Flashpoint Research: Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime; Clop Claims To Post Victim Names on August 15

Here are a couple of topics that Flashpoint’s research team has been keeping tabs on this week.

  1. Malicious Telegram-Based AI Chatbot “FraudGPT” Could Simplify Cybercrime


  • “FraudGPT,” likely also referred to as “ChatGPT Fraud Bot,” is a bot targeting online actors who want to commit illicit activity. 
  • This and similar tools, such as “WormGPT,” emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. 
  • Flashpoint procured access to this bot and determined that it appears to have similar functionality to WormGPT. FraudGPT provides answers to questions that could enable cybercrime and that other bots, such as ChatGPT, refuse to answer.
  • For example, unlike ChatGPT, FraudGPT is willing to provide malware samples. However, the malware sample it provided was not highly effective.
  • It also provided a list of Dark Web markets upon request, though the list was outdated.      
  • Ultimately, the threat posed by FraudGPT and other similar tools likely depends on how their operators use them.
  • The dual-edged nature of technology is evident; while advancements like ChatGPT can be created with ethical intentions, their underlying technology can easily be repurposed for malicious activities.

BACKGROUND: Threat actors are advertising AI chatbots that have allegedly been trained on illicit content from the cyber underground and can be leveraged to commit fraud and enable illegal activity. Sellers are advertising an increasing number of fraud-related chatbots. Observed subscription prices include US$100 a month or several hundred dollars a year.

Several of these tools emulate ChatGPT, but without ChatGPT’s safeguards, which generally prevent the tool from providing responses that may lead to unethical or illegal activity. However, researchers and malicious actors have found ways to work around some of ChatGPT’s restrictions, such as by using prompt injection attacks.

“FraudGPT,” also known as “Chat GPT Fraud Bot,” is a malicious Telegram-based chatbot that purportedly provides AI-generated content that can be used for a variety of fraud and cybercrime purposes. FraudGPT is similar to the malicious AI bot “WormGPT,” which Flashpoint profiled in July 2023. FraudGPT emerged on Dread shortly after WormGPT began making headlines. FraudGPT’s answers are often similar to those of WormGPT, but when asked identical prompts, it offers its own answers. While WormGPT uses a fingerprint login via a URL, FraudGPT is accessed via Telegram. FraudGPT’s responses incorporate rude commentary as well as disclaimers regarding the illegality of the advice.

Additional available tools, such as “WolfGPT” and “XXXGPT,” also advertise similar capabilities. However, it is unclear how effective these tools are in enabling malicious online actors. The proliferation of these types of tools will likely continue as members of illicit communities seek to use them to enhance their capabilities. However, as researchers test these bots, it appears that their answers have some limitations. In some cases, the malicious chatbots decline to answer questions, do not answer them in detail, or warn the user not to engage in illegal activity. The severity of the risks posed by these tools thus likely depends on the actors using them.

  2. Clop Claims To Post Victim Names on August 15

Clop posted the following message on their ransomware leak site, indicating that they will start publishing data from companies that are infected but have not contacted Clop: 

Now we post many company name and proof we have their secrets and data. Some company do not speed to us and decide to stay quiet. We are very reasonable operators and when right situation we offer deep discount to block you data from being sold and publish. Advice you to contact us and begin discussion on how to block publicate of data. On 15 August we start publishing of every company on list that do not contact. You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data. Also all data go on torrent and speed of download is very quick. YOU NOT HIDING MORE.

As of August 9, 2023, analysts have observed 659 victims that have either appeared on the ransomware blog or have publicly disclosed or reported on the incident. For context, they have identified approximately 260 victims on Clop’s ransomware blog, and 486 on CRA through responsible disclosure or reporting. Several of these victims result from third-party compromise and may not be directly affected. Analysts cannot accurately assess the total number of additional victims that may appear on the ransomware blog beginning on August 15.
