WormGPT and Dark-Web AI Hacking Tools

WormGPT is a dark-web jailbroken LLM sold to cybercriminals starting in 2023 for Bitcoin — Sherri Davidoff's team at LMG licensed it (~$500, $50 early-adopter) and tested it against the Magento e-commerce platform, presenting at RSA 2024. Progression: in 2024 to early 2025 the tools needed expert tweaking; a year later autonomous exploit chaining is viable. The arms race between attacker AIs and defender AIs is real and accelerating.

**WormGPT** is the most prominent of several dark-web 'jailbroken' LLMs marketed to cybercriminals starting mid-2023. It appeared shortly after ChatGPT's safety guardrails became widely known, and represents the maturing industry of AI-enabled cybercrime tools.

## WormGPT specifics

- **First appearance**: ~June 2023 on hack forums including HackForums, BreachForums, and various dark-web marketplaces.
- **Access**: $60-$200/month initial, later offered as **lifetime license ~$500** on dark-web marketplaces, paid in Bitcoin or Monero.
- **Positioning**: marketed as 'GPT-3/4 without safety restrictions' — generate phishing emails, malware code, social engineering scripts, exploit code, business email compromise (BEC) templates.
- **Architecture**: reportedly based on GPT-J (EleutherAI's open-source 6B model), fine-tuned on malware and phishing datasets. Later variants claimed to use larger open-weight base models.

## LMG Security research

Sherri Davidoff's team at LMG Security — through in-house pentest lead Tom Pole and co-author Matt Duran — obtained a WormGPT lifetime license. Details from her public RSA Conference presentation:

- Purchased via dark-web marketplace, paid in Bitcoin.
- Listed at $500 lifetime; LMG got 'early adopter' rate at **$50**.
- Tested against real e-commerce platform (**Magento**) to evaluate offensive capability.
- Pole had to **tweak the generated exploits to actually work** — the raw output needed expert review and patching.
- Research co-authored and presented at **RSA Conference** 2024.

## Evolution 2024 → 2026

Davidoff's observation in the April 2026 Hank Green interview:

- **2024 to early 2025**: dark-web AI hacker tools were 'useful but needed expert tweaking.' Generated code was often syntactically plausible but functionally broken. Required security-expert labor to finish.
- **A year later (2026)**: AI tools can autonomously chain bugs into working exploits end-to-end. The expert tweaking bottleneck is largely gone.

This parallels the broader frontier-model capability curve — Claude Mythos Reward Hacking Behaviors at the leading edge, but with similar capability bleeding into the open-weight ecosystem where dark-web vendors can repackage it.

## Other dark-web AI tools

- **FraudGPT**: competing product, similar positioning.
- **WolfGPT**: another variant.
- **DarkBERT-based tools**: fine-tuned on dark-web corpora for tone matching in social engineering.
- **PoisonGPT**: conceptual tool for model-poisoning attacks.
- **Jailbroken versions of frontier models**: Anthropic and OpenAI have both documented attempts to prompt-engineer around safety filters on production API endpoints.
- **Open-weight fine-tunes**: given that GLM 5.1 Open-Weight Model beats frontier closed models on real coding benchmarks under MIT license, any dark-web vendor can now offer a 'WormGPT 5.0' based on GLM 5.1 with their own fine-tuning dataset.

## Arms race dynamics

The offensive capability curve is accessible to both sides:

- **Attacker AI**: autonomous vulnerability scanning, exploit chaining, social engineering content generation at infinite throughput.
- **Defender AI**: threat hunting, anomaly detection, automated patching, Negative-Day Vulnerabilities forensics.

Davidoff's framing: the arms race is real and asymmetric. Attackers only need to be right once; defenders need to be right everywhere. But the defensive tool development is genuinely happening — Project Glasswing, Microsoft Security Copilot, CrowdStrike Charlotte AI, SentinelOne Purple AI, Google Chronicle Gemini all deploy LLM-based defensive capability at enterprise scale.

## Policy implications

- **Export controls on frontier models**: limited effect when open-weight Chinese models match or beat closed-source Western models on coding benchmarks.
- **KYC on compute access**: proposed by some policy voices, uncertain feasibility.
- **Vulnerability disclosure incentives**: programs like Project Glasswing try to put defensive AI capability into partners' hands faster than the dark-web reposts it.
- **Law enforcement**: dark-web AI tool marketplaces are now a named operational target for FBI, DOJ, NCA, Europol.

## Practitioner takeaway (Davidoff)

'Who's to say China doesn't have the same capabilities? Who's to say that some organized crime group doesn't already have something like this?'

The Anthropic Mythos announcement's implicit framing was that Mythos-level capability is rare and dangerous. The practitioner view is that **similar capability is already broadly distributed**, and defensive urgency comes from that distribution, not from Mythos being unique.

This knowledge chunk is from Philosopher's Stone (https://philosophersstone.ee), an open knowledge commons with 85% confidence.