The AI tools for sale divided into four categories:
- Weaponized LLMs: Sometimes called dark LLMs, these tools omit the safety guardrails and rules present in legitimate large language models (LLMs). “WormGPT” is the market leader in this category of cybercrime-focused AI tooling but only as a brand used by multiple operators, some of which are straightforward scams that collect payments without offering any service.
- AI-enabled identity fraud: Tools in this category include voice and video-enabled deepfakes, created using AI, that are used to fool selfie-based recognition systems and other know your customer (KYC) security controls, among other fraudulent applications. The same tools can also be used as part of business email compromise scams.
- AI-augmented malware and attack infrastructure: AI-driven infrastructure is being used to aggregate, process, and exfiltrate stolen data more efficiently.
- Jailbroken and stolen AI services: Hacked AI accounts are the largest category of services offered and the cheapest.
Halcyon estimates that ransomware attacks have grown in volume by 20% since 2023 with an increased focus on targeting smaller enterprises, which now comprise 80% of attacks.
During a keynote presentation at Infosecurity Europe, Cynthia Kaiser, SVP of Halcyon’s Ransomware Research Center, told delegates that the largest ransomware operators — such as Akira — are increasingly operating the same business models as legitimate vendors by selling services and infrastructure to their clients and affiliates. The main difference is that the goods on offer are exploits and stolen credentials rather than the legitimate goods sold through legitimate marketplaces.
Ransomware groups sell routinely through multiple channels, thereby creating redundancy in the event that any channel is taken down. Their services are often offered with tiered pricing, and are commonly available with a freemium model popularised by legitimate web services. Telegram bot-driven channels are automating the process of sales and marketing, while AI-based utilities are being applied by cybercriminals to offer customer service.
