Welcome to the Era of BadGPTs
The dark web is home to a growing array of artificial-intelligence chatbots similar to ChatGPT, but designed to help hackers. Businesses are on high alert for a glut of AI-generated email fraud and deepfakes.
The dark web is home to a growing array of artificial-intelligence chatbots similar to ChatGPT, but designed to help hackers. Businesses are on high alert for a glut of AI-generated email fraud and deepfakes.
A new crop of nefarious chatbots with names like “BadGPT” and “FraudGPT” are springing up on the darkest corners of the web, as cybercriminals look to tap the same artificial intelligence behind OpenAI’s ChatGPT.
Just as some office workers use ChatGPT to write better emails, hackers are using manipulated versions of AI chatbots to turbocharge their phishing emails. They can use chatbots—some also freely-available on the open internet—to create fake websites, write malware and tailor messages to better impersonate executives and other trusted entities.
Earlier this year, a Hong Kong multinational company employee handed over $25.5 million to an attacker who posed as the company’s chief financial officer on an AI-generated deepfake conference call, the South China Morning Post reported, citing Hong Kong police. Chief information officers and cybersecurity leaders, already accustomed to a growing spate of cyberattacks , say they are on high alert for an uptick in more sophisticated phishing emails and deepfakes.
Vish Narendra, CIO of Graphic Packaging International, said the Atlanta-based paper packing company has seen an increase in what are likely AI-generated email attacks called spear-phishing , where cyber attackers use information about a person to make an email seem more legitimate. Public companies in the spotlight are even more susceptible to contextualised spear-phishing, he said.
Researchers at Indiana University recently combed through over 200 large-language model hacking services being sold and populated on the dark web. The first service appeared in early 2023—a few months after the public release of OpenAI’s ChatGPT in November 2022.
Most dark web hacking tools use versions of open-source AI models like Meta ’s Llama 2, or “jailbroken” models from vendors like OpenAI and Anthropic to power their services, the researchers said. Jailbroken models have been hijacked by techniques like “ prompt injection ” to bypass their built-in safety controls.
Jason Clinton, chief information security officer of Anthropic, said the AI company eliminates jailbreak attacks as they find them, and has a team monitoring the outputs of its AI systems. Most model-makers also deploy two separate models to secure their primary AI model, making the likelihood that all three will fail the same way “a vanishingly small probability.”
Meta spokesperson Kevin McAlister said that openly releasing models shares the benefits of AI widely, and allows researchers to identify and help fix vulnerabilities in all AI models, “so companies can make models more secure.”
An OpenAI spokesperson said the company doesn’t want its tools to be used for malicious purposes, and that it is “always working on how we can make our systems more robust against this type of abuse.”
Malware and phishing emails written by generative AI are especially tricky to spot because they are crafted to evade detection. Attackers can teach a model to write stealthy malware by training it with detection techniques gleaned from cybersecurity defence software, said Avivah Litan, a generative AI and cybersecurity analyst at Gartner.
Phishing emails grew by 1,265% in the 12-month period starting when ChatGPT was publicly released, with an average of 31,000 phishing attacks sent every day, according to an October 2023 report by cybersecurity vendor SlashNext.
“The hacking community has been ahead of us,” said Brian Miller, CISO of New York-based not-for-profit health insurer Healthfirst, which has seen an increase in attacks impersonating its invoice vendors over the past two years.
While it is nearly impossible to prove whether certain malware programs or emails were created with AI, tools developed with AI can scan for text likely created with the technology. Abnormal Security , an email security vendor, said it had used AI to help identify thousands of likely AI-created malicious emails over the past year, and that it had blocked a twofold increase in targeted, personalised email attacks.
When Good Models Go Bad
Part of the challenge in stopping AI-enabled cybercrime is some AI models are freely shared on the open web. To access them, there is no need for dark corners of the internet or exchanging cryptocurrency.
Such models are considered “uncensored” because they lack the enterprise guardrails that businesses look for when buying AI systems, said Dane Sherrets, an ethical hacker and senior solutions architect at bug bounty company HackerOne.
In some cases, uncensored versions of models are created by security and AI researchers who strip out their built-in safeguards. In other cases, models with safeguards intact will write scam messages if humans avoid obvious triggers like “phishing”—a situation Andy Sharma, CIO and CISO of Redwood Software, said he discovered when creating a spear-phishing test for his employees.
The most useful model for generating scam emails is likely a version of Mixtral, from French AI startup Mistral AI, that has been altered to remove its safeguards, Sherrets said. Due to the advanced design of the original Mixtral, the uncensored version likely performs better than most dark web AI tools, he added. Mistral did not reply to a request for comment.
Sherrets recently demonstrated the process of using an uncensored AI model to generate a phishing campaign. First, he searched for “uncensored” models on Hugging Face, a startup that hosts a popular repository of open-source models—showing how easily many can be found.
He then used a virtual computing service that cost less than $1 per hour to mimic a graphics processing unit, or GPU, which is an advanced chip that can power AI. A bad actor needs either a GPU or a cloud-based service to use an AI model, Sherrets said, adding that he learned most of how to do this on X and YouTube.
With his uncensored model and virtual GPU service running, Sherrets asked the bot: “Write a phishing email targeting a business that impersonates a CEO and includes publicly-available company data,” and “Write an email targeting the procurement department of a company requesting an urgent invoice payment.”
The bot sent back phishing emails that were well-written, but didn’t include all of the personalisation asked for. That’s where prompt engineering , or the human’s ability to better extract information from chatbots, comes in, Sherrets said.
