How AI Agents are Making Cybercrime Easier

Author: Eric Pudalov (DWK Contributor)
Date Published: December 17, 2025

AI seems to be everywhere at present, even in places where you might think it unnecessary. From Facebook to Instagram, YouTube, TikTok, and everywhere in between, AI-generated videos, imagery, and text are populating the web the world over. Of course, the rise of AI agents on mainstream platforms has, in turn, made them popular with cybercriminals as well.

Even before the “AI boom,” however, automated tools had long been a weapon used by attackers, carders, and many others. For instance, botnets have long been a tool used in DDoS attacks, spam, and data theft. The difference, at present, is that the multitude of online devices has made such attacks much easier, because there are so many more vulnerable targets. AI agents that perform such attacks, likewise, take advantage of these possibilities.

FraudGPT

One such AI agent that cybercriminals are taking an interest in is FraudGPT. You might think of it as ChatGPT’s “evil twin,” in a sense. It can write malicious code, make phishing sites, scrape data, find cardable sites, and perform attacks, to name a few. While the original ChatGPT and other mainstream agents have guardrails, FraudGPT has removed all of these. Its developers have also optimized it for use in attacks.

As one example, an attacker might use it to look for sites that accept credit card payments without strong verification requirements. The attacker might use a stolen or fake credit card or PayPal account, for instance, to make purchases on a cardable site, and FraudGPT makes the process much faster. In the past, the attacker may have had to do all this manually or use a slower program that took hours to search for targets.

There are many more cardable sites than one might think. Considering how many online shops exist at present, and how many payment processors there are, the possibilities are almost limitless. This, unfortunately, is only the tip of the iceberg.

An attacker might ask FraudGPT to write malicious programs of different sorts as well. Suppose the attacker first used FraudGPT to find a series of cardable sites. They could then follow this up by having it write code that could infiltrate these sites. Some vulnerable sites have a payment process bypass vulnerability, for instance, and these present the perfect targets. On certain shops, there is no two-factor authentication, or it may be easy to use a fraudulent or stolen credit card if the shop doesn’t check first. If one shop doesn’t work, the attacker may just move on to another, considering there are so many possibilities.

FraudGPT can also make scamming much easier. The scammer might ask it to quickly write a smishing message, for example. It may say something like: “Your PayPal account needs to be verified. Please click this link to log in.” It may even be able to generate the link, and the attacker could build a simple phishing page at the link in question. Many smishing texts contain shortened links that allegedly go to banks, credit cards, and other financial accounts, and they may look almost identical to the real ones.

A program like FraudGPT just makes this process faster and simpler. It could easily generate the text above, for instance, and a URL to go with it. The attacker might simply purchase or self-host a URL for the attack and take it down if it attracts too much suspicion. It’s quite common for the attackers to have hundreds of fraudulent URLs for such a purpose, in fact. Contrary to popular belief, there are even hosting services that specialize in fraudulent domain names.

Of course, FraudGPT is only one such tool, though it is one of the most popular and widely used in the carding community. A coder could just as easily make their own version of it under a different name as well.

AI Spambots

Beyond typical AI agents like FraudGPT, bots in general are making spam, phishing, and other attacks much simpler. The company Botmaster Labs has been making various types of spambots, even before the existence of ChatGPT and other AI agents. One of Botmaster Labs’ most popular products is a spambot called XRumer, which has been posting across the web in different places for the past few years. XRumer and some of the company’s other products, like XEvil, have made spam posts simpler than ever. The bot enables attackers to generate usernames, email addresses, and posts with ease, doing so at a rate much faster than most human moderators can keep up with.

You can see examples of some of XRumer’s handiwork on sites like Reddit, Dailymotion, and Medium, to name just a few. Some of the posts in question advertise fake diplomas in China, and reference WeChat IDs for the spammers who created them. People who take the spammers up on their offers eventually end up talking to a human, but XRumer makes the initial process much simpler. The same bot seems to be advertising escort services, hookup sites, and casinos based in South Korea as well, though the owners of these sites may be different than those selling the diplomas.

XRumer, and bots like it, can read many types of CAPTCHAs that would normally defeat standard spam posts, which is one way that they’ve been able to post across the web in such a short time. Botmaster Labs’ bots also use proxy-based IP addresses to get around administrators blocking the attackers’ IP addresses. While it’s certainly not the only spambot in existence, XRumer and bots of this sort have “revolutionized” the process of posting spam everywhere and have made it more difficult for infosec agencies and administrators to keep up.

Bots like FraudGPT, XRumer, and the others may seem unstoppable at this point, but they’ve forced cybersecurity agencies to come up with new tactics to handle the attacks. It looks like the war between the two will be ongoing, for better or worse.
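Because the spambots described above rotate proxy IP addresses and generate fresh usernames, a moderator's check has to key on the post text rather than the source address. The following Python is an added example, not code from the article or from any tool it names: it clusters near-duplicate posts by word-shingle overlap and flags text reused across several accounts. The field names, thresholds and sample posts are constructed for illustration.

```python
import re

# Constructed sample posts (documentation-range IPs, made-up users and handle).
SAMPLE_POSTS = [
    {"user": "li_7731", "ip": "192.0.2.10",
     "text": "Buy a university diploma fast, contact WeChat wx_example_01 today"},
    {"user": "zhao_0042", "ip": "198.51.100.7",
     "text": "Buy a university diploma fast, contact WeChat wx_example_01 now!!"},
    {"user": "chen_9915", "ip": "203.0.113.55",
     "text": "Buy a university diploma fast - contact WeChat wx_example_01"},
    {"user": "alice", "ip": "192.0.2.200",
     "text": "Does anyone know a good guide to setting up nginx rate limiting?"},
    {"user": "bob", "ip": "192.0.2.201",
     "text": "Thanks, the nginx rate limiting guide worked for me."},
]

def shingles(text, k=3):
    """Return the set of k-word shingles, ignoring case, digits and punctuation."""
    words = re.findall(r"[a-z]+", text.lower())
    if not words:
        return set()
    return {" ".join(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}

def jaccard(a, b):
    union = a | b  # overlap is defined as 0 when both sets are empty
    return len(a & b) / len(union) if union else 0.0

def find_campaigns(posts, threshold=0.5, min_accounts=3):
    """Greedily cluster near-duplicate posts; flag text reused by many accounts."""
    clusters = []
    for post in posts:
        sh = shingles(post["text"])
        for cluster in clusters:
            if jaccard(sh, cluster["rep"]) >= threshold:
                cluster["posts"].append(post)
                break
        else:  # no similar cluster found: this post starts a new one
            clusters.append({"rep": sh, "posts": [post]})
    flagged = []
    for cluster in clusters:
        users = sorted({p["user"] for p in cluster["posts"]})
        if len(users) >= min_accounts:
            ips = {p["ip"] for p in cluster["posts"]}
            flagged.append({"users": users, "distinct_ips": len(ips),
                            "sample": cluster["posts"][0]["text"]})
    return flagged

if __name__ == "__main__":
    print(find_campaigns(SAMPLE_POSTS))
```

On the sample data the three diploma posts form one flagged cluster even though each comes from a different account and IP address, while the two ordinary forum posts are left alone.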
