100K+ Infected Devices Leak ChatGPT Accounts to the Dark Web

In the last year, at least 100,000 devices infected by various infostealer malwares have leaked ChatGPT credentials to the Dark Web.

Infostealers can collect just about anything: information about a target machine, cookies and browser histories, documents, and so on. More often than not, hackers profit off of this kind of bounty not just by utilizing it themselves, but by reselling it on the Dark Web. For example, online marketplaces regularly traffic in logs that contain victims' account credentials for popular applications.

From June 2022 through last month, cybersecurity firm Group-IB tracked how many of these for-sale logs expose ChatGPT accounts. In total, it counted 101,134.

The malware overwhelmingly responsible for these leaks was Raccoon, the infamous Russian-designed tool first discovered in 2019. The Raccoon operation briefly shut down early last year after the death of its creator, only to come back new and improved three months later. Since then, it has been responsible for at least 78,348 devices leaking ChatGPT credentials.

Besides Raccoon, the researchers tracked 12,984 GPT-laden logs attributed to Vidar and 6,773 to Redline.

In the entire sample size, less than 5,000 infected devices were traced to North America. A plurality originated in the Asia-Pacific, with the biggest offenders being India (12,632) and Pakistan (9,217). Other countries with many exposed ChatGPT credentials included Brazil (6,531), Vietnam (4,771), and Egypt (4,558).

ChatGPT Logins the Tip of the Iceberg

Last December — the first month ChatGPT was made available to the public — the researchers tracked 2,766 Dark Web stealer logs containing compromised accounts. That number surpassed 11,000 the following month and doubled two months after that. By May, the figure was up to 26,802.

In other words, the trendline is clearly only moving in one direction.

But ChatGPT credentials are almost beside the point, says Mike Parkin, senior technical engineer at Vulcan Cyber. "Infostealers can be an issue, at least in part, because they're not as outwardly destructive as, say, ransomware, which is hard to miss. A well obfuscated infostealer can be much harder to detect, precisely because it doesn't make itself known."

Because organizations can more easily miss infostealers than certain other kinds of malware, they're liable to realize their sensitive data is gone only after it's too late.

"Depending on the strain of information stealer, hackers can be gathering everything from application and Web credentials to personal information, stored files, and system configurations. Organizations that have these malware infections in their environment could face having intellectual property, company financials, and pretty much any other data that lands on infected systems exposed," Parkin says.

As long as infostealers continue to run rampant, ChatGPT credentials will be the least of anybody's worries. "The real question," Parkin asks, "is what kind of data isn't being leaked by these kinds of malware?"