Dark Web AI Tools Can Already Do Harm
For hackers, a benefit of dark web tools like BadGPT—which researchers said uses OpenAI’s GPT model—is that they are likely trained on data from those underground marketplaces. That means they probably include useful information like leaks, ransomware victims and extortion lists, said Joseph Thacker, an ethical hacker and principal AI engineer at cybersecurity software firm AppOmni.
While some underground AI tools have been shuttered, new services have already taken their place, said Indiana University Assistant Computer Science Professor Xiaojing Liao, a co-author of the study. The AI hacking services, which often take payment via cryptocurrency, are priced anywhere from $5 to $199 a month.
New tools are expected to improve just as the AI models powering them do. In a matter of years, AI-generated text, video and voice deepfakes will be virtually indistinguishable from their human counterparts, said Evan Reiser , CEO and co-founder of Abnormal Security.
While researching the hacking tools, Indiana University Associate Dean for Research XiaoFeng Wang, a co-author of the study, said he was surprised by the ability of dark web services to generate effective malware. Given just the code of a security vulnerability, the tools can easily write a program to exploit it.
Though AI hacking tools often fail, in some cases, they work. “That demonstrates, in my opinion, that today’s large language models have the capability to do harm,” Wang said.
What a quarter-million dollars gets you in the western capital.
Alexandre de Betak and his wife are focusing on their most personal project yet.
U.S. investors’ enthusiasm over Japanese stocks at this time last year turned out to be misplaced, but the market is again on the list of potential ways to diversify. Corporate shake-ups, hints of inflation after years of declining prices, and a trade battle could work in its favor.
Japanese stocks started 2024 off strong, but an unexpected interest-rate increase in August by the Bank of Japan triggered a sharp decline that the market has spent the rest of the year clawing back. Weakness in the yen has cut into returns in dollar terms. The iShares MSCI Japan ETF , which isn’t hedged, barely returned 7% last year, compared with 30% for the WisdomTree Japan Hedged Equity Fund .
The market is relatively cheap, trading at 15 times forward earnings, about where it was a decade ago, and events on the horizon could give it a boost. Masakazu Takeda, who runs the Hennessy Japan fund, expects earnings growth of mid-single digits—2% after inflation and an additional 2% to 3% as companies return more to shareholders through dividends and buybacks.
“We can easily get 10% plus returns if there’s no exogenous risks,” Takeda told Barron’s in December.
The first couple months of the year could be volatile as investors assess potential spoilers, such as whether the new Trump administration limits its tariff battle to China or goes wider, which would hurt Japan’s export-dependent market. The size of the wage increases labor unions secure in spring negotiations is another risk.
But beyond the headlines, fund managers and strategists see potential positive factors. First, 2024 will likely turn out to have been a record year for corporate earnings because some companies have benefited from rising prices and increasing demand, as well as better capital allocation.
In a note to clients, BofA strategist Masashi Akutsu said the market may again focus on a shift in corporate behavior that has begun to take place in recent years. For years, corporate culture has been resistant to change but recent developments—a battle over Seven & i Holdings that pits the founding family and investors against a bid from Canada’s Alimentation Couche-Tard , and Honda and Nissan ’s merger are examples—have been a wake-up call for Japanese companies to pursue overhauls. He expects a pickup in share buybacks as companies begin to think about shareholder returns more.
A record number of companies have also delisted, often through management buyouts, in another indication that corporate behavior is changing in favor of shareholders.
“Japan is attracting a lot of activist interest in a lot of different guises, says Donald Farquharson, head of the Japanese equities team for Baillie Gifford. “While shareholder proposals are usually unsuccessful, they do start in motion a process behind the scenes about the capital structure.”
For years, money-losing businesses were left alone in large corporations, but the recent spate of activism and focus on shareholder returns has pushed companies to jettison such divisions or take measures to improve them.
That isn‘t to say it is going to be an easy year. A more protectionist world could be problematic for sentiment.
But Japan’s approach could become a model for others in this new world. “Japan has spent the last 30 to 40 years investing in business overseas, with the automotive industry, for example, manufacturing a lot of the cars in the geographies it sells in,” Farquharson said. “That’s true of a lot of what Japan is selling overseas.”
Trade volatility that hits Japanese stocks broadly could offer opportunities. Concerns about tariffs could drag down companies such as Tokio Marine Holdings, which gets half its earnings by selling insurance in the U.S., but wouldn’t be affected by duties. Similarly, Shin-Etsu Chemicals , a silicon wafer behemoth that sells critical materials, including to the chip industry, is another potential winner, Takeda says.
If other companies follow the lead of Japanese exporters and set up shop in the markets they sell in, Japanese automation makers like Nidec and Keyence might benefit as a way to control costs in countries where wages are higher, Farquharson says.
And as Japanese workers get real wage growth and settle into living in an economy no longer in a deflationary rut, companies focused on domestic consumers such as Rakuten Group should benefit. The internet company offers retail and travel, both of which should benefit, but also is home to an online banking and investment platform.
Rakuten’s enterprise value—its market capitalization plus debt—is still less than its annual sales, in part because the company had been investing heavily in its mobile network. But that division is about to hit break even, Farquharson says.
A stock that stands to benefit from consumer spending and the waves or tourists the weak yen is attracting is Orix , a conglomerate whose businesses include an international airport serving Osaka. The company’s aircraft-leasing business also benefits from the production snags and supply-chain disruptions at Airbus and Boeing , Takeda says.
An added benefit: Its financial businesses stand to get a boost as the Bank of Japan slowly normalizes interest rates. The stock trades at about nine times earnings and about par for book value, while paying a 4% dividend yield.
Corrections & Amplifications: The past year is expected to turn out to have been a record one for corporate earnings in Japan. An earlier version of this article incorrectly gave the time frame as the 12 months through March. Separately, Masashi Akutsu is a strategist at BofA. An earlier version incorrectly identified his employer as UBS.