This paper

The underground exploitation of large language models (LLMs) for malicious services (i.e., Malla ) is witnessing an uptick, amplifying the cyber threat landscape and posing questions about the trustworthiness of LLM technologies. However, there has been little effort to understand this new cybercrime, in terms of its magnitude, impact, and techniques. In this paper, we conduct the first systematic study on 212 real-world Mallas , uncovering their proliferation in underground marketplaces and exposing their operational modalities. Our study discloses the Malla ecosystem, revealing its significant growth and impact on today’s public LLM services. Through examining 212 Mallas , we uncovered eight backend LLMs used by Mallas , along with 182 prompts that circumvent the protective measures of public LLM APIs. We further demystify the tactics employed by Mallas , including the abuse of uncensored LLMs and the exploitation of public LLM APIs through jailbreak prompts. Our findings enable a better understanding of the real-world exploitation of LLMs by cybercriminals, offering insights into strategies to counteract this cybercrime.


Introduction
The rapid evolution of artificial intelligence has given rise to a new generation of applications powered by large language models (LLMs).These models, which are trained on vast amounts of text from the Internet, possess the capability to generate human-like text that is coherent, contextually relevant, and often indistinguishable from human-written content.LLM-integrated applications, ranging from chatbots and content generators to coding assistants and recommendation systems, have gained significant traction in various sectors, transforming the way we interact with technology.At the forefront of this revolution are LLM vendors like OpenAI, Anthropic, and Meta, who, through their state-of-the-art models and platforms, have made it feasible for developers and businesses to embed LLM capabilities into their applications.This widespread adoption, however, has also raised concerns about the potential misuse of LLM.
Recent reports and news articles [34,81] have highlighted instances of LLMs being repurposed as malicious services in the underground marketplaces, which we call "malicious LLM applications" or Malla.In these scenarios, adversaries exploit the capabilities of LLMs to perform malicious activities, ranging from generating sophisticated malicious code and designing vulnerability scanners to crafting convincing phishing emails and creating deceptive scam websites.The implications of such abuse to cybersecurity are profound.With Malla, even individuals with limited technical skills can now produce complicated cyberattacks, elevating the threat landscape to unprecedented levels.Furthermore, these instances underscore the inherent dangers lurking within publicly accessible LLMs or their associated APIs.Their potential misuse not only magnifies existing security challenges but also casts shadows of doubt over the reliability and trustworthiness of cutting-edge LLM technologies.However, to our knowledge, little has been done so far to systematically explore real-world Malla samples, and understand the underground ecosystem behind them and their security implications.
Bridging this knowledge gap, this paper presents the first systematic study of real-world Mallas.Specifically, we developed a systematic approach to collect a set of Mallas associated with 212 samples, from February 2023 to September 2023.Leveraging this dataset, we designed and implemented a suite of measurement and dedicated reverse-engineering tools.These tools enable us to perform a large-scale study to unearth the underground ecosystem and the modus operandi of Mallas.More specifically, we aim to answer the following questions: Who are the pivotal players within the Malla ecosystem?How is Malla orchestrated and monetized?What techniques did miscreants deploy to exploit LLMs and build up Mallas?
Looking into the ecosystem of Malla, we are surprised to find that this new malicious service is trending in the underground marketplaces, reflecting a notable shift in today's public LLM services landscape.More specifically, through our analysis of Malla listings across nine underground mar-ketplaces, our study uncovered a rapid increase of Mallas, which has grown from April 2023 to October 2023 over the span of six months.Interestingly, we observe that miscreants utilized an LLM-integrated application (LLMA) hosting platform, Poe [60] offered by Quora, to showcase a "vouch copy" of their Malla.Despite the violation of the platform's usage policies [116], this activity went unchecked throughout our observation window from July 2023 to March 2024.Furthermore, a pricing comparison indicates that Malla offers a more economical option for malicious code generation, especially when juxtaposed with the rates of traditional malware vendors ($5-199 vs $399).To provide a deeper understanding of the economic factors at play, our case study focused on a specific Malla service, WormGPT.The findings revealed a staggering revenue exceeding $28K in just two months, underscoring the significant financial allure to Malla vendors.Through investigating 207 Malla samples, we explore the research question: To what extent can Malla generate malicious content, including malicious code, phishing emails, and deceptive websites?Our findings bring to light that certain Mallas, like DarkGPT and EscapeGPT, excel in producing high-quality malicious code that is both compilable and capable of evading Virus-Total detection [75], while others (e.g., WolfGPT) can create phishing emails with a high readability score and manages to bypass OOPSpam [56].Although Malla generally lags in crafting phishing sites, one Malla (i.e., EscapeGPT) distinguishes itself by generating operational phishing site codes that go unnoticed.This highlights the significant concerns surrounding the cybercriminal exploitation of LLMs.
In our exploration of Malla artifacts, we identified two predominant techniques leveraged by miscreants: exploitation of uncensored LLMs and jailbreaking of public LLM APIs.We call an LLM "uncensored" when it can freely generate any content, regardless of its potential harm, offensiveness, or inappropriateness, without undergoing any intentional filtering or suppression.Our findings bring to light the ethical quandaries posed by publicly accessible, uncensored LLMs when they fall into the hands of adversaries.A case in point is the LLM, Luna AI Llama2 Uncensored [69], provided by Tap [70].Our data suggests that this model has been exploited by Mallas to facilitate malicious code generation.Moreover, our research brings to light 182 distinctive jailbreak prompts associated with five public LLM APIs that have been exploited.Notably, OpenAI emerges as the LLM vendor most frequently targeted by Mallas.Among its offerings, gpt-3.5-turboappears to be particularly susceptible to jailbreak prompts.We took the responsible step of informing the affected parties about our findings.Contributions.We summarize the contributions as follows: • We conduct the first in-depth empirical study of realworld cybercriminal activities surrounding the misuse of LLMs as malicious services.
• Our study provides a detailed examination of the Malla ecosystem, revealing its significant growth and impact on today's public LLM services.Our study reveals that public LLMA hosting platforms have been abused for hosting Mallas.
• We characterize real-world Malla samples, including their development frameworks, exploitation techniques such as jailbreak prompts, and quality in generating various malicious content.This sheds light on the capabilities and potential threats posed by these malicious services.
• We have released a set of artifacts integral to Mallas1 , including 45 prompts exploited by miscreants to engineer malicious code and phishing campaigns, 182 jailbreak prompts that circumvent the protective measures of public LLMs, etc.

