Weaponised AI Is Powering the Fifth Wave of Cybercrime, Group-IB WarnsDark web discussions mentioning AI-powered cybercrime have surged 371% in five years.Dark LLMs are selling for as little as $30 with a customer base exceeding over 1,000 users.The deepf
Since 5 Day - 08:13
GMT
Artificial Intelligence
Weaponised AI Is Powering the Fifth Wave of Cybercrime, Group-IB WarnsDark web discussions mentioning AI-powered cybercrime have surged 371% in five years.Dark LLMs are selling for as little as $30 with a customer base exceeding over 1,000 users.The deepfake market is booming, 2024 saw the greatest year-on-year spike of deepfake services for sale (233%) but the upward trend is unrelenting, with 2025 seeing a 52% increase.Dubai, United Arab Emirates – Jan. 20th, 2026 – Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has published its first Weaponized AI: Inside the criminal ecosystem fuelling the fifth wave of cybercrime whitepaper, uncovering how AI is changing the criminal ecosystem and fuelling the fifth wave of cybercrime. Over the past thirty years, cybercrime has evolved through successive waves, from manual phishing in the late 90s, industrialised ransomware, all the way to supply chain and ecosystem attacks that characterised the early 2020s. Group-IB has found there has been a 371% surge in dark web forum posts featuring AI keywords since 2019, and a ten-fold increase in replies (1199%). Now, adversaries are industrialising AI, turning once specialist skills such as persuasion, impersonation and malware development into on-demand services available to anyone with a credit card.The fifth wave of cybercrimeGroup-IB’s infiltration of dark web forums and underground marketplaces, found in 2025, AI abuse dominated dark web discussions with 23,621 first posts and 298,231 replies. Interest peaked in 2023 following the release of ChatGPT to the general public in late 2022 with over 300,000 replies on AI posts, coinciding with the release of GPT-4 and rising regulatory/societal concern. Unlike earlier waves of cybercrime, AI adoption by threat actors has been strikingly fast. AI is now firmly embedded as core infrastructure throughout the criminal ecosystem rather than an occasional exploit.Crimeware accessible for the cost of a monthly streaming subscriptionGroup-IB investigations suggest that a few distinct seller types are routinely marketing and packaging AI crimeware to lower-skill buyers on underground markets, making sophisticated attacks accessible to novices. Vendors are mimicking aspects of legitimate SaaS businesses, from pricing tiers and subscription models to customer service support.AI crimeware typically falls into three main categories: LLM exploitation, phishing and social engineering automation, and malware and tooling. These dark web offerings are affordable and often bundled together to make them more attractive to potential buyers. The operating systems of modern cybercrimeDark LLM’s: Threat actors are moving past chatbot misuse and are creating proprietary Dark LLMs that are more stable, capable, and have no ethical restrictions. Group-IB identifies at least three active vendors offering Dark LLMs with subscriptions ranging from $30 to $200 per month, and a customer base exceeding 1,000 users.Jailbreak framework services and instructions: Jailbreaking allows legitimate LLMs to output disallowed, unsafe, or malicious content through reusable templates or instructions to bypass guardrails. Group-IB found that by the