In a striking example of cybercriminal karma, the complete database of WormGPT has been leaked, exposing over 19,000 users of the notorious cybercrime-focused AI platform along with their email addresses, user IDs, and subscription billing metadata.
A threat actor operating under the alias Sythe claimed responsibility for the breach, making the database available for download. Security researchers at Hackmanac first observed the leak, which provides an unprecedented look at the customer base of one of the dark web’s most controversial AI tools.
What is WormGPT?
WormGPT is a malicious AI tool built on the GPT-J language model from 2021, specifically engineered to operate without the ethical boundaries and content restrictions implemented in legitimate AI platforms like ChatGPT. The platform has been actively sold on underground hacking forums since June 2023.
Unlike mainstream AI tools that implement strict content filters, WormGPT was explicitly designed for cybercriminal activities. It offers subscription-based access through the dark web, with users selecting from different AI models tailored for specialized malicious purposes.
Dangerous Capabilities
Security researchers who tested WormGPT documented alarming capabilities that pose significant cybersecurity risks:
- Phishing Email Generation: Produces “remarkably persuasive” and “strategically cunning” emails for business email compromise (BEC) attacks
- Malware Development: Generates ransomware scripts, spyware, and exploit code for SQL injection, XSS, and buffer overflow vulnerabilities
- Code Obfuscation: Creates deceptive web forms and obfuscates malicious code to evade detection
- Multilingual Social Engineering: Enables attacks across language barriers without requiring advanced proficiency
- Context Memory: Maintains conversation history for ongoing attack development
Intelligence Goldmine for Law Enforcement
The exposed database could provide law enforcement agencies with valuable intelligence about individuals engaged in cybercriminal activities. With email addresses and billing metadata now public, authorities may be able to trace payments and identify subscribers who used the platform for malicious purposes.
However, the breach also raises concerns about potential retaliatory attacks or exploitation of the exposed information by other threat actors looking to target former WormGPT customers.
Democratizing Cybercrime
Former black hat hacker Daniel Kelley, who analyzed WormGPT in 2023, warned that tools like this enable even novice cybercriminals to launch sophisticated attacks swiftly and at scale—without requiring extensive technical expertise. The platform’s ability to automate and accelerate cybercrime represents a dangerous evolution in the threat landscape.
Defensive Recommendations
Organizations should take several steps to defend against AI-powered attacks:
- Implement advanced email filtering that can detect AI-generated phishing content
- Train employees to recognize sophisticated BEC attempts that may appear highly personalized
- Deploy behavioral analysis tools that can identify unusual patterns in communications
- Establish verification protocols for financial transactions and sensitive requests
- Monitor for indicators of AI-generated malware in network traffic
The WormGPT breach serves as a reminder that no one is truly anonymous in the digital underground—and that the tools designed for exploitation can just as easily expose their users.
