
Cybercriminals Worry AI Tools Will Disrupt Their Illicit Trade


“As AI tooling and capabilities evolve, organizations should continue to prioritize strong cyber hygiene such as timely patching, multifactor authentication (MFA), and passkey use to reduce exposure to established tradecraft and future AI-assisted acceleration,” Sophos CTU said.

Sophos CTU analysis of underground chatter

Sophos Counter Threat Unit (CTU) reported that analysis of discussion boards, dark web marketplaces and messaging apps shows cybercriminal communities are debating the arrival of AI tools the same way many legitimate workforces have: with a mixture of optimism, skepticism and anxiety. The firm says vendors on underground markets increasingly advertise "AI-powered kits" to assist in phishing, social engineering, malware development and activity inside compromised networks, while forum users trade views on how these tools will reshape roles, pricing and competitive advantage.

AI toolkits now for sale — and what sellers claim they do

Sophos documented concrete vendor claims and user examples. Sellers, both established and newly appearing, advertise toolkits that they say use generative AI to overcome language barriers, distribute content at scale and quickly respond to victims who engage with a lure. Other postings describe AI-generated deepfake audio and video used to build realistic profiles for romance fraud, and some listings claim to automate malware coding with AI. Those are seller claims and user reports captured by Sophos in its blog post.

Claude Mythos Preview sparked a spike in discussion

The research notes a clear uptick in forum conversation after the launch of Claude Mythos Preview, a frontier AI tool from Anthropic that its developers say can rapidly identify security vulnerabilities. Forum reactions were mixed: some users expressed cynicism, calling corporate concern an "overreaction," while others voiced real worry that AI could erode manual malware developers’ livelihoods or reduce product quality if authors outsource coding to models. One user warned that the rise of AI-powered offerings could “take money away from manual malware developers” and that “products” might worsen when creators rely on AI.

Advocates, opponents — and silent experimenters

Sophos observed that the loudest voices on underground forums drive much of the visible debate, but it also cautioned that the picture is incomplete because many threat actors may not publicly participate. While advocates tout speed, language assistance and automation, opponents question accuracy and impact on their tradecraft. Meanwhile, Sophos highlighted a cohort of operators who may be quietly testing AI’s practical limits rather than posting about their experiments.

What this means for technologists, enterprises, and threat actors

  • Technologists and security teams: Sophos CTU's explicit guidance is to prioritize timely patching, multifactor authentication (MFA) and passkey adoption, and to maintain environment-wide visibility to spot anomalous activity before attacks escalate.
  • Enterprises and procurement leaders: Sophos’ findings suggest organizations should watch how underground markets evolve — both the appearance of AI toolkits and potential shifts in pricing or offensive tradecraft — since those market dynamics can alter the scale and style of attacks they will face.
  • Adversaries and threat actors: According to Sophos, the underground is split — some will adopt advertised AI toolkits for phishing, deepfakes and code automation; others fear AI will displace manual developers or degrade product quality; and a portion will quietly probe where AI actually helps or fails.

The central fact is straightforward: AI is now a visible line item in the criminal economy, and it is already changing how some attackers advertise and plan operations. Sophos CTU’s practical prescription — patch, enable MFA and passkeys, and keep visibility — is likewise simple but specific. What remains to be seen, and what Sophos’ review leaves as an open question, is whether this wave of AI-enabled tooling will concentrate capability in the hands of a few sellers, erode the livelihoods of manual operators, or produce a new equilibrium of hybrid human-plus-AI tradecraft.

https://www.infosecurity-magazine.com/news/cybercriminals-worried-ai-take/