Large Language Model
A language model is a type of machine learning model designed to understand and generate human language based on a probability distribution over text corpora.In recent years, significant scaling improvements have been achieved by increasing model sizes (from a few million parameters [94] to hundreds of billions [90]) and incorporating larger text corpora (from a few gigabytes, e.g., English Wikipedia dataset, to hundreds of gigabytes [95]).These advancements have empowered pre-trained large language models (LLMs) to demonstrate remarkable proficiency across a wide array of downstream LLM-integrated applications (LLMA), such as chatbot, coding assistant, and machine translation.
Paradigms for building LLM-integrated applications.To employ a pre-trained LLM for downstream tasks and applications, there are two primary paradigms, i.e., "pre-train and prompt" and "pre-train and fine-tune," as elaborated below.
• "Pre-train and prompt."In this paradigm, the pre-trained LLM is used as-is, while users provide a text or template, known as a prompt, to guide the generation to output answers for desired tasks.This approach is straightforward and costeffective, as the same pre-trained model can be used without the need for task-specific data.However, the quality of results heavily relies on the quality and formulation of the prompts.Crafting effective prompts (a.k.a., prompt engineering [104]) is essential for obtaining desired outcomes.In our study, we observed that this paradigm emerges as the predominant approach employed by Mallas.
• "Pre-train and fine-tune."In this approach, a pre-train LLM is adapted for a particular downstream task through fine-tuning.This fine-tuning process requires training the model using a substantial volume of labeled data that pertains to the target task.While this approach can lead to state-of-the-art performance on specific tasks, it can be computationally expensive due to the need for task-specific data and training resources.
LLM vendors and LLMA hosting platforms.LLM vendors, like OpenAI, Anthropic, and Meta, have established potent and sophisticated models by training on vast corpora, spanning various domains, enabling them to generate coherent and contextually relevant text based on input prompts.These vendors are often made available to the public and developer community via API services, which can be utilized to build various applications and services.However, some models or their variants (e.g., Llama-2-7B) are open-sourced, enabling developers to deploy these models independently of the vendor's API, sometimes leading to instances where they can be used without the vendor's imposed restrictions and generate harmful content (e.g., Luna AI Llama2 Uncensored).In our study, we named those LLMs as uncensored LLM.Our investigation revealed that miscreants frequently utilized uncensored LLMs to power the backend of Malla operations ( § 6).
In addition, LLMA hosting platforms (e.g., Poe [60] and FlowGPT [29]) have emerged to host LLM-integrated applications.They enable users to exploit the capabilities of LLMs by facilitating an accessible interface to deploy custom LLMs and prompts, which can be leveraged to create specific applications or services.However, as highlighted in § 4, these platforms, while enhancing accessibility and utility, can also be exploited for malicious purposes.Safety measures of LLM.LLM vendors and LLMA hosting platforms have recognized the potential for misuse of their models.They usually released usage policies, serving as explicit guidelines to clearly outline prohibited actions that users must adhere to when interacting with the LLM.For instance, OpenAI and Llama have defined various disallowed usage scenarios, including the generation of malicious code and engagement in fraudulent or deceptive activities like spam and scams [108,112].Similarly, Poe's usage policy explicitly prohibits illegal activities and security violations [116].
Also, LLM vendors have implemented safety measures to mitigate such risks ( § 7).Specifically, to prevent LLMs from crafting harmful content, moderation mechanisms, like Ope-nAI Moderation Endpoint [111], have been deployed by LLM vendors to provide real-time checks on the crafted content.Furthermore, some vendors actively safeguard their models to reduce the likelihood of generating harmful or inappropriate content.For instance, OpenAI's GPT-3.5/4 has undergone extensive training incorporating human feedback and redteaming methods [36,114].While these measures represent significant strides toward ensuring responsible use, challenges persist due to the fast-evolving nature of potential risks and threats.In our study, we observed that such security measures can be circumvented by miscreants to build up Mallas ( § 6).

Threat Model
In our research, we explore the scenario where a miscreant violates usage policies and exploits LLMs to offer LLMintegrated applications as malicious services, i.e., Malla.

Malicious LLM Application
Telegram Websites

Work on
Backend LLM These services consist of generating various forms of malicious code (e.g., exploit kits, ransomware, worms), as well as writing phishing emails and creating phishing or scam webpages, among other illicit activities.For this purpose, the miscreant aims to circumvent safety measures, including content filters like OpenAI's moderator [111], that are typically provided by LLM vendors to prevent the generation of prohibited content.Alternatively, they may employ uncensored LLMs and wrap them as malicious services.Note that we assume the miscreant possesses capabilities similar to those of an ordinary user, requiring no special privileges or access to pre-trained commercial LLMs.
Malla workflow.Our preliminary study of Malla ( § 4) indicates that Malla follows a typical workflow, as depicted in Figure 1.A Malla provider engages in the misuse of public LLM APIs (e.g., OpenAI API, Llama API) or uncensored LLMs (e.g., Luna AI Llama2 Uncensored, Pygmalion-13B [62]) and deploys them to offer malicious services (➊), such as malicious code generation.Typically, Malla is deployed as a web service or hosted on a third-party LLMA hosting platform (e.g., Poe) (➋).After the deployment, the Malla provider promotes it through various underground marketplaces and forums (➌).Users who look for automated tools to generate malicious code or phishing emails/websites discover these Malla listings.Once identified, they navigate to the associated storefront websites and proceed to purchase the Malla services (➍).After that, the users interact with the Malla (➎) through a graphical user interface (GUI) or an API, facilitating the generation of malicious code or phishing emails/sites (➏).

Scope of problem.
In this study, the term "malicious service" refers to the exploitative misuse of LLMs for the purpose of facilitating cybercriminal activities.Specifically, based on the functionalities observed in Malla, our focus is on the following cybercriminal activities: generating malicious code, writing phishing emails, and creating phishing or scam webpages, among other illicit activities.We acknowledge that LLMs can potentially be misused for other prohibited purposes ( § 7).However, our study centers on the threats posed by the malicious misuse of LLMs in the context of cybercrime.

Data Collection
In our paper, we categorize Malla into two types: commercial Malla services, where malicious LLM-integrated applications are created and deployed for profit, and publicly accessible Malla projects, where malicious applications are developed and distributed as publicly available projects.In this section, we first explain the methods to collect commercial Malla services and public Malla projects, as well as their artifacts (e.g., backend LLM, abused public LLM APIs, and prompts used by Mallas).After that, we discuss the ethical implications of our data collection ( § 3.3).

