More than 225,000 Hacked ChatGPT Passwords Are Available for Purchase on Dark Web Marketplaces

More than 225,000 Hacked ChatGPT Passwords Are Available for Purchase on Dark Web Marketplaces

Between January and October 2023, more than 225,000 logs with hacked OpenAI ChatGPT credentials were put up for sale on dark web marketplaces, according to recent research by Group-IB.

These login credentials were discovered in information theft records connected to the Raccoon, RedLine, and LummaC2 malware.

“The number of infected devices grew significantly between August and September but decreased slightly in mid- and late summer,” the cybersecurity business with its headquarters in Singapore said in its Hi-Tech Crime Trends 2023/2024 study that was released last week.

More than 130,000 distinct hosts with access to OpenAI ChatGPT were compromised between June and October 2023—a 36% increase over the same period in 2022. Below is a breakdown of the top three stealer families:

LummaC2 – 70,484 hosts
Raccoon – 22,468 hosts
RedLine – 15,970 hosts

“The sharp increase in the number of ChatGPT credentials for sale is due to the overall rise in the number of hosts infected with information stealers, data from which is then put up for sale on markets or in UCLs,” said Group-IB.

This breakthrough coincides with revelations from Microsoft and OpenAI that nation-state actors in China, North Korea, Iran, and Russia are experimenting with AI and large language models (LLMs) as a means of enhancing their ongoing cyberattack operations.

Group-IB said that in addition to improving operational efficiency and helping attackers create convincing scam and phishing assaults, LLMs may also be used to expedite reconnaissance, manufacture scammer robocalls, and execute hacking toolkits.

“In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network,” it said. These days, they also concentrate on gadgets that have access to open AI systems.

“This gives them access to logs with the communication history between employees and systems, which they can use to search for confidential information (for espionage purposes), details about internal infrastructure, authentication data (for conducting even more damaging attacks), and information about application source code.”

Threat actors now exploit legitimate account credentials as one of their primary access methods, mostly because stealer software makes this information easily accessible.

“The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders’ identity and access management challenges,” warned IBM X-Force.

“Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores, or accessing enterprise accounts directly from personal devices.”


Scroll to Top