Over 225,000 Compromised ChatGPT Credentials Up for Sale on Dark Web Markets

Between January and October 2023, more than 225,000 logs with compromised OpenAI ChatGPT credentials were put up for sale on dark web marketplaces, according to recent research from Group-IB.

These credentials were found in infostealer logs tied to the Raccoon, RedLine, and LummaC2 malware families.

“The number of infected devices grew significantly between August and September but decreased slightly in mid- and late summer,” the Singapore-headquartered cybersecurity company said in its Hi-Tech Crime Trends 2023/2024 report, released last week.


More than 130,000 distinct hosts with access to OpenAI ChatGPT were compromised between June and October 2023—a 36% rise over the same period in 2022. Below is a breakdown of the top three stealer families:

LummaC2: 70,484 hosts
Raccoon: 22,468 hosts
RedLine: 15,970 hosts

“The sharp increase in the number of ChatGPT credentials for sale is due to the overall rise in the number of hosts infected with information stealers, data from which is then put up for sale on markets or in UCLs,” stated Group-IB.

This development coincides with disclosures from Microsoft and OpenAI that nation-state actors from China, North Korea, Iran, and Russia are experimenting with AI and large language models (LLMs) to augment their ongoing cyberattack operations.

Group-IB noted that, beyond improving operational productivity and helping adversaries craft convincing scam and phishing lures, LLMs can also be used to speed up reconnaissance, generate scam robocalls, and operate hacking toolkits.

“In the past, [threat actors] were mainly interested in corporate computers and in systems with access that enabled movement across the network,” it stated. Now they also target devices that have access to public AI systems.

“This gives them access to logs with the communication history between employees and systems, which they can use to search for confidential information (for espionage purposes), details about internal infrastructure, authentication data (for conducting even more damaging attacks), and information about application source code.”

Valid account credentials have become one of threat actors' primary initial-access methods, largely because infostealers make them so readily available.

“The combination of a rise in infostealers and the abuse of valid account credentials to gain initial access has exacerbated defenders’ identity and access management challenges,” warned IBM X-Force.

“Enterprise credential data can be stolen from compromised devices through credential reuse, browser credential stores, or accessing enterprise accounts directly from personal devices.”
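The host counts above and the IBM X-Force point about browser credential stores both come down to the same defender task: triaging stealer-log dumps to find which hosts held a ChatGPT login and which of those accounts belong to the enterprise. The following Python is an added example, not Group-IB's or IBM's tooling. It assumes a simplified URL/Username/Password/Application block layout modelled on common infostealer "passwords" exports (an assumption, not any family's exact schema); the host IDs, family labels, and credentials are constructed sample data, and the triage deliberately discards the password values so the output can be shared with an identity team.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: one "passwords" dump per infected host, keyed by
# (host id, stealer family). The block layout is an assumption modelled on
# common infostealer exports, not a vendor's real schema.
SAMPLE_LOGS = {
    ("HWID-0001", "LummaC2"): """\
URL: https://chat.openai.com/auth/login
Username: alice@corp.example
Password: Spring2023!
Application: Google Chrome

URL: https://mail.corp.example/owa
Username: alice@corp.example
Password: Spring2023!
Application: Google Chrome
""",
    ("HWID-0002", "RedLine"): """\
URL: https://accounts.example-shop.test/login
Username: bob.personal@mail.example
Password: hunter2
Application: Mozilla Firefox
""",
    ("HWID-0003", "LummaC2"): """\
URL: https://auth.openai.com/u/login/identifier
Username: carol@corp.example
Password: P@ssw0rd
Application: Microsoft Edge
""",
    ("HWID-0004", "Raccoon"): """\
URL: https://chat.openai.com/
Username: dave.home@mail.example
Password: letmein
Application: Google Chrome
""",
}

# Match openai.com and its subdomains only; "openai.com.evil.test" and
# "evilopenai.com" must not match.
OPENAI_HOST_RE = re.compile(r"^https?://([a-z0-9.-]*\.)?openai\.com(/|$)", re.I)


@dataclass(frozen=True)
class Credential:
    host_id: str
    family: str
    url: str
    username: str
    application: str


def parse_dump(host_id: str, family: str, text: str) -> list[Credential]:
    """Parse blank-line-separated 'Key: value' blocks into Credential records.

    The Password field is read but never stored: triage output should not
    carry plaintext secrets around.
    """
    creds = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "url" in fields and "username" in fields:
            creds.append(Credential(host_id, family, fields["url"],
                                    fields["username"], fields.get("application", "")))
    return creds


def is_openai_login(url: str) -> bool:
    return bool(OPENAI_HOST_RE.match(url))


def triage(logs: dict, corporate_domains: set[str]):
    """Count distinct hosts per stealer family that held an OpenAI credential,
    and list the corporate accounts exposed as (username, host_id, family)."""
    hosts_by_family = defaultdict(set)
    corporate_hits = []
    for (host_id, family), text in logs.items():
        for cred in parse_dump(host_id, family, text):
            if not is_openai_login(cred.url):
                continue
            hosts_by_family[family].add(host_id)  # a set, so one host counts once
            domain = cred.username.rpartition("@")[2].lower()
            if domain in corporate_domains:
                corporate_hits.append((cred.username, host_id, family))
    return {fam: len(hosts) for fam, hosts in hosts_by_family.items()}, corporate_hits


if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOGS, {"corp.example"})
    print("OpenAI credential hosts per family:", counts)
    for username, host_id, family in hits:
        print(f"corporate account exposed: {username} on {host_id} ({family})")
```

The corporate-domain hits are the actionable list: each is a user whose ChatGPT session and, per the IBM X-Force point above, likely every other password in the same browser store should be treated as compromised and rotated, with the host itself handed to incident response rather than only the one account reset.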