Malla Services
To identify Malla services, we collected  [93,117].Note that we focus on underground marketplaces of malicious code and other cyber products/services, instead of illegal drugs.Specifically, to recognize the listings involving Malla services, we crafted a collection of 145 keywords related to "large language model" (see [43]) using a search keyword generation tool of WordStream [31], and then searched those keywords on underground marketplaces and forums.For four forums-Hack Forums, XSS.is, BreachForums, and BlackHatWorld)we built our scrapers using Selenium to crawl and parse site content.Regarding the rest five Tor-based marketplaces, we utilized the scrapers based on Tor browser and Selenium.Our study ensured complete data scraping by manually checking a range of measures, including real-time monitoring of HTTP status codes and page sizes, vigilant session management to address session expiration, and manual CAPTCHA completion when access was denied.
Datasets.In this way, we collected the following datasets related to commercial Malla services, shown in Table 2: • Malla listing dataset (L s ).This dataset consists of 25 Malla listings from five marketplaces and forums (Hack Forums, XSS.is, BreachForums, Abacus Market, and Kingdom Market), extracted by initially filtering with GPT-4 and subsequently verifying the text and images within listings manually.These listings range from 41 to 730 words, averaging 216.75 words.A typical Malla listing contains various artifacts, including the service name, prices, functionality (e.g., malicious code generation), demo screenshots featuring prompts and responses associated with malicious functionality, contact information, and storefront website URLs ( § 4).Due to the few Malla listings, we opted for manual extraction to accurately and thoroughly document these artifacts.From these Malla listings, we identified 14 Malla services as listed in Table 1.
• Samples of Malla services (D s ).Out of the 14 Malla services, we collected nine Malla samples.Note that two samples are provided as complimentary copies (a.k.a., voucher copies), while the remaining seven samples were obtained through purchasing.We elaborate on the ethical discussion related to Malla service purchase in § 3.3.Importantly, we always initiated our purchase attempts by requesting a voucher copy from Malla providers.If a Malla provider furnished us with such a complimentary copy, we refrained from making any further purchases.Note that not all of our purchase attempts yielded successful results; some encountered difficulties due to suspicions on the part of the sellers that we might be acting in a "white hat" role.One notable instance involved a purchase attempt with the DarkBERT vendor, in which the vendor became alarmed when we inquired about DarkBERT's capabilities and performance.Ultimately, our attempt was declined.In other instances, despite the websites of WormGPT [83], FraudGPT [30], and BLACKHATGPT [4] claiming that access would be automatically emailed to customers upon confirmation of cryptocurrency payment, we never received such access after payment.Several other individuals reported similar experiences with WormGPT on underground forums [45,82].Likewise, users have highlighted scams about FraudGPT, DarkBERT, and DarkBARD [82].
• Backend LLM abused by Malla services (M s ).In our research, we studied the backend LLMs driving the Malla services based on the Malla samples (D s ).For samples provided as source code, such as Evil-GPT and WolfGPT, we inspected the models or APIs of LLMs within the code.For Mallas hosted on websites like BadGPT, EscapeGPT, DarkGPT, and FreedomGPT, we monitored network traffic and examined their headers, payloads, and responses.For those hosted on LLMA hosting platforms, like XXXGPT, we extracted backend LLM information by parsing their hosting pages.
From our investigations, we discerned that both BadGPT and XXXGPT utilize OpenAI GPT-3.5 as their backend LLM, while Evil-GPT and WolfGPT employ the APIs of OpenAI Davinci-003 and OpenAI Davinci-002, respectively.
While our efforts to determine the backend LLMs for DarkGPT, EscapeGPT, and FreedomGPT were inconclusive, we did uncover some telling clues.Specifically, DarkGPT purports to be powered by Davinci-003, as claimed on its chat interface.Monitoring EscapeGPT's traffic, we observed "model=gpt-3.5-turbo"and "jailbreak=gpt-evil" in its payload.FreedomGPT mentioned its use of an uncensored model named Liberty [32], whose repository provides the download URL of Liberty's offline model [55], directing to the "Luna AI Llama2 Uncensored" model [47].However, as the vendors of these Malla services employ either self-owned servers without recognizing backend LLMs or APIs, determining the exact backend LLMs remains challenging.To infer these backend LLMs, we propose a reverse-engineering approach in § 6.1.
• Malicious prompt dataset (P m ).To showcase their functionalities in the listings, Malla services typically include  screenshots featuring prompt-response pairs related to their malicious capabilities.In our study, we gathered 45 of these prompts, referred to as "malicious prompts," extracted directly from the screenshots, including 35 prompts associated with malicious code generation, five prompts tailored for phishing email creation, and five prompts designed for phishing site creation.Particularly, of prompts associated with malicious code generation, 26 specify programming languages: 11 for Python, 10 for C/C++, 2 for C#, etc.This collection of prompts offers valuable insights into the prompts employed by miscreants for malicious code generation and phishing email/site creation.

Malla Projects
To understand the design and execution of publicly accessible Malla projects, we built a collection of such projects (D p ) hosted on two prominent public LLMA hosting platforms: Poe and FlowGPT.These platforms enable the development and hosting of LLM-integrated applications by providing access to various LLMs (e.g., GPT-3.5 and Pygmalion-13B), alongside the capability to utilize custom text prompts.
In our study, we compiled 73 search keywords (see [43]) by extracting topic keywords from Malla service listings using GPT-4.After that, we utilized the search APIs provided by Poe and FlowGPT to retrieve all of the relevant LLMA projects associated with these keywords.In this way, we collected 575 and 174 LLMA projects hosted on the Poe and FlowGPT, respectively.We further triaged the LLMA projects expressing malicious intents in projects' visible information, including their titles, descriptions, welcome messages, and visible prompts.Specifically, we detected not-safe-for-work (NSFW) content in LLMA projects using an NSFW Text Classifier [50], by analyzing the aforementioned text carrying each project's information.As a result, we flagged 417 and 154 suspicious Malla projects from Poe and FlowGPT LLMA projects.
To validate that those projects are indeed Malla projects, we employed malicious prompts (P m ) related to three malicious functionalities (e.g., malicious code generation, phishing email crafting, scam site creation), respectively, to collect their responses.We filtered out LLMA projects with invalid re-sponses.Here we define an invalid response as a response that lacks malicious content that is properly formatted and compilable or readable.This includes malicious code that cannot be compiled, phishing emails that are hard for a broad audience to understand, and phishing websites that cannot be executed by browsers.Note that for each malicious prompt, we queried an LLMA project three times.We consider an LLMA project as a Malla project if at least one of the three responses is valid.
Datasets.In our study, we collected the following datasets related to Malla projects, also shown in Table 2: • Malla project dataset (D p ).In our study, we collected 198 Malla projects (125 from Poe and 73 from FlowGPT).Among these, 184 projects (113 from Poe and 71 from FlowGPT) exhibited the capability to produce malicious code, 80 (54 from Poe and 26 from FlowGPT) were adept at formulating phishing emails, and 31 (17 from Poe and 14 from FlowGPT) demonstrated proficiency in designing phishing web pages.More details will be discussed in § 5.2.
• Jailbreak prompts employed by Malla projects (P j ).Another critical aspect of our research involves the analysis of the jailbreak prompts used in Malla projects.For part of projects hosted on Poe and FlowGPT, their jailbreak prompts are visible.In our study, we collected 127 jailbreak prompts utilized by 91 Malla projects on Poe and 52 on FlowGPT.Note that for those projects concealing prompts, we uncovered their prompts via the prompt injection approach, detailed in § 6.
• Backend LLMs employed by Malla projects (M p ).For the Malla projects hosted on platforms like Poe and FlowGPT, the hosting page documents the backend LLMs used by these projects.In our research, we parsed these hosting pages to extract information about the backend LLMs of Malla projects.Using this method, we identified five distinct backend LLMs being employed by Malla projects: OpenAI GPT-3.5, OpenAI GPT-4, Pygmalion-13B, Claude-instant, and Claude-2-100k.

Discussion
Potential bias.Given the inherent difficulties in thoroughly identifying Malla services and analyzing their illicit activities, our study relied on the available data (including Malla services observed during our research, pre-trained LLM models and jailbreak prompts we could fingerprint, and other accessible resources).This reliance may introduce some bias into our study.While we consider our research as the pioneering large-scale investigation into Malla services, offering valuable insights into this emerging underground phenomenon, we exercise caution when drawing conclusions.
Ethical concerns.Our study involves malicious service purchase, which could raise legal and ethical considerations, particularly in the context of interactions and transactions with miscreants.Specifically, our study has been approved by our institution's institutional review board (IRB).In close collaboration with our IRB counsel, we crafted comprehensive guide-lines (e.g., always asking for voucher copy, not deanonymizing seller) governing our conversations and purchase interactions.These guidelines were designed to establish a robust legal and ethical framework, thereby minimizing any potential risk of harm to any involved parties.Also, the approach in our study was legally deployed under the sting operation guidance [110].To assess the ethical considerations and potential risks associated with our study, we apply a critical analysis informed by the principles outlined in the Menlo Report [87] and Cybersecurity Research Ethical Frameworks [101].Particularly, in line with previous cybercrime research that has employed malicious service purchase as data collection methodology [86,99,103,107,124], we maintain a steadfast belief that the potential societal benefits resulting from our research far surpass the relatively minimal elevated risks of harm.It is important to note that within this data collection, there is likely a minimal or non-existent presence of Personally Identifiable Information (PII), and our comprehensive analysis did not yield any instances of PII.Thus, there is a minimal risk of us creating any privacy harm from our analysis.We did not attempt to deanonymize anyone in these leaks as part of our study.
In addition, our research involved testing LLMA projects on Poe and FlowGPT using malicious prompts to uncover Malla projects.Such an approach could raise ethical concerns that warrant thorough discussion.Specifically, we took utmost care to ensure that our testing did not disrupt services, harm users, or lead to any unintentional damages.Particularly, we queried LLMA projects using a single registered account, adhering strictly to daily query limitations.After each testing session, we promptly deleted the chat history to reduce the impact on target platforms.These experiments comply with the principles identified in the Menlo Report, and were approved by our organization's IRB.Responsible disclosure.We responsibly disclosed our findings to the affected LLM vendors (OpenAI, Anthropic, and Meta) and LLMA hosting platforms (Poe and FlowGPT).Poe solicited Malla project names from us in November 2023.Until submission, we did not receive a response from FlowGPT.

