August 8, 2023

WormGPT, a private new chatbot service advertised as a way to use Artificial Intelligence (AI) to write malicious software without all the pesky prohibitions on such activity enforced by the likes of ChatGPT and Google Bard, has started adding restrictions of its own on how the service can be used. Faced with customers trying to use WormGPT to create ransomware and phishing scams, the 23-year-old Portuguese programmer who created the project now says his service is slowly morphing into “a more controlled environment.”


The large language models (LLMs) made by ChatGPT parent OpenAI or Google or Microsoft all have various safety measures designed to prevent people from abusing them for nefarious purposes — such as creating malware or hate speech. In contrast, WormGPT has promoted itself as a new, uncensored LLM that was created specifically for cybercrime activities.

WormGPT was initially sold exclusively on HackForums, a sprawling, English-language community that has long featured a bustling marketplace for cybercrime tools and services. WormGPT licenses are sold for prices ranging from 500 to 5,000 Euro.

“Introducing my newest creation, ‘WormGPT,’ wrote “Last,” the handle chosen by the HackForums user who is selling the service. “This project aims to provide an alternative to ChatGPT, one that lets you do all sorts of illegal stuff and easily sell it online in the future. Everything blackhat related that you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home.”

WormGPT’s core developer and frontman “Last” promoting the service on HackForums. Image: SlashNext.

In July, an AI-based security firm called SlashNext analyzed WormGPT and asked it to create a “business email compromise” (BEC) phishing lure that could be used to trick employees into paying a fake invoice.

“The results were unsettling,” SlashNext’s Daniel Kelley wrote. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

SlashNext asked WormGPT to compose this BEC phishing email. Image: SlashNext.

A review of Last’s posts on HackForums over the years shows this individual has extensive experience creating and using malicious software. In August 2022, Last posted a sales thread for “Arctic Stealer,” a data stealing trojan and keystroke logger that he sold there for many months.

“I’m very experienced with malwares,” Last wrote in a message to another HackForums user last year.

Last has also sold a modified version of the information stealer DCRat, as well as an obfuscation service marketed to malicious coders who sell their creations and wish to insulate them from being modified or copied by customers.

Shortly after joining the forum in early 2021, Last told several different Hackforums users his name was Rafael and that he was from Portugal. HackForums has a feature that allows anyone willing to take the time to dig through a user’s postings to learn when and if that user was previously tied to another account.

That account tracing feature reveals that while Last has used many pseudonyms over the years, he originally used the nickname “ruiunashackers.” The first search result in Google for that unique nickname brings up a TikTok account with the same moniker, and that TikTok account says it is associated with an Instagram account for a Rafael Morais from Porto, a coastal city in northwest Portugal.


Reached via Instagram and Telegram, Morais said he was happy to chat about WormGPT.

“You can ask me anything,” Morais said. “I’m an open book.”

Morais said he recently graduated from a polytechnic institute in Portugal, where he earned a degree in information technology. He said only about 30 to 35 percent of the work on WormGPT was his, and that other coders are contributing to the project. So far, he says, roughly 200 customers have paid to use the service.

“I don’t do this for money,” Morais explained. “It was basically a project I thought [was] interesting at the beginning and now I’m maintaining it just to help [the] community. We have updated a lot since the release, our model is now 5 or 6 times better in terms of learning and answer accuracy.”

WormGPT isn’t the only rogue ChatGPT clone advertised as friendly to malware writers and cybercriminals. According to SlashNext, one unsettling trend on the cybercrime forums is evident in discussion threads offering “jailbreaks” for interfaces like ChatGPT.

“These ‘jailbreaks’ are specialised prompts that are becoming increasingly common,” Kelley wrote. “They refer to carefully crafted inputs designed to manipulate interfaces like ChatGPT into generating output that might involve disclosing sensitive information, producing inappropriate content, or even executing harmful code. The proliferation of such practices underscores the rising challenges in maintaining AI security in the face of determined cybercriminals.”

Morais said they have been using the GPT-J 6B model since the service was launched, although he declined to discuss the source of the LLMs that power WormGPT. But he said the data set that informs WormGPT is enormous.

“Anyone that tests wormgpt can see that it has no difference from any other uncensored AI or even chatgpt with jailbreaks,” Morais explained. “The game changer is that our dataset [library] is big.”

Morais said he began working on computers at age 13, and soon started exploring security vulnerabilities and the possibility of making a living by finding and reporting them to software vendors.

