The Underground AI Boom
According to cybersecurity researchers at KELA, discussions around AI-powered hacking tools increased by over 200% in 2024 — and the momentum has only grown through 2025. The surge marks a major shift in how hackers operate, with underground markets offering AI services designed to automate phishing, malware development, and social engineering.
Among the most popular tools in circulation are WormGPT, FraudGPT, Evil-GPT, Xanthorox AI, and NYTHEON AI — each crafted for a specific purpose in the cyberattack chain.
WormGPT — The Blackhat Pioneer
Launched in mid-2023, WormGPT quickly became infamous for its ability to create realistic phishing and BEC (Business Email Compromise) emails. Built on the GPT-J model, the tool was marketed as a “blackhat alternative” to ChatGPT, capable of crafting convincing corporate messages that easily slip past spam filters.
Subscriptions range from $100 per month to $5,000 for private access, making it accessible to a wide range of attackers. In several documented cases, WormGPT was used to impersonate executives and trick employees into authorizing fraudulent transactions — a new low in digital deception.
FraudGPT — The AI-as-a-Service Model
Following closely was FraudGPT, launched in July 2023 by the underground seller “CanadianKingpin12.” This AI tool offered a subscription model similar to legitimate SaaS platforms — $200 per month or $1,700 annually complete with customer support, tutorials, and premium feature tiers.
FraudGPT could generate malicious code, identify vulnerabilities, and even teach hacking methods. At higher tiers, users gained access to API integrations, image generation, and Discord connectivity. Its success marked the moment when cybercrime adopted the polished professionalism of the tech industry.
Xanthorox AI — The “Killer of WormGPT”
By early 2025, new entrants like Xanthorox AI appeared, boasting modular design and enhanced stealth. Marketed as the “Killer of WormGPT,” Xanthorox runs entirely on private, self-hosted servers, making detection nearly impossible.
The platform offers a full range of capabilities, from phishing and deepfake generation to malware creation and vulnerability scanning. Its developers claim it delivers an all-in-one AI hacking environment — and unfortunately, that claim seems accurate.
NYTHEON AI — The Rise of GenAI-as-a-Service
NYTHEON AI represents another step forward — or backward, depending on perspective. Operated through the dark web and Telegram channels, NYTHEON combines several legitimate open-source AI models into a unified malicious framework.
It includes six specialized modules: Nytheon Coder (for generating malicious code), Nytheon Vision (for image recognition), and Nytheon R1 (for reasoning tasks). This modular structure offers hackers unprecedented flexibility and efficiency, resembling the AI capabilities used by ethical developers — but with criminal intent.
AI-Powered Phishing and Malware Development
Phishing remains the top weapon of choice among cybercriminals. Security analysts report a 1,265% surge in AI-generated phishing attacks, with many proving just as effective as those written by humans — but produced in seconds.
Tools such as WormGPT and MalwareGPT are also enabling polymorphic malware that continuously changes its code to evade detection. Google’s research identified five new malware families in 2025 using AI to rewrite their own code, rendering traditional antivirus systems less effective.
The Subscription Economy of Cybercrime
Underground AI developers are now copying the business strategies of legitimate software firms. They offer tiered pricing, free trials, customer support, and regular updates — transforming cybercrime into a fully operational economy.
Tools like Evil-GPT are sold for as little as $10, proving that advanced attack capabilities are now accessible to almost anyone with malicious intent.
A Dangerous Future
Authorities such as the FBI warn that AI has dramatically accelerated the pace and sophistication of cyberattacks. In early 2025, AI-assisted phishing made up more than 80% of global social engineering campaigns, a staggering indication of how deeply AI has infiltrated cybercrime.
Final thoughts
The rise of WormGPT, FraudGPT, Xanthorox AI, and NYTHEON AI signals a pivotal shift in cybersecurity. Artificial intelligence, once used to defend networks, is now equally effective in breaching them. As these underground markets mature, defenders must adapt quickly — deploying AI-driven defense strategies and real-time threat intelligence to stay ahead of this growing menace.
Follow Cyberinfos for daily updates on AI-driven threats, vulnerability reports, and digital defense strategies.