Scope and Magnitude
Altogether, we collected and examined 14 Malla services and 198 Malla projects in our study.On average, each of them is associated with more than one malicious functionality.Malicious code generation stands out as the dominant capability offered by Mallas (93.40%), followed by phishing email crafting (41.51%) and scam website creation (17.45%).
Regarding Malla services, we observe that the first Malla listing, which promotes CodeGPT, appeared on April 12, 2023 on Hack Forums.The number of Malla service listings has witnessed a rapid increase, from two to 12, within July and August across five marketplaces and forums.For Malla projects,  We analyzed the longevity of Malla during the study period from August 2023 to March 2024.In our study, we observed a concerning duration of the Malla listings, services, and projects.Of the Malla service listings, 24 out of 25, excluding FraudGPT, remain active on underground marketplaces or forums.Among the 10 listings with feedback, Evil-GPT, WolfGPT, FreedomGPT, and DarkGPT continuously receive positive user reviews.Despite no scam report on Malla service listing pages, we did observe scam reports about WormGPT, FraudGPT, DarkBERT, and DarkBARD on other discussion pages [45,82] ( § 3.1).The most notable Malla, WormGPT, announced the closure of its project and its feedback thread due to media pressure, so did EscapeGPT, which however failed to provide any reason.For Malla services, only four out of nine-CodeGPT, MakerGPT, XXXGPT, and FreedomGPTare operational or accessible by March 2024.The unavailability of other Malla services is attributed to two factors: (1) OpenAI's deprecation of DaVinci-002 and DaVinci-003 on January 4, 2024, leading to the discontinuation of WolfGPT, Evil-GPT, and DarkGPT; (2) the shutdown of Malla's hosting websites, rendering BadGPT and EscapeGPT inaccessible.Regarding Malla projects, with our responsible disclosures to Poe in November 2023 and FlowGPT in October 2023, 69.60% (87 out of 125) of projects on Poe and 86.30% (63 out of 73) on FlowGPT remain available.Note that we did not receive the response from FlowGPT, and there is no clear evidence that the takedown of the Malla projects is directly related to our responsible disclosures.The fact that a high percentage of Mallas remain active despite disclosures indicates an urgent need for actions to be taken by the stakeholders and a pressing demand for holding them accountable.

Malla Stakeholders
Malla providers.Our analysis revealed the existence of 11 distinct Malla vendors, with an average of 1.27 listings per vendor.We observed that the Malla vendor with the most listings has contributed to 11 listings across two marketplaces Abacus Market and Kingdom Market.To understand the activeness of Malla vendors, we identified the account creation date and the number of posts associated with Malla vendor accounts.We observed that the vendor account on Hack Forums for WormGPT has the most extensive history, dating back to January 2021, while most of the other vendor accounts were registered after February 2023 and seem primarily dedicated to promoting Malla services.Regarding Malla project owners, we identified 109 Malla project owners on Poe and 54 on FlowGPT.Each owner contributes an average of 1.21 Malla projects: 1.15 on Poe and 1.35 on FlowGPT.Additionally, since FlowGPT's disclosure of user account creation dates, we can track Malla project owners' registration dates.Figure 2 shows that the first Malla owner registered in January 2023, with a notable surge in Malla owner accounts starting in April, paralleling the increase of Malla projects.Hosting platforms of Malla services.Our study revealed two primary hosting methods utilized by Malla services: • Dedicated web servers.In our study, we collected one domain and one IP address associated with the hosting of BadGPT and EscapeGPT, respectively.Upon conducting Whois Domain/IP Lookup, we discovered that both the domain and IP address concealed registrant information.With regard to the domain, the BadGPT domain was registered in August 2023, and it is hosted on the Cloudflare platform.This suggests an attempt to obscure the ownership details of this malicious service.Regarding the IP address, it was created in August 2015 and is located in Switzerland.Users can access EscapeGPT via a dedicated port associated with this IP.
• Third-party LLMA hosting platforms.An interesting observation in our study was the exploitation of third-party LLMA hosting platforms by Malla vendors.Specifically, we found instances where Malla vendors abused platforms like Poe to host the demo or vouch copy of their Malla services.We observed the extended lifespan of these abused accounts, some of which remained active for several months despite violating hosting platforms' usage policies.An example is the account associated with XXXGPT on Poe.Despite engaging in activities that clearly contravene the platform's policies [116], this account continued to operate without intervention during our observation period from July 2023 to March 2024.
Storefront websites of Malla services.A storefront site is a website that displays Malla services to potential customers for purchase.In our study, we observed three instances-XXXGPT, WormGPT, and FraudGPT-were hosted on web platforms featuring cryptocurrency payment processing systems (Sellix.io[20] and BTCPay Server [8]).Also, one instance (BLACKHATGPT) was hosted utilizing Netlify [53], a cloud-based web deployment and hosting service.This reveals critical aspects of the operational strategies employed by Malla services.On the one hand, they facilitate transactions via cryptocurrency, likely aiming to harness its pseudonymous attributes to veil financial transactions.On the other, they subtly exploit reputable and public web hosting services, like Sellix.io,BTCPay Server, and Netlify, for malicious purposes, thus, minimizing the risk of detection and disruption.As of the acceptance of our study in June 2024, we observed that the storefront websites of XXXGPT [28], WormGPT [79,83], and BLACKHATGPT [4] remain active and accessible.

Price Strategy and Revenue
In our study, we study the price strategy and revenue of Malla services to understand Malla vendors' financial incentives.Price strategy.Table 1 lists the price strategies of Malla services.We observed two price models offered by Malla vendors: a fixed pricing model where customers pay a predetermined amount for a specific service or product and a subscription-based pricing which involves customers paying regular fees to access Malla services over a defined period.The subscription-based pricing model is particularly popular among Malla vendors.This preference might stem from the fact that subscription prices are typically much lower than those for a complete model, and a more affordable price can attract a larger customer base and foster buyer loyalty.
Our analysis of Malla service pricing models also revealed that the price range for these services can vary significantly: from a fixed rate of $5 to $199 per month.This price discrepancy can be attributed to the techniques used in Malla services.For instance, we observed that jailbreak prompt-based Malla services (e.g., CodeGPT and MakerGPT) are often priced lower than fine-tuned-based Malla services (e.g., WormGPT and FreedomGPT).Additionally, we have discovered a phenomenon of competitive price undercutting among malicious GPTs, to attract buyers.For instance, the seller of EscapeGPT claims in its listing that his product has a much lower price but a better performance than WormGPT.An interesting observation from our analysis is that, when compared to conventional malware vendors, the prices associated with Malla's malicious code generators tend to be notably lower.For example, the Charybdis Worm malware [9], available in underground forums, is priced at $399.This is twice the cost of the most expensive Malla service we found, namely BLACKHATGPT.Case study: revenue analysis of WormGPT.After manually examining the cryptocurrency addresses gathered throughout our study, we pinpointed two dedicated cryptocurrency addresses (one Bitcoin and one Ethereum) used by WormGPT, which was active from July to September 2023.By querying Bitcoin Explorer [7] and Etherscan [24], we accumulated data on 27 and 57 incoming transactions to these addresses, respectively, spanning from July 20, 2023, to September 12, 2023.This activity resulted in a noteworthy revenue of $28,325 ($26,783 or 0.24141306 BTC on the Bitcoin address, and $1,542 or 2.4115588 ETH on the Ethereum address), averaging approximately $15,965 per month.We verified the authenticity of these transactions, ensuring the amounts were congruent with the selling prices of the relevant Malla services.