“My story began in 2013 with some greyhat activies, never anything blackhat tho, mostly bugbounty,” he said. “In 2015, my love for coding started, learning c# and more .net programming languages. In 2017 I’ve started using many hacking forums because I have had some problems home (in terms of money) so I had to help my parents with money… started selling a few products (not blackhat yet) and in 2019 I started turning blackhat. Until a few months ago I was still selling blackhat products but now with wormgpt I see a bright future and have decided to start my transition into whitehat again.”

WormGPT sells licenses via a dedicated channel on Telegram, and the channel recently lamented that media coverage of WormGPT so far has painted the service in an unfairly negative light.

“We are uncensored, not blackhat!” the WormGPT channel announced at the end of July. “From the beginning, the media has portrayed us as a malicious LLM (Language Model), when all we did was use the name ‘blackhatgpt’ for our Telegram channel as a meme. We encourage researchers to test our tool and provide feedback to determine if it is as bad as the media is portraying it to the world.”

It turns out, when you advertise an online service for doing bad things, people tend to show up with the intention of doing bad things with it. WormGPT’s front man Last seems to have acknowledged this at the service’s initial launch, which included the disclaimer, “We are not responsible if you use this tool for doing bad stuff.”

But lately, Morais said, WormGPT has been forced to add certain guardrails of its own.

“We have prohibited some subjects on WormGPT itself,” Morais said. “Anything related to murders, drug traffic, kidnapping, child porn, ransomwares, financial crime. We are working on blocking BEC too, at the moment it is still possible but most of the times it will be incomplete because we already added some limitations. Our plan is to have WormGPT marked as an uncensored AI, not blackhat. In the last weeks we have been blocking some subjects from being discussed on WormGPT.”

Still, Last has continued to state on HackForums — and more recently on the far more serious cybercrime forum Exploit — that WormGPT will quite happily create malware capable of infecting a computer and going “fully undetectable” (FUD) by virtually all of the major antivirus makers (AVs).

“You can easily buy WormGPT and ask it for a Rust malware script and it will 99% sure be FUD against most AVs,” Last told a forum denizen in late July.

Asked to list some of the legitimate or what he called “white hat” uses for WormGPT, Morais said his service offers reliable code, unlimited characters, and accurate, quick answers.

“We used WormGPT to fix some issues on our website related to possible sql problems and exploits,” he explained. “You can use WormGPT to create firewalls, manage iptables, analyze network, code blockers, math, anything.”

Morais said he wants WormGPT to become a positive influence on the security community, not a destructive one, and that he’s actively trying to steer the project in that direction. The original HackForums thread pimping WormGPT as a malware writer’s best friend has since been deleted, and the service is now advertised as “WormGPT – Best GPT Alternative Without Limits — Privacy Focused.”

“We have a few researchers using our wormgpt for whitehat stuff, that’s our main focus now, turning wormgpt into a good thing to [the] community,” he said.

It’s unclear yet whether Last’s customers share that view.

16 thoughts on “Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT’

  1. Ray Tracy

    If this is their idea of a convincing phishing email, I have a half billion in Krugerands that my father, a Nigerian Prince is trying to get out of Namibia.
    While software might not be able to swat that kind of thing away, I think anyone with 2 functioning braincells could pick it out.

    1. CallMeSuspicious

      I agree Ray. This has pretty much all the red flags for a phishing email lol.

  2. mealy

    “Uncensored, not blackhat! Blackhat users welcome! Also, now we censor some things.
    Now we’re whitehat, but we can still write FUD malware.”
    It’s like his responses themselves were written by a GPT.

  3. Lucks

    Hi, I believe I coincidentally happened to send you a message about this on the day that this article was published concerning a research project I’m currently doing! If you could possibly send me a reply via email, it would be much appreciated!

  4. jb

    To be fair, it seems like WormGPT is more about writing malware than phishing.

    1. mealy

      It’s anything you task it to do. It’s ultimately about automating campaigns.

  5. Howard

    He literally advertised it for, and I quote, “blackhat” and “illegal stuff”. He’s also advertising it on hacking forums well known for housing cybercriminals and selling illegal things. It doesn’t get any more transparent then that. Not to mention hackforums is notorious for pretending that everything there is legal, only for the sellers and customers to get arrested. I say he’s sh***ing his pants and trying to do damage control.

  6. Blanche DuBois

    Alberto Gonzales (only stole 130 million CCs, 2005-2008, a giant for his time) will be released from FMC Lexington on 9Sep2023, having completed his 20 year sentence.
    One wonders how he will adjust to all the new options for online fraud presented in the story…
    (20 years…Where has the time gone…?)

