WormGPT AI Hacking Platform Suffers Data Breach, Exposing 19,000 Users A malicious AI tool designed for cybercrime, WormGPT, has allegedly suffered a data breach, exposing the personal details of 19,000 users. The leak, posted on a popular data breach forum earlier this month, includes sensitive information such as payment details, subscription plans, and user identities, raising concerns about targeted attacks against its customers. WormGPT, launched as a ChatGPT alternative for cybercriminals, offers subscription-based access starting at $50 per month or a $220 lifetime plan. The platform enables users even those without advanced hacking skills to conduct malware development, DDoS attacks, social engineering, and system infiltration. Its Telegram channel openly promotes illicit activities, including password cracking and crypto wallet hacking. The leaked data, verified by researchers, includes email addresses, payment currencies, and plan types, which could be exploited for phishing campaigns, blackmail, or identity discovery. The breach also highlights the risks of blackhat AI tools, as users of WormGPT may now face retaliation from other cybercriminals. The incident follows a pattern of malicious AI services being targeted by attackers, underscoring the growing threat of AI-driven cybercrime and the vulnerabilities of underground platforms.

DragonForce Escalates Cybercrime Turf War, Disrupts RansomHub and Rivals A new report from Sophos reveals that the ransomware group DragonForce is waging a “turf war” against rival operators as it seeks to dominate the cybercrime marketplace. The group’s aggressive expansion—including a hostile takeover attempt—may have contributed to RansomHub’s infrastructure outage in late March 2025, leading to a notable drop in ransomware attacks in April. ### DragonForce’s Cartel Model and Expansion In March 2025, DragonForce rebranded as a ransomware cartel, adopting a RaaS (Ransomware-as-a-Service) syndicate model that allows affiliates to operate under their own brands while leveraging DragonForce’s infrastructure. The group introduced “RansomBay”, a white-label service enabling affiliates to rebrand its ransomware tools. In exchange, DragonForce takes a 20% cut of ransom payments, providing affiliates with technical support, leak-site hosting, and operational backing. This model has already seen use in high-profile attacks, including those by Scattered Spider against UK retailers Marks & Spencer (M&S), the Co-operative Group, and Harrods in late April 2025. ### Attacks on Competing RaaS Groups Sophos researchers noted that DragonForce’s cartel announcement in March coincided with defacements of leak sites operated by rival groups BlackLock and Mamona, both of which were replaced with DragonForce’s logo. The move signals an aggressive push to undermine competitors and consolidate control over the ransomware ecosystem. The disruption of RansomHub and the broader decline in ransomware activity suggest DragonForce’s tactics may be reshaping the cybercrime landscape—at least temporarily.