The ‘year of AI’: 2026 sees influx of ransomware attacks


Prior to taking over the role of senior vice-president of Halcyon’s Ransomware Analysis Centre, Cynthia Kaiser worked for the Federal Bureau of Investigation (FBI) for 20 years, becoming the deputy assistant director of cyber division for the agency.

At this year’s Infosecurity Europe at the Excel London, Kaiser gave a keynote speech about the evolving nature of ransomware. The picture she painted of the current capabilities of threat actors on the dark web was a bleak one.

Setting the scene, it is well known now that with technology’s increased connectivity, there are more opportunities than ever for hackers to exploit vulnerabilities and cause real-world damage. Kaiser said cyber threats have become the key national security threat. Cyber attacks are no longer the domain of technology columns, but are now front-page news. Kaiser cited the instance in which North Korean threat actors are believed to have hacked Sony in response to the release of The Interview, as well as Russian hacking to disrupt elections and influence geopolitics.

She observed that since 2023, there has been a 20% rise in cyber attacks on small and medium-sized enterprises (SMEs), which are now four times more likely to be attacked than larger organisations. The technology underpinning cyber attacks has improved, with a typical cyber attack now taking only four hours.

According to Kaiser, some hacking groups now operate like conventional businesses, with customer service lines and their own brands. Similarly, underground forums are closer to consumer platforms, with credentials for sale that offer access to compromised networks. These forums comprise 60% of all dark web activity. As such, hacking groups no longer need to start building their businesses from nothing, as infrastructure is available to buy from dark web forums.

Explosion of AI tools

The most recent significant change in dark web activity has been in the use of AI. Until this year, Kaiser noted there was virtually no mention of AI hacking tools on dark web forums. Then there was an explosion of AI tools. The number of posts about AI on dark web forums went from 38 in December 2025 to nearly 1,500 in February 2026.

Kaiser explained these AI hacking tools are weaponised large language models (LLMs) – AI tools that have had their safety limits removed, thereby enabling hackers to use them for malicious purposes. The weaponised LLMs often appear as attack versions of AI systems to help criminals.

The market leader of weaponised LLMs is WormGPT, which first came to the fore in 2023. Although the original was shut down just a few weeks after the creators were identified, the name has now become a brand, with multiple providers running different versions of the WormGPT code. The “official” Telegram channel for WormGPT, which now has more than 15,000 members, recently announced that the latest version (Kriminal.AI) will be free.

Kaiser noted that identity fraud is one of the core uses for weaponised AI tools, as social engineering techniques can be enabled by AI-cloned voices. The success rate for these deepfakes is over 90% and they can be generated from as little as three seconds of audio. AI-enabled identity fraud can also include document forgery and deepfake videos. A typical deepfake video can now cost approximately $800 (around £600), with providers also offering seasonal promotional discounts.

AI can be used to enhance malware to attack infrastructure. AI tools have been able to simulate telephone calls from call centres, with the associated background chatter and typing on keyboards. These AI-simulated call centres have been trained on more than 150,000 customer calls and can use over 25 languages. They charge up to $7 (just over £5.00) per thousand calls and claim they can support up to 120 simultaneous calls.

Kaiser noted that jailbroken and stolen AI services are also available to purchase online, with active threads across multiple hacker forums, which act as living repositories.

The widespread options available on dark web forums, together with their competitive pricing, mean there is no financial barrier to entry. Kaiser highlighted how WormGPT uses the freemium business model: the core technology is free to use, but advanced capabilities must be paid for.

Kaiser explained how the larger dark web providers are automating storefronts and automating the distribution of their services. Platforms are also becoming increasingly advanced, with redundancy measures in place to survive disruption.

According to Kaiser, dark web operators seem to have a two-phase pattern. New dark web technologies are developed and tested, and once a tool has been validated, it is shared to Telegram channels for wider distribution. These forums feed the service and each channel is designed to support the other.

The greatest vulnerability facing dark web operators is not law enforcement, but each other, as AI tools are now targeting market competitors. Hence, people who pay for cyber crime are at risk of having their own details shared online. Essentially, the criminal AI market has an internal threat problem.

Effective defence is still possible

Kaiser stressed that despite the significant risk posed by hacker groups, we can still defend against these tools, but we need to rapidly adapt to guard against the risk from those seeking to exploit technologies.

She explained some techniques that have been the most effective. Preventing initial access remains a core defence against cyber attacks – if hackers cannot get in, then the data remains secure. Kaiser recommends phishing-resistant multi-factor authentication (MFA) and accelerated patching, as well as preparing staff for AI-generated voice calls impersonating partners, executives and employees.

However, given the multifarious cyber threats facing organisations, it is a case of when, not if, a cyber attack occurs. With that in mind, Kaiser noted that detecting lateral movement in a network, such as by using network monitoring tools and setting behavioural baselines of expected user behaviour, is essential for alerting security teams to potential threats in the networks, with a particular focus on endpoint and network telemetry. Setting minimal user privileges and ensuring user credentials only have access to the areas they need (especially when users change roles in an organisation) also helps.

Disrupting the exfiltration and encryption of data is also vital, according to Kaiser, which can be done by detecting anomalous user behaviour and unauthorised encryption attempts, as well as monitoring outbound traffic for sensitive information. Immutable data backups will also ensure that should the worst happen and the data is compromised, the system can be restored from a secure standpoint. All these technologies build resilience into a network to disrupt malicious threat actors and prevent the data from being compromised.

Kaiser also highlighted how tabletop exercises can be used to simulate a variety of worst-case scenarios, enabling organisations to put policies in place for such incidents. This helps staff to know what needs to be done – or at least know where to look. In essence, there needs to be an in-depth defence approach to cyber security, with multiple, overlapping layers of security controls across a network. As such, even if one mechanism is compromised or breached, there are redundancy measures in place to delay attackers, contain the threat and protect valuable data.

Given the recent developments in AI-powered voice cloning, Kaiser recommended that security teams reorient to phone calls as a primary threat vector. AI has made voice calls increasingly scalable, able to automate calling hundreds of people without needing a call centre.

Although malicious actors are adopting AI tools, cyber security teams can respond by automating detection and identification systems, so that networks can respond faster and more effectively to intruders.

Kaiser also recommends that we, as a society, need to work better together to counter the rise of cyber crime. This last point is not a technical problem, but one of policy and partnership, as governments need to enable information sharing between organisations and security agencies about emerging cyber threats for security teams to prepare effective defences against them.

Ultimately, the proliferation of AI tools across dark web forums has made hacking easier and more accessible. It is no longer the remit of large-scale criminal operations or state-sponsored hacking groups, but of anyone with a reasonable budget.

However, intelligence from the dark web demonstrates that cyber criminals are vulnerable to their own technologies being used against them. Furthermore, law enforcement raids and financial disruption can work well, but dark web platforms’ innate redundancy measures mean they have some resistance to this. As such, there needs to be more collaboration between security agencies and organisations so that emerging threats can be countered.