Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces

June 20, 2023 · Ravi Lakshmanan · Endpoint Security / Password


Between June 2022 and May 2023, over 100,000 compromised OpenAI ChatGPT account credentials were leaked to illegal dark web marketplaces, with 12,632 credentials stolen in India alone.

Group-IB said in a report shared with The Hacker News that the credentials were found in information stealer logs being sold on the cybercrime underground.

“The number of available logs containing compromised ChatGPT accounts peaked at 26,802 in May 2023,” the Singapore-based company said. “Asia Pacific had the highest concentration of ChatGPT credentials for sale over the past year.”

Countries with the most ChatGPT credential compromises include Pakistan, Brazil, Vietnam, Egypt, the United States, France, Morocco, Indonesia, and Bangladesh.

Further analysis revealed that the majority of logs containing ChatGPT accounts were produced by the notorious Raccoon information stealer, followed by Vidar and RedLine.


Information stealers are gaining popularity among cybercriminals because they can hijack passwords, cookies, credit cards, and other information from browsers and cryptocurrency wallet extensions.

Group-IB said that “logs containing compromised information collected by information thieves are actively traded on dark web markets.”

“Additional information about logs available in such markets includes a list of domains found in the logs and information about IP addresses of compromised hosts.”

Information stealer malware is typically offered under a subscription-based pricing model, which not only lowers the bar to entry for cybercrime but also acts as a conduit for follow-on attacks launched with the siphoned credentials.

“Many companies are integrating ChatGPT into their operational flows,” said Dmitry Shestakov, Head of Threat Intelligence at Group-IB.


“Employees enter sensitive communications or use the bot to optimize their own code. If so, this could unintentionally provide an attacker with a treasure trove of sensitive information.”

To mitigate such risks, we encourage users to follow good password hygiene practices and protect their accounts with two-factor authentication (2FA) to prevent account takeover attacks.
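The article describes stealer logs as records that pair a stolen login with the stealer family that produced it, the compromised host's IP address and the sites found in the log. The script below is an added example, not code from Group-IB or The Hacker News, showing how a defender would triage such a feed: it parses constructed sample lines in an assumed pipe-delimited layout (real marketplace formats differ), reproduces the kind of per-stealer and per-month counts the report gives, and turns any hit on the organization's own domains into the two responses the article recommends, a forced password reset with 2FA enforcement for the account and a cleanup of the host the stealer ran on. All domains, logins, IPs and months are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample stealer-log entries (hypothetical data, not a real leak).
# Assumed field order: month seen | stealer family | compromised host IP | site | login
SAMPLE_LOG_LINES = """
2023-04|Raccoon|203.0.113.5|chat.openai.com|alice@example-corp.test
2023-05|Raccoon|203.0.113.7|chat.openai.com|bob@example-corp.test
2023-05|Vidar|198.51.100.2|chat.openai.com|carol@mail.invalid
2023-05|RedLine|198.51.100.9|chat.openai.com|dave@example-corp.test
2023-05|Raccoon|203.0.113.5|bank.example.test|alice@example-corp.test
2023-03|Vidar|192.0.2.44|chat.openai.com|erin@mail.invalid
2023-05|Raccoon|203.0.113.9|chat.openai.com|frank@mail.invalid
malformed line that should be skipped
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<seen>\d{4}-\d{2})\|(?P<stealer>[^|]+)\|(?P<host_ip>[^|]+)\|"
    r"(?P<site>[^|]+)\|(?P<login>[^|]+)$"
)


def parse_log_lines(lines):
    """Parse pipe-delimited stealer-log lines into dicts; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def count_by_stealer(records, site="chat.openai.com"):
    """How many logs for `site` each stealer family produced (cf. Raccoon > Vidar > RedLine)."""
    return Counter(r["stealer"] for r in records if r["site"] == site)


def peak_month(records, site="chat.openai.com"):
    """(month, count) of the month with the most logs for `site`, or None if there are none."""
    by_month = Counter(r["seen"] for r in records if r["site"] == site)
    if not by_month:
        return None
    return by_month.most_common(1)[0]


def corporate_exposures(records, corporate_domains, site="chat.openai.com"):
    """Logins on the organization's own domains that appear in a stealer log for `site`."""
    exposed = set()
    for r in records:
        if r["site"] != site:
            continue
        _, _, domain = r["login"].rpartition("@")
        if domain.lower() in corporate_domains:
            exposed.add(r["login"].lower())
    return exposed


def compromised_hosts(records, corporate_logins):
    """Host IPs whose logs contain a corporate login. The stealer ran on that machine,
    so every credential saved in its browser is suspect, not only the one for this site."""
    return {r["host_ip"] for r in records if r["login"].lower() in corporate_logins}


def response_actions(records, corporate_domains):
    """Concrete follow-ups: per-account reset plus 2FA, and per-host cleanup."""
    logins = corporate_exposures(records, corporate_domains)
    hosts = compromised_hosts(records, logins)
    actions = [f"force password reset and enforce 2FA: {login}" for login in sorted(logins)]
    actions += [f"isolate and reimage host, rotate all browser-saved credentials: {ip}"
                for ip in sorted(hosts)]
    return actions


if __name__ == "__main__":
    recs = parse_log_lines(SAMPLE_LOG_LINES)
    print("logs per stealer:", count_by_stealer(recs))
    print("peak month:", peak_month(recs))
    for action in response_actions(recs, {"example-corp.test"}):
        print(action)
```

The host-level step matters more than it looks: a stealer log that exposes a ChatGPT password came from a browser that also held every other saved credential and session cookie on that machine, so resetting the one account named in the marketplace listing is not enough on its own.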

The development coincides with an ongoing malware campaign that uses the lure of fake OnlyFans pages and adult content to distribute a remote access trojan and information stealer called DCRat (or DarkCrystal RAT), a modified version of AsyncRAT.


“In observed cases, victims were lured to download a ZIP file containing a manually-run VBScript loader,” eSentire researchers said, noting that the activity has been ongoing since January 2023.

“The file naming convention suggests that the victims were lured in using explicit photos and OnlyFans content of various adult film actresses.”

It also follows the discovery of a new VBScript variant of malware called GuLoader (aka CloudEyE). This variant uses a tax-themed decoy to launch a PowerShell script that can retrieve the Remcos RAT and inject it into legitimate Windows processes.

“GuLoader is a highly evasive malware loader commonly used to steal information and deliver remote administration tools (RATs),” said the Canadian cybersecurity firm in a report released earlier this month.

“GuLoader leverages user-initiated scripts and shortcut files to execute highly obfuscated commands and encrypted shellcode multiple times. The result is a resident malware payload.”
