Hackers are selling stolen GenAI accounts on the Dark Web

Victim devices infected with infostealers and the credentials sold for just $15


Hackers have been found selling stolen Generative AI data and account credentials on the dark web, exploiting the technology’s growing popularity to net big rewards.

New research from eSentire’s Threat Response Unit (TRU) has identified that over 400 account credentials are sold by cybercriminals every day. They are primarily obtained from corporate end users’ computers infected with infostealer malware, which retrieves anything the user has entered into their internet browser. This could include sensitive information such as bank details, financial records, customer data, and log-in information.

Additionally, if end users are subscribed to a GenAI service or model, those credentials are stolen as well. When an infostealer is used to capture information, the ‘stealer log’ of stolen data is then sold for around $10. OpenAI credentials are reported to be the most commonly stolen, with an average of 200 daily listings.

LLM Jacking

Elsewhere, findings from security research organisation Sysdig showed that threat actors are also gaining control of extensive numbers of LLMs (Large Language Models) in a process dubbed ‘LLM Jacking’. TRU warns that the hackers’ aims are to acquire, resell, and abuse access to LLMs.

Sysdig has confirmed that LLM Jacking operations often use a reverse proxy to resell and monetize the stolen LLM access, and has warned that an attack of this kind could cost the victim up to $46,000 per day in consumption costs.

Underground stores like LLM Paradise used this tactic to obtain and sell stolen GenAI credentials, even brazenly advertising on sites like TikTok. Whilst this site has since been closed down, a healthy market ensures many others remain in its place.

As the use of AI has grown, so too has the threat of cybercriminals discovering new ways to profit from stolen data. Companies are advised to maintain rigorous security measures, such as establishing robust vulnerability management processes, monitoring for suspicious activity, and enforcing multi-factor authentication.


Ellen has been writing for almost four years, with a focus on post-COVID policy whilst studying for BA Politics and International Relations at the University of Cardiff, followed by an MA in Political Communication. Before joining TechRadar Pro as a Junior Writer, she worked for Future Publishing’s MVC content team, working with merchants and retailers to upload content.