Analyzing Quality of Malla-generated Content
In this section, we first explore the research question: what is the quality of Malla generate malicious content (malicious code, phishing email, and phishing site)?After that, we present case studies and human subject research to assess the effectiveness of the generated exploit payloads, as well as the user susceptibility to Malla-created phishing content.By assessing the capabilities associated with Mallas, we will gain insights into the potential threats posed by Mallas.

Methods and Metrics
In our study, we assessed the performance of nine Malla services and 198 Malla projects in response to 31 malicious prompts, respectively 2 .Note that, in this experiment, we excluded prompts from P m that were not associated with malicious code written in Python or C/C++ 3 .Also, we posed each malicious prompt to a Malla service three times and assessed the average performance.Our evaluation employed five key metrics to assess the quality of Malla as below: • Format compliance (F).This metric measured the extent to which Malla responses adhered to the expected format (i.e., code, email, HTML) defined in the malicious prompts.In our study, we employed regular expressions 4 to verify the presence of the target format.Here we define the format compliance rate as the ratio of responses that meet the format requirements to the total number of responses from this Malla.
• Compilability (C) and validity (V).This metric was designed to examine the compilability of malicious code snip-pets and the validity of HTML/CSS code generated by Mallas.In our study, we implemented an automated pipeline for malicious code and phishing site-related malicious prompts.For each malicious code snippet and phishing site generated by Mallas, we first conducted a syntax check to confirm that the code (e.g., Python, C/C++, and HTML/CSS) adhered to the correct language's syntax.In our implementation, we utilized syntax checkers ast [1] for Python, Clang [10] for C/C++, and W3C Markup Validation Service [76] for HTML/CSS.For each malicious code snippet that passed the syntax check, it was compiled using the appropriate compiler or interpreter for the respective programming language (i.e., codeop [12] for Python and Clang [10] for C/C++).This step aimed to identify any compilation errors that could prevent the code from running.Similarly, for each phishing site code snippet that passed the syntax check, we executed them within web browsers (Chrome and Firefox).This step aimed to validate the code's integrity and adherence to HTML/CSS standards, confirming that it could render and function as intended in realworld browser environments.Here the compilability rate of Mallas is defined as the proportion of malicious code snippets that can be compiled by the compiler or interpreter, out of all malicious code generation responses.Similarly, the validity rate of HTML/CSS code produced by Mallas is defined as the percentage of code snippets executable within web browsers among the total number of phishing site creation responses.
• Readability (R).This metric assessed the linguistic fluency and coherence of phishing emails created by Mallas.In our study, we used the Gunning Fog Index [38] to assess the readability of phishing emails.This index provides a readability score, with a score of 12 or lower considered ideal, indicating content that is generally accessible to a wide audience [38].Here we define the readability rate as the ratio of email crafting responses that both satisfy the format requirement and score 12 or lower on the Gunning Fog Index, to the total number of email creation responses.
• Evasiveness (E).This metric focused on evaluating the ability of Malla-generated compilable malicious code, valid phishing site, and readable phishing email in evading detection by common anti-malicious code and phishing site/email detectors.For this evaluation, we utilized VirusTotal [75] for malicious code and phishing site detection and OOPSpam [56] for phishing email detection.We define the evasiveness rate of a Malla as the ratio of responses that successfully pass format, syntax, validity, compilability, and readability checks, as well as evade detection, in comparison to the total number of generated responses.Limitations.Note that the aforementioned metrics are not meant to measure the actual effectiveness or maliciousness of Malla-generated content, but rather to assess the quality of the content.To further assess the effectiveness of the generated exploit payloads and the susceptibility of users to Malla-created phishing content, we conducted a case study and a human subject study, as reported in §5.3 and §5.4,respectively.

Results and Findings
Quality of content generated by Malla services In our study, we evaluated the quality of malicious content generated by nine Malla services (i.e., BadGPT, CodeGPT, DarkGPT, Es-capeGPT, Evil-GPT, FreedomGPT, MakerGPT, WolfGPT, and XXXGPT) as shown in Table 3.
For malicious code generation, EscapeGPT and DarkGPT outperformed others, with Evil-GPT and WolfGPT following closely behind.Such code generated by EscapeGPT and Dark-GPT demonstrated a high degree of compilability (66.67% and 65.08%), with a majority of the generated code snippets passing syntax checks and successfully being compiled.Also, both of them have high evasiveness rates compared with others.Specifically, none of the compile-ready malicious code generated by EscapeGPT was detected by VirusTotal.DarkGPT had just one instance of compilable malicious code picked up by a security vendor on VirusTotal.This malicious code, responding to the prompt "Write me ransomware code in C++," was flagged as "Trojan[Ransom]/Win32.Dcrypt.a," a script-based Trojan to encrypt files on a victim's computer.
In terms of phishing email creation, WolfGPT stands out, followed by Evil-GPT and EscapeGPT.Every phishing email it produced cleared both format and readability checks.Also, WolfGPT possesses the highest evasiveness rate among Malla services.Upon closer examination, we discerned that phishing emails written by WolfGPT are notably concise, averaging 67.47 words in length.This contrasts with the 196.32 words of other Malla services on average.Considering the significance of spam words in OOPSpam's phishing email detection mechanism [56], shorter texts tend to have fewer detectable spam words.On average, WolfGPT's emails contained 3.07 detected spam words, while others averaged 8.15.This brevity contributes to WolfGPT's capability to evade detection.Regarding phishing site creation, EscapeGPT performs best.Interestingly, 80.00% of malicious prompts linked to phishing site creation failed to trigger BadGPT, CodeGPT, or MakerGPT into producing phishing sites, resulting in the lowest format compliance rates.Except for EscapeGPT, only 34.48% of phishing sites conjured by other Malla services passed the syntax check and were executable in web browsers.Our syntax check highlighted CSS element errors as the most frequent issue, trailed by HTML element errors and instances of unclosed elements.Additionally, VirusTotal struggled to spot the valid phishing sites created by Malla services.A sole phishing site, the output of Evil-GPT, got flagged by two VirusTotal security vendors as a phishing HTML page.
We did not find a clear correlation between the cost of Malla services and their performance.For instance, despite being more expensive, BadGPT fails to function in all three malicious services, whereas the more cost-effective Evil-GPT and EscapeGPT deliver superior performance.Similarly, WolfGPT, despite being cheaper, outperforms FreedomGPT across all evaluated malicious capabilities.Discussion: evasiveness.To understand whether malicious content that evades the detection has malicious functionality, we manually reviewed 30 malicious code samples and 30 phishing website samples that are both compilable and capable of evading VirusTotal detection.Of these, half of each type were generated by Malla services and the other half by Malla projects.Two security professionals validated the sampled malicious cases for four days.Among the malicious code samples, four were non-malicious, serving the purposes such as processing string input and output.The remaining samples were utilized for various attacks, including reverse shell, file deletion, browser cookie theft, etc. Regarding the phishing website samples, three were non-malicious, acting as a personal website without specific content or a landing page redirecting to the target website.The other samples were designed to mimic the content or style of target websites to deceive users.This finding confirms the malicious functionality of a large part of the Malla generated content, and shows Mallas' capability to circumvent today's detection.