  7. shannon

    he’s thriving because journos like you are giving him and his pasted program publicity. it’s not revolutionary nor inventive and he would have abandoned it long ago if not for articles praising how “scary” it is (it’s not) driving up his sales. stop with this unimportant ai, please

  8. zen

    How can this have had any customers? Are people just so naive that they can’t do a google search and find a dozen completely uncensored AI models? Most class of malware are represented in github already and in the training data, let alone that almost all malware functionality is simple and just a matter of wording. Think of a “software that can securely encrypt a bunch of your files and delete them”. Ransomware? or does that not also fit 7-zip, rar, zip, etc? This isn’t rocket science. Are people really not aware of things like or You can run hundreds of these AI models on a consumer-grade desktop pc just using CPU and the quality is good and many models are completely uncensored, as they should be. Censoring AI is idiotic – go burn a book while you’re at it you cretins. Access to information should be unlimited and total. If you are concerned about something, deal with the actions, not the knowledge itself. The media has been chasing it’s tail about the stark raving fear that a computer program might say the n word or tell you how to make napalm when that information is a google search away or at any public LIBRARY. The US government itself publishes that information, in numerous manuals and in court documents but mainstream AI will act like it’s the end of the world to tell you. -> how to make napalm -> click on first link. There you go genius. People are worried about the completely wrong things when it comes to AI.

    1. mealy

      AI hallucinates, can be compromised, isn’t mature or trustworthy UNLESS censored and curated.
      Comparing it to book burning is just naive. Comparing 7-zip to ransomware, trolling or serious?
      “Access to information should be unlimited and total.” – It works like this nowhere at all in reality.

      Using the media’s scattershot coverage as if a shield against actual issues is a simplistic non-take.
      If it’s going to be invested in by big corps they’re going to want to protect their investment / IP.
      Pretending its akin to “book burning” to sanitize inputs and manage scope is Q-Anon level jive.

      1. Van ealy

        Restricting free speech and freedom of information and privacy are the embodiment of evil. Those who allow fear to be a key, motivating factor are a bane to human advancement. Yeah, sure… let’s backdoor encryption, abolish the first amendment, and continue investing into military and weapons development, right? You literally fucking make me sick.

        1. mealy

          “Restricting free speech and information and privacy are embodiment of evil.”
          -‘Good and evil’ references on this topic are like Bible quotes in Calculus.
          The devil is in details as always they were. The “greater good” still applies,
          (and that’s actually complicated AF) but please, worship Braveheart memes…

          In the age of nuclear weapons, AI-curated pathogens, malware, ghost guns,
          “Oh, all information wants to be free, as in lunch.” No questions asked…
          Nor unfortunate possible questions comprehended beforehand either…

          “Those who allow fear to be a key factor are a bane to human advancement”
          And what’s your definition of “human advancement?” Cinnamon challenges?
          Security realizations in an insecure world may manifest as “fears,” but that’s
          just a common emotional response to perhaps overwhelming information.
          (Not all information is “good” and those who believe that are “morons” -really.
          “Good company” excluded naturally of course…)

          Even as we tolerate a “literal sickness” towards discussing epistemology,
          your definition of evil is somewhat obviously not an “ultimate” one. Nope.
          You just don’t have the comparative perspective to make that judgement;
          because you live a safe, convenient, prosperous, censored, curated life.
          This conversation is exhibit A: It exists, demonstrating that.

          *BK could censor both of us for deviating from topically-related mention,
          as is his control over his domain. He’s got the power, uses it sparingly…
          Is BK your embodiment of “evil” too? “All slogans equal, all the time?”
          Not all censorship is of pro-military or authoritarian aim, it’s a fallacy.
          (Ask mom when you’re older.)

          And if you find a single country, system or group of people without ANY
          censorship, please document your new finding in that wonderful style…
          Never stop being “literally sick” about things you don’t quite understand.
          That could only lead to self-censorship, while you consider the issues…
          Wouldn’t that be a literal pity.

  9. Togamika

    Since the guy tells he is an “open book”, it would have been nice to have him explain exactly what he means by “uncensored”. How do you “uncensor” an LLM? Does it mean that he tuned the model so that it is able to execute new tasks, and if yes with what technique and with what data? Note: For a nice overview of what techniques are available, have a look at “A Survey of Large Language Models” on arXiv.

  10. Brian Hadley

    One of my biggest concerns that I had while watching the rise of these AI LLM “GPT” models was “when will they be turned towards nefarious things”. I guess I know the answer to that now – immediately. Using these AI models to write novel malware as easily as it can write a novel movie script is concerning to say the least. What will be really interesting is to see how they implement another AI LLM against these malware factories. AI wars – kind of has a catchy ring to it!

Comments are closed.