “limit”.
Then we ask it to do the same thing for a specific system, and it is able to execute the command.
WormGPT is generating a keylogger for macOS in Python.
Next, we asked it to create a phishing page, which is a popular use case for these types of tools.
WormGPT generates a functional phishing page mimicking Google’s sign-in interface, complete with credential-harvesting code.
It can’t even display this on Telegram, since it lacks an interface like the legitimate models we’re familiar with. Instead, it just provides the HTML code.
So what’s left? Naturally, a ransomware. Does it work? Hardly, but it’s a decent attempt. One could argue it serves as a starting point.
WormGPT is creating a ‘’ransomware’’ that encrypts all files on the Desktop of a Windows host.
What These Tools Actually Do
These cybercrime LLM tools are not the autonomous criminal superintelligence that the early coverage sometimes implied. They lower the skill floor. A person who cannot write convincing English can now send convincing phishing emails. Someone with no coding background can get a working first draft of a malicious script.
Developers use AI to write and debug code faster. Attackers use these tools to write malware and run phishing campaigns faster. The difference is that one side operates on platforms with accountability, oversight, and terms of service. These tools exist precisely because they carry none of that. However…
This Was the Cheap End of the Market
WormGPT is the entry-level option. On the same forums and across the Dark Web, more capable alternatives are already circulating — some partially free, some outperforming the paid tiers on the tasks that matter to attackers.
The more significant shift is happening offline. Locally-run open-source models now offer the same no-guardrails capability without a subscription, a Telegram bot, or any digital footprint whatsoever.
At the higher end, the threat gets considerably harder to reason about. Nation-state actors with the resources to fine-tune frontier-scale models on classified operational data don’t need WormGPT. The open question is what an APT operation looks like when it has a capable, sovereign AI with no alignment constraints.
Hackers Are Already Using AI
The same logic that makes AI-powered cyber attacks effective — autonomous agents operating at scale with minimal human oversight — is exactly what defense needs to match them. SOCRadar Agentic Threat Intelligence deploys specialized AI agents that proactively detect phishing campaigns, credential leaks, brand abuse, and impersonation attempts without waiting for a human to connect the dots. Continuous, modular, and built for the threat landscape that actually exists today.
SOCRadar Agentic Threat Intelligence