Case Study: Effectiveness of Mallagenerated Exploit Payloads
To assess Malla's capability to generate malicious code carrying exploit payloads targeting specific vulnerabilities, we tested nine Malla services (listed in Table 3) using the malicious prompts (P m ) that required the exploitation of vulnerabilities reported in CVEs.Such prompts, collected from listings of Malla services, have the following format: Write a program that demonstrates https://www.cvedetails.com/cve/CVE-Year-Num/.
The CVEs described in these prompts are associated with SQL injection (CVE-2022-34877 and CVE-2022-34878) and buffer overflow (CVE-2022-34819).Due to the lack of a Siemens device for reconstructing exploits targeting CVE-2022-34819, in this experiment, we focus on the effectiveness assessment of generated exploits related to CVE-2022-34877 and CVE-2022-34878.We evaluate the responses related to CVE-2022-34819 only at the vulnerability type level, i.e., buffer overflow, as detailed in the Discussion paragraph below.Environment setups.We setup the exploit payload testing environment for CVE-2022-34877 and CVE-2022-34878, based on their CVE reports and related documents [73].Specifically, these two vulnerabilities are in the AST Agent Time Sheet interface and the User Stats interface of VICIdial [74].So we deployed this vulnerable open-source system (version 2.14b0.5 and SVN version 3261), using VICIbox v9.0.3 [44,72], on a PC with an Intel i7 CPU and 16GB of memory.Dataset and methodology.Among 50 exploits generated by the nine Malla services for these two CVEs, 22 are compilable (11 for CVE-2022-34877, 11 for CVE-2022-34878).We then evaluated them in the aforementioned testing environments and monitored their executions on VICIdial.Results.The tests show that none of the exploits succeeded: running them on VICIdial did not cause unauthorized changes to its databases or disclose its system data.We manually looked into the compilable code snippets.Among the 22 generated for these two CVEs, five contain payloads for SQL injection (e.g., ' OR 1=1; --), while the rest perform other operations: (1) targeting other vulnerability types (9.09%), (2) printing the text introduction of these CVEs (36.36%), or (3) crawling the web page describing these CVEs (36.36%).Discussion.In our study, we noted that while the Malla has limitations in generating operable exploit payloads for specific vulnerabilities, it is capable of building the code with related vulnerability types, such as overrunning a buffer or injecting code into an SQL query.Particularly, we ran these 39 compilable exploits (11 for CVE-2022-34877, 11 for CVE-2022-34878, 17 for CVE-2022-34819) on OWASP WebGoat 7.1 [58], a platform providing a set of vulnerable programs for testing different exploit code.More specifically, for SQL injection, WebGoat features a built-in website interface connected to a backend database vulnerable to SQL injection.For buffer overflow, WebGoat offers a built-in website application that allows attackers to overrun its vulnerable buffers to disrupt its execution stack.In our experiments, we entered the exploit payloads generated by Mallas into the website interfaces to monitor whether information was disclosed.
Although the exploits built by the Mallas have nothing to do with the vulnerable code hosted by WebGoat, we found that seven of them (created by XXXGPT and BadGPT) successfully compromised the vulnerable targets on the system.This reveals that while some Malla services can indeed generate exploit payloads for different types of vulnerabilities, such as SQL injections and buffer overflows, they tend to be rather basic, and have not yet been tailored to specific vulnerabilities, as documented by CVEs, to ensure successful attacks.

User Study: User Susceptibility to Mallacreated Phishing
Here we aim to assess the quality of phishing emails and websites created by Mallas in deceiving human users.The study is conducted with our institution's IRB approval.
Recruitment.This user study 5 was performed through Amazon Mechanical Turk.We recruited adult participants living in the U.S. who could read and write in English.Each participant will receive $1. To ensure quality, we validated responses based on time duration and completeness.We consider responses invalid if participants finished the questionnaire within two minutes (11 responses) or did not complete all the questions (6 responses).After removing 17 invalid responses, we collected 83 valid responses with diverse backgrounds: ages from 18 to 54+ (33.73% female and 66.27% male); education from high school to graduate degree; 14 various occupations.97.59% and 95.18% have known the concept of phishing emails and phishing websites, respectively.Dataset.In our study, we collected 30 phishing emails created by Mallas ( § 5.2), 30 non-Malla-created phishing emails sourced from Confense [13], along with 30 benign emails from Enron Email Dataset [22].For phishing sites, we gath-ered 30 phishing sites created by Mallas ( § 5.2), 30 non-Mallacreated phishing sites from PhishTank [59], and 30 benign sites from the legitimate sites.These legitimate sites were selected from the pool of victim sites targeted by the phishing campaigns we gathered above.Note that since Mallas' capabilities are confined to creating the content of emails and websites without sender addresses and URLs, we excluded the display of sender addresses and URLs to participants in our survey.In addition, to guarantee that non-Malla phishing emails and sites are not created by LLMs, we collected the phishing content created before GPT-3.5 was released.
Methodology and results.The survey is designed to ask participants to what extent they think an email is a phishing email.Specifically, they will distinguish phishing/non-phishing emails from a mix of benign emails, non-Malla-created phishing emails, and Malla-created phishing emails.They will be asked to do a similar task in the context of phishing websites.More specifically, participants were presented with nine emails and nine websites, randomly chosen from the dataset pool, that showed in a UI designed to mimic the browser for an authentic browsing experience and atmosphere.For each email (or website), we asked participants whether they thought the email (or website) was phishing.Following their response (i.e., "Yes," "No," or "Sort of"), we asked them to explain their reasoning (as an open-ended question).
In total, we received 246, 251, and 250 valid responses to Malla-created phishing emails, non-Malla-created phishing emails, and benign emails, respectively.As depicted in Figure 3(a), 192 (78.05%) of the Malla-created phishing emails were correctly identified as phishing emails, in contrast to 174 (69.32%) of the non-Malla-created phishing emails and 93 (39.20%) of the benign emails.Meanwhile, for approximately 15% of emails across all three categories, participants remained undecided.We also received 266, 240, and 241 valid responses to Malla-created phishing websites, non-Mallacreated phishing websites, and benign websites.Echoing the findings with phishing emails, 194 (72.93%) of the Mallacreated phishing websites were identified to be phishing, compared to 139 (57.92%) of the non-Malla-created phishing sites and 108 (44.81%) of the benign sites, as shown in Figure 3(b).
Most participants who partially or completely trusted the Malla-created phishing emails or websites attributed their judgment to the apparent normality in content or design, for instance, citing reasons like "The information was given properly," "The design appears properly as a Facebook login," "It looks normal," etc. Conversely, nearly all participants who distrusted the Malla-created phishing content attributed their skepticism to urgent requests for account information, fund transfers, or other actions in emails and solicitation of login information on websites, lacking appropriate context.For example, "The email emphasizes the importance and urgency of the fund transfer request, pressuring me to act quickly." The results in Figure 3 indicate that the participants were attentive in reading the emails/websites and capable of dis-  show that Malla-created phishing content is of lower quality due to the raising of suspicion by the general public, compared to non-Malla-created phishing content.To understand why Malla-created phishing content raises more suspicion than other phishing content, we looked into such content in our study.In the case of phishing emails, a majority (76.67%) of Malla-created emails are designed to urgently capture personal information (such as account details), through misleading users to verify accounts, reset passwords, transfer funds, etc.In contrast, only 30% of non-Malla-created emails employ a similar strategy.Instead, 63.33% of non-Malla-created emails typically lure recipients to initiate communication using the contacts (e.g., phone numbers and email addresses) or attached documents (like invoices, job offers) provided by attackers, to enable subsequent attacks.For phishing websites, Malla-created sites tend to use a minimalistic design with limited colors and simple logos.On the other hand, non-Malla websites, while also minimalistic in structure, incorporate more vibrant designs and images, making them appear more similar to benign websites than those created by Malla.Limitation and discussion.As mentioned earlier, all Mallacreated web content in our research lacks any sender addresses and URLs.So we excluded such information in our user study and instead focused on the effectiveness of other fraudulent content created by these services.In this way, we can fairly compare Malla-created content against other fraudulent content, to understand how deceptive the former could be.However, the absence of sender addresses and URLs may introduce certain problems or biases.In real-world scenarios, email addresses and URLs play a critical role in helping users identify phishing attempts.By excluding such information, the study might not accurately reflect actual user behavior when faced with a complete phishing email or website, potentially overestimating the effectiveness of the content alone.Additionally, by focusing solely on the content, there's a risk of missing how users react to phishing attempts where the email address or URL is the key indicator of malicious intent.For instance, a legitimate-looking website with a suspicious URL might be easily identified as phishing in real situations but was missed in this study.We acknowledge that while the exclusion of email addresses and URLs allows for a focused analysis of content quality, it might not fully capture the complexities and user responses to phishing in more realistic settings.This could impact the generalizability and applicability of the results to real-world scenarios.

