The dark web’s new ‘AI Marketplace’: Where stolen LLM credentials go to die?

By Mandar Patil, Executive Vice President, Cyble

The backbone of the contemporary business, governmental and digital service environment will increasingly be the utilization of artificial intelligence (AI) in everyday operations and activities (e.g., customer service automation, financial analytics, cyber-security) of many organisations will involve the use of Large Language Models (LLMs), a type of AI technology that generates responses based upon language patterns. But with the overall increase of adoption of AI, we are also seeing the emergence of new, dangerous underground economies that are comprised of black-market websites trading in stolen AI user credentials/access, compromised application programming interfaces (APIs) and hijacked enterprise accounts that leverage AI.

Rise of Stolen AI Credentials

During the past 12 months, numerous cybersecurity researchers have reported a dramatic increase in the number of compromised credentials linked to various AI-related systems and enterprise tools. Threat Actors are now targeting all types of accounts associated with AI development and creation, including developer accounts, API keys, cloud-hosted AI environments and enterprise subscriptions that offer unlimited access to advanced AI machine-learning models. Cybercriminals may use these stolen credentials to conduct business on encrypted message boards or dark web marketplaces, often bundling the credentials with details, such as limits on usage, enterprise permissions or methods of bypassing usage limits. In many situations, cybercriminals obtain users’ credentials by using infostealer malware (which enables retrieval of saved credentials) from the target device’s storage or from corporate systems used by the target. After acquiring the credentials, they become assets commonly used in underground markets.

Why AI Access Has Become a High-Value Target
AI access has become a high-value target due to its popularity given that advanced LLMs (large language models) are expensive to obtain and highly regulated. As many cybercriminals cannot afford the enterprise-level subscription for LLM access or are restricted geographically or by compliance, they are taking the stolen accounts way as a means of bypassing such restrictions. The other worry is the emerging trend of attackers targeting companies that use their private data to fine-tune inside LLMs for a particular company’s use. If an LLM from an enterprise is hacked into, it may grant an attacker access to any number of confidential internal documents, customer lists, strategy meetings that have occurred, or even proprietary code. These AI platforms can then be used as both a tool of operation as well as a treasure trove of intelligence for criminal networks. In such scenarios, dark web monitoring becomes critical for identifying leaked credentials, exposed enterprise access, discussions around compromised AI accounts, and threat actor activity targeting AI ecosystems. Cyble’s dark web monitoring capabilities help organisations detect early signs of compromise across underground forums, marketplaces, and illicit channels, enabling security teams to respond proactively and reduce the risk of sensitive AI-related data exposure.

The Emergence of “AI-as-a-Crime-Service”

The emergence of “AI-as-a-Crime-Service” is occurring as the underground economy is now evolving towards what experts refer to as “AI-as-a-Crime-Service.” In these environments, criminals can rent access to stolen AI accounts in a way that is similar to renting access to cloud infrastructure. Thus, they can purchase temporary access to premium models for use with spam creation, social engineering, and automated cyberattacks.

Some dark web forums are even beginning to list “uncensored” AI instances that can bypass all ethical protections and content moderation systems. These retooled systems are built specifically to conduct any number of illicit activities, including scripting fraud, developing malware, and impersonating a business or person. The industrialization of AI misuse represents a significant shift in how cyber criminals operate. They are no longer relying on technical skill alone; they are leveraging AI to scale the amount of deception, automate attacks, and lower operational expenses of performing illegal acts.

AI Technology Need For Enhanced Security
As companies incorporate AI technologies into their primary business functions, storing LLMs safe must be a priority for cybersecurity. Multi-factor authentication, API key rotation, endpoint security, and employee awareness should not be optional, but must now be requirements in order to protect against AI-specific cyber attacks.

Along with the advancement of AI, regulatory bodies and AI vendors need to develop larger regulatory models for monitoring user accounts for any significant unusual activity and to help identify malicious credential abuse. As a result of this increasing battle for AI, the landscape of that battle has expanded from one of technological development and competition to one of control, security, and trust in a technology-based society.