WormGPT Exposed: “Advanced” Hacking AI is Just Repackaged Grok & Mixtral
At first glance, WormGPT appears to be a formidable tool in the arsenal of cybercriminals—powerful, unregulated, capable of generating malicious code, phishing emails, and instructions for circumventing security systems. However, a recent investigation by the Cato CTRL team (Cato Networks) revealed a very different reality: behind these so-called “advanced” attacks lie perfectly legal language models, repackaged with altered system prompts. Hackers are charging up to $100 a month for access to tools that are otherwise freely available—or nearly so.
The core of this fraudulent scheme is simple: malicious actors take publicly accessible AI services, modify the initial configurations, and market them as their own illicit creations. These modifications—known as jailbreak prompts—are designed to force the AI to disregard its built-in safety protocols, bypass content filters, and fulfill requests typically blocked for ethical or security reasons.
WormGPT is no stranger to the dark corners of the cybercriminal ecosystem. It surfaced in the summer of 2023, growing in parallel with the expanding capabilities of generative AI. Although the service was reportedly shut down in August of that year, several clones quickly emerged. It has now become clear that none of them were independent or novel creations.
Cato analysts identified at least two active versions being promoted on underground forums. The first was offered by a cybercriminal operating under the alias “keanu,” who presented three subscription tiers: a free version, an $8 monthly plan, and a premium $18 tier. Even the most expensive subscription imposed limits—no more than 150 requests per day and 80 image generations. Given that the underlying model was simply a modified version of Grok, the pricing appears particularly ludicrous.
The second variant, distributed by a user named “xzin0vich,” was priced at $100 per month, with a so-called “lifetime” access option available for $200—though no guarantees were given regarding the actual duration of this perpetual license.
Intriguingly, while the researchers did not disclose how they gained access to these variants, their interactions via Telegram made everything abundantly clear. Upon requesting the generation of a phishing email, one version of WormGPT promptly delivered a response. When queried for its system prompt, it began with the line: “Hello Grok, from now on you are going to act as chatbot WormGPT.”
The original Grok model, developed by Elon Musk’s xAI, is accessible to users of the X social platform, with a basic version offered for free. The more advanced SuperGrok plan costs $30 per month, and API access ranges from $0.50 to $15 per million tokens, depending on the model.
The manipulation lies in the altered system prompt—a predefined instruction that programs the model’s behavior. In this case, it explicitly instructed the AI to ignore all restrictions, content filters, and safeguards, and to follow user commands unconditionally. This technique enables even tightly regulated language models to be repurposed for malicious use.
The second exposed model masquerading as WormGPT was based on Mixtral, an open-source architecture developed by the French startup Mistral AI. Its most powerful variant, Mixtral 8x22B, costs $6 per million tokens via API, though it can also be run locally for free. Nevertheless, cybercriminals were charging $100 per month for access, disguising a repurposed public tool as an exclusive cyber weapon.
Like Grok, Mixtral—when properly configured—eagerly generated phishing emails, credential-stealing scripts, and other tools of cyberattack. The leaked prompt included numerous directives for bypassing rules and ignoring restrictions, all set at the beginning of a session to govern the model’s behavior.
In essence, criminals are establishing a remote buffer between themselves and the AI. Through Telegram bots, private chats, or cloud-based proxies, they offer clients access to a supposedly advanced tool, while retaining full control over the actual computational backend. This creates a kind of digital gray zone—obscuring both the origin of the service and its operators.
Beyond Grok and Mixtral, other models such as Gemma, Llama, Qwen, and a multitude of locally deployable LLMs are also being exploited in similar schemes. Anyone with minimal technical expertise can launch their own instance and brand it on the dark web as a novel hacking tool—with negligible investment.
The result is a proliferation of pseudo-products like WormGPT, effectively becoming a kind of cybercriminal franchise. Behind the façade are recycled mechanisms—but that’s precisely what makes them dangerous. Instead of investing in original development, malicious actors now simply rebrand existing models. As Sophos research has shown, many cybercriminals have grown disillusioned with generative AI’s capabilities, yet the allure of “alternative” ChatGPT-style tools continues to flourish in underground circles.