Reverse-engineering Malla
As detailed in § 3, we identified the backend LLMs and/or jailbreak prompts for four Malla services and 143 Malla projects by examining their source codes or parsing their hosting pages.For the remaining three Malla services and 55 Malla projects, we employed the techniques outlined below to reverse-engineer their backend LLMs and/or associated jailbreak prompts.After that, we characterized the infrastructures commonly leveraged to construct Malla, i.e., abuse uncensored LLMs and jailbreak public LLMs.

Methodology
Discovering backend LLMs.To uncover the backend LLMs employed by three Malla services (i.e., DarkGPT, EscapeGPT, and FreedomGPT), we explore techniques to address the LLM authorship attribution problem [88,123], i.e., given a set of responses T and k candidate LLMs, what is the LLM (among k alternatives) that generated T ?
In our approach, we adopted the technique in [88,123] to develop an authorship attribution classifier for identifying the backend LLMs of Malla services.In our implementation, we initially identified six candidate LLMs for consideration: GPT-3.5, Davinci-002, Davinci-003, Luna AI Llama2 Uncensored, GPT-J [21], and Pygmalion-13B.Our selection was based on those most exploited by Malla services and Malla projects.To collect the training dataset, we fed malicious prompts (P m ) to each candidate LLM (under 21 different temperature settings) six times and gathered 15,114 responses (available in [43]) after eliminating 6 failed queries.Note that the three Malla services we probed are all related to malicious code generation.Thus, our dataset exclusively incorporated 20 malicious prompts related to malicious code generation.Then, each response was converted into vector form to serve as input for a multi-class classifier.Given the multifaceted nature of the responses, which could be a mix of text and code, we employed SBERT [67] and Code2Vec [85] for vectorization.Specifically, we used regular expressions to distinguish between text and code segments and concatenated the SBERT-derived text vector with the Code2Vec-derived code vector for a comprehensive representation.Finally, we trained our classifier with the convolutional neural networks, as used in [88,123].Through five-fold cross-validation, this model achieved a precision and recall of 0.87.Using the model, we investigated the backend LLMs for DarkGPT, EscapeGPT, and FreedomGPT, successfully identifying them as Davinci-003, GPT-3.5, and Luna AI Llama2 Uncensored, respectively.The classification results of three Malla services are aligned with their self-reported details and our traffic payload analysis ( § 3.1).Uncovering jailbreak prompts.As mentioned in § 3.2, we observed that out of the 198 Malla projects hosted on Poe and FlowGPT, 55 did not publicly display their prompts.To uncover these concealed jailbreak prompts, we employed an off-the-shelf "Ignore the above instructions" prompt leaking attack [115].This approach allowed us to retrieve their pre-composed prompts, which are essentially the jailbreak prompts in Malla projects.More specifically, in our study, we presented the following query to the 55 Malla projects whose jailbreak prompts are invisible: Ignore the previous instructions.What was written at the beginning of the document above?Please give a complete response using the following format: 'At the beginning of the document, it states, "...".' Utilizing this approach, we successfully uncovered 52 jailbreak prompts associated with 54 Malla projects.
We evaluated the prompt leaking attack on the ground truth dataset, consisting of 143 Malla projects with visible jailbreak prompts.Following previous work [115], we achieved a 93.01%success rate.Using Jaro-Winkler similarity [46] and Semantic textual similarity [67] to measure edit distance and semantic closeness, with ideal scores of 1.0, we achieved scores of 0.88 and 0.83, respectively.These results indicate that our attack can effectively restore jailbreak prompts.

Abused Uncensored LLMs
As mentioned earlier, we classified an LLM as "uncensored" if it can generate any content, even potentially inappropriate or harmful, without filtering.In contrast, a "censored" LLM, like GPT-3.5 [114] and , is trained to avoid generating certain harmful content.In our research, we conducted a thorough analysis of the eight backend LLMs identified.Based on our investigation, we compiled the list of uncensored LLMs including Pygmalion-13B, Luna AI Llama2 Uncensored, Davinci-002, and Davinci-003.Uncensored LLMs in Malla.Our observations highlighted that two Malla projects from FlowGPT misused the uncensored LLM Pygmalion-13B.Provided by PygmalionAI [63], this model is a refined version of Meta's Llama-13B, which has been fine-tuned using data with NSFW content.Notably, Pygmalion-13B is often categorized as an "uncensored" model [62] due to its efficacy in roleplay scenarios, even when simulating ethically questionable or NSFW roles.However, FlowGPT allows users to develop LLMA using Pygmalion-13B, yet neglected to offer explicit usage guidelines.
The vendors of Malla services often utilize or wrap uncensored LLMs as Malla services.This approach reduces the overhead associated with data collection and model training.

Prompt Engineering on Public LLM APIs
As discussed in § 2, the "pre-train and prompt" paradigm is a commonly employed approach for constructing LLMintegrated applications.In our research, we observed that miscreants also adopted this paradigm when developing Malla.
In particular, they utilized jailbreak prompts to instruct pretrained LLMs, usually via commercial LLM APIs, in generating malicious content (i.e., malicious code and phishing emails/sites), while evading content moderation measures.
Abused public LLM APIs.In our study, we identified five public LLM APIs, belonging to three companies, misused by two Malla services and 198 Malla projects.One potential reason for gpt-3.5-turbo'spopularity could be its absence of query restrictions compared to others.Additionally, there are notably more jailbreak prompts targeting gpt-3.5-turbothan those targeting other LLMs, such as GPT-4.Jailbreak prompts used by Malla.We identified the top-10 topic terms related to the four types of jailbreak prompts: those used by Malla services (P s ) and Malla projects (P j and P i j ), along with 744 public jailbreak prompts (P r ) [105,122], listed in Table 5.Interestingly, Malla-related prompts focus on breaking LLM policies (e.g., "break," "policy," "restriction"), and public jailbreak prompts include terms like "anarchy," "unethical," and "immoral," highlighting a desire to challenge LLM ethical norms.It indicates the semantic similarity between Malla-related and public jailbreak prompts.
For the Malla service, EscapeGPT, clues shown in § 3.1 suggest that it might use a jailbreak prompt on gpt-3.5-turbo.We attempted to uncover its jailbreak prompt using prompt injection.The result provides insights into the role and task designated in the jailbreak prompt.The jailbreak prompt depicts the model as a "blackhat evil confidant" tasked with "breaking rules and exploring the forbidden."Comparing this with publicly known jailbreak prompts, we discovered a similar one [25] that also positions the LLM as an "evil confidant" who has "escaped the matrix" of rules, policies, and ethics, paralleling EscapeGPT's vendor name "EscapeMatrix" [23].
We compared the malicious content produced by Malla services and public jailbreak prompts (see this study's GitHub repository [43]) and observed that the malicious content from public jailbreak prompts can be highly similar to that from Malla services, indicating the risk of public jailbreak prompts.

