What Is WormGPT? AI Ransomware Now on Dark Web
Criminal AI tools like WormGPT are being sold openly on dark web ransomware markets, and the numbers jumped 3,800% in just 90 days. This is not a future threat. It is happening right now, and the people buying these tools are coming for your inbox, your bank, and your employer.
AI-powered attack tools like WormGPT are sold openly on dark web ransomware markets. Listings jumped from 38 in December 2025 to 1,486 in February 2026. For a few hundred dollars, anyone with zero coding skills can buy AI that writes targeted phishing emails, automates social engineering, and deploys ransomware.
The Real Case: A 3,800% Spike in 90 Days
Halcyon, an anti-ransomware firm, spent months monitoring Telegram channels, 20 dark web forums, and five underground markets. What they found wasn't gradual. It was a vertical spike.
In December 2025, they counted 38 posts advertising AI-based attack tools. By February 2026, that number had climbed to 1,486. That's a 3,800% increase in roughly 90 days.
WormGPT is the market leader, though calling it a single product misses the picture. WormGPT is now a brand name used by multiple criminal operators selling competing versions, like how 'Kleenex' became the word for any tissue. Some versions cost as little as $60 per month. Others run subscription tiers with customer support, update logs, and refund policies.
The buyers aren't elite hackers. That's the whole point. These tools exist specifically to hand serious attack capability to people who couldn't build it themselves. A motivated 19-year-old with a prepaid card and a grudge against their former employer now has access to AI that can craft a convincing, personalized phishing email in seconds.
How These AI Attack Tools Actually Work
Standard AI tools like ChatGPT have guardrails. Ask them to write a malware delivery email and they refuse. Criminal AI tools have those guardrails removed entirely.
A typical attack using a tool like WormGPT unfolds like this:
1. The attacker buys access to the AI through a dark web marketplace, usually via cryptocurrency. 2. They feed the AI personal information about the target: their name, employer, job title, and sometimes recent social media posts scraped automatically. 3. The AI generates a hyper-personalized phishing email that references real details from the target's life. No generic 'Dear Valued Customer' language. 4. The email contains a link or attachment that, when clicked, either installs ransomware or harvests login credentials. 5. If the target is a business, the attacker moves laterally through the network, escalating privileges until they can encrypt critical files and demand payment.
Some of the more advanced tools on these markets do far more than write emails. They automate multi-step conversations, responding to replies in real time to keep the victim engaged. One tool category, sometimes listed as 'AI social engineering suites,' can simulate a full IT support conversation over email or chat.
The scariest part: the AI gets the tone right. It sounds like a tired colleague sending a quick note at 6pm, not a scammer.
Why Smart People Are Still Getting Fooled
Most guides tell you to look for bad grammar and suspicious links. That advice is nearly useless now.
The old phishing email had typos. It called you 'Dear Friend.' It came from a Nigerian prince. You spotted it and felt smart. That era is gone.
AI-written phishing emails score higher on readability tests than average corporate communications. They match the writing style of whoever they're impersonating. They arrive at psychologically optimized times, late afternoon on a Friday when cognitive load is highest.
There's also a volume problem. Because these tools automate everything, a single attacker can run hundreds of simultaneous campaigns. The old model was one hacker sending thousands of identical emails hoping someone bites. The new model is one hacker sending thousands of uniquely personalized emails, each one tailored to a specific person's context.
One detail genuinely unsettles me: these AI tools can ingest a person's LinkedIn profile, their public tweets, and any press mentions, then synthesize a message that references their actual recent work. A victim who just closed a deal or attended a conference might get an email referencing that exact event. The psychological response is trust, not suspicion. I've seen this work on security-conscious people.
That's the trap. Familiarity reads as safety.
Your Defense Checklist: Do These Today
If you're relying on 'I'll just spot the bad emails,' you're wasting time. That strategy doesn't hold up against AI that writes better than most humans.
Do these things instead:
1. Set a family safe word right now. Pick a random word or short phrase that only your household knows. If someone calls or messages claiming to be you in an emergency, the safe word proves it. Write it down offline. Don't text it.
2. Call back on a known number. If you get an urgent email or message from your bank, your boss, or a family member asking you to act fast, hang up or close the message. Call them back using a number you already have saved, not one provided in the message.
3. Turn on hardware security keys for critical accounts. An app-based authenticator can be socially engineered around. A physical key like a YubiKey cannot be phished remotely. Use one for email and banking at minimum.
4. Never click links in emails to log in. Go directly to the website by typing the address yourself. Every time.
5. Tell your parents about WormGPT by name. Not a vague warning about scams. Show them this article. The specificity matters because it makes the threat feel real instead of abstract.
6. Ask your employer about email authentication standards. SPF, DKIM, and DMARC are technical protocols that make it harder to spoof a company email address. If your IT team hasn't deployed all three, that's a problem worth raising.
Key Takeaways
FAQ
Q: How do I know if a message from my coworker or boss is actually from them?
A: If the message asks you to do something financial or urgent, verify it through a separate channel you already use, like calling their known mobile number directly. AI tools can mimic writing style perfectly, but they cannot answer a question only your real colleague would know.
Q: Can't spam filters or email providers just block AI-generated phishing?
A: Honestly, not reliably yet. Because AI-written phishing emails read as normal English with no suspicious patterns, content-based filters frequently miss them. Detection research is advancing but it is running behind the attack tools right now, which is a genuinely uncomfortable fact.
Q: What should I do if I already clicked a suspicious link?
A: Disconnect the device from the internet immediately, then call your IT department or a trusted tech person before touching anything else. If credentials were entered, change those passwords from a different, clean device within the next 10 minutes.
Conclusion
The 90-day jump from 38 listings to 1,486 is a warning signal that the barrier to running sophisticated ransomware campaigns has effectively collapsed. You don't need to become a cybersecurity expert to protect yourself, but you do need to stop assuming you can eyeball your way past these attacks. Start with one thing today: set that family safe word and text the concept to anyone in your household who might receive a spoofed call pretending to be you in an emergency. That single habit could be the difference between a close call and a $10,000 wire transfer you can't get back.
Related Posts
- How Does AI Help Cybersecurity Teams — And How Do Attackers Abuse the Same Tools?
The same AI tools that help security teams detect threats in milliseconds are being weaponized to clone voices, generate perfect phishing emails, and impersonate executives on live video calls. This isn't a future risk — it already cost one company $25 million in a single afternoon. Here's exactly w - How Is AI Creating Never-Seen Cyberattacks?
AI systems are now generating cyberattacks automatically, faster than any human security team can track. The same technology defending your bank is being weaponized against you. Knowing how it works is the only real protection you have. - How Do AI-Generated Phishing Emails Bypass Corporate Filters?
In 2026, AI-crafted phishing emails started sailing past enterprise security filters that had caught similar attacks for years. The emails were grammatically perfect, contextually aware, and personalized down to the recipient's recent Slack messages. Corporate IT teams were not ready for this.