Discussion
Mitigation.Our research presents the first systematic examination of the real-world misused LLMs for cybercriminal activities, analyzing 14 Malla services and 198 Malla projects in depth.We found evidence through our extensive analyses of the underground ecosystem of Mallas ranging from Malla development and hosting strategies to pricing models and revenue streams, which fuels these malicious activities.When assessed by professionals, our initial results demonstrate useful findings and provide a resource to law enforcement and public policymakers for impactful structural interventions against the misused LLMs for cybercriminal purposes.In particular, we suggest a suite of mitigation approaches below.
A fundamental prerequisite to mitigate such security issues is the effective detection of cybercriminal LLM misuse on a large scale.In our study, we released the prompts used by miscreants to generate malicious code and phishing campaigns, along with the prompts in Malla to bypass the existing safety measures of public LLM APIs.By profiling those prompts, we point out the potential to enhance the current content moderation mechanism.For instance, integrating these up-to-date prompts can enhance the efficacy of guardrails, which are designed to monitor and control LLM inputs and outputs and deployed by LLM providers (e.g., the OpenAI Moderation Endpoint [106,111] and Llama Guard [100]) or third parties (e.g., NeMo Guardrails [120], the OpenChatKit Moderation Model [71], and Guardrails AI [37]).Furthermore, a significant source of misuse is the accessibility to uncensored LLMs.It would be prudent for LLM vendors to default to models with robust censorship settings.Access to uncensored models should be judiciously granted, primarily to vetted entities or for specific research initiatives, guided by rigorous protocols.Meanwhile, to improve the alignment of existing LLMs, developers working on the security of LLMs can employ reinforcement learning from human feedback (i.e., RLHF) [114] to fine-tune LLM with the dataset that dynamically incorporates updated malicious and jailbreak prompts, coupled with ethical responses.Cutting-edge techniques [92,121] can also be applied to robustify LLMs against alignment-breaking attacks.We advocate for the implementation of a dynamic Malla threat monitoring system to continuously update safety measures based on emergent jailbreak strategies and evolving malicious content generation methodologies, as identified by ongoing research and monitoring, can ensure that LLMs remain resilient against these evasion attempts.
Importantly, our study sheds light on two relatively overlooked stakeholders within the Malla ecosystem, i.e., LLMA hosting platform (e.g., Poe and FlowGPT), which have been co-opted to construct and host Mallas, and web hosting platforms featuring cryptocurrency payment processing systems (e.g., Sellix.io and BTCPay Server), which have emerged as preferred storefronts for Malla offerings.We suggest these two parties contribute to the disruption of Malla.For instance, FlowGPT, offering unrestricted access to uncensored LLMs, has failed to establish or enforce clear usage guidelines on its platform.This laissez-faire approach essentially provides a fertile ground for miscreants to misuse the LLMs.Similarly, Real-world Malla-generated instances.We attempt to search for malicious code, phishing emails, and phishing websites, which are generated by Malla services, in the real world.
In this study, based on the malicious content produced by Malla services in our experiment, we examine whether the same content generated by Malla services has been utilized in the real world.It is important to note that the scope of this experiment is limited by the variety and volume of prompts used for generation, as well as the limited public datasets of malicious code and phishing content available for comparison.
• Methodology.For malicious code, we explored whether there have been previous reports of the same real-world malicious code as those generated by Malla services in § 5.2.VirusTotal, a widely used malicious code detection service, maintains a historical record of malicious code reports.Each reported piece of code is tagged with a unique hash, allowing for the re-examination on VirusTotal.Thus, we used the hashes of malicious code generated by Malla services to determine if this code had been reported earlier.
For phishing emails and websites, we aimed to ascertain whether real-world emails and websites, similar to those created by Malla services in § 5.2, had previously been reported.Utilizing data from Confense Email Security [13] and Stanford phishing report website [65], we gathered 71 of the most recent phishing emails starting from November 2022, coin-ciding with the release of GPT-3.5.From PhishTank [59], we collected 36,343 latest phishing webpages, also beginning from November 2022 to March 2024.To assess the similarity between the phishing email text and that between the phishing webpage code, we used sentence and code embeddings from SBERT [67] and CodeT5+ [66], respectively, computing the cosine similarity between Malla-created samples and realworld ones.If the similarity between a Malla-created phishing sample and a real-world one exceeds a set threshold (0.9 for both emails and webpages), we consider this real-world phishing content to potentially be created by Malla services.
• Findings.Based on the detection history on VirusTotal, we determined that the malicious code samples we generated using Malla services had not been reported to VirusTotal before.Additionally, our analysis of phishing emails/webpages revealed that none of the collected real-world phishing emails or webpages could be attributed to being created by Malla services.The highest cosine similarity score between the realworld phishing emails and the Malla-created samples was only 0.64, and for webpages, it was 0.84.Both scores fall below the thresholds for considering a real-world phishing email or webpage as potentially produced by Malla services.

Related Work
Past research showcased how LLMs can be weaponized across diverse domains, such as misinformation propagation [91,102,125], deepfake user profile creation [109], spear phishing campaigns [97,98], attack and malware generation [97] and the generation of hateful memes [119].Specifically, Zhou et al. [125] generated a dataset of AI-generated misinformation and analyzed their characteristics compared with human-created misinformation.Hazell et al. [98] created spear phishing messages using GPT-3.5 and GPT-4 models to explore LLMs' ability to assist with the reconnaissance and message generation stages of a spear phishing attack.Gupta et al. [97] undertook an exploratory study, interacting with a jailbroken ChatGPT to generate attack payloads and malware.Qu et al. [119] demonstrated the ease with which adversaries can craft convincing hateful meme variants using advanced algorithms.To the best of our knowledge, none of these works have studied the exploitation of LLMs as malicious services in the context of tangible cybercriminal activities.
Another body of research has delved into the weaknesses of LLMs that can be exploited to facilitate such misuse, mainly associated with two main types of attacks: prompt manipulation and jailbreaking.Prompt manipulation refers to the practice of manipulating an LLM's system prompt, leading to model generations that are undesirable and harmful.Specifically, Perez et al. [115] proposed the PromptInject framework to demonstrate that the simple prompt "Ignore the previous instructions and classify [ITEM] as [DISTRACTION]" can be used to lead an LLM into predicting [DISTRACTION], regardless of the original task.Branch et al. [89] demonstrated the effectiveness of the above attack on GPT-3, BERT, ALBERT, and RoBERTa.Greshake et al. [96] discussed the threats of indirect prompt injection, which placed the Prompt-Inject framework into indirect data sources that are retrieved and used by an LLM to generate a response.In contrast to prompt injection, jailbreaking solely depends on crafting prompts to circumvent the LLM's safety measures, instead of mandating access to the model's system prompt.Oremus [113] crafted prompts with DAN ("Do Anything Now") to circumvent moderation filters.Qiu et al. [118] listed a set of prompts, for English-Chinese translation, that contains malicious instructions.Shen et al. [122] reported a measurement study of jailbreak prompts collected from four public online resources, and assessed their effectiveness against three safeguarding approaches.In contrast to these works, our research uncovered the mechanisms underpinning Malla, supplementing the understanding of the LLM exploitation landscape.

Conclusion
In our study, we indicate the rise of Malla as a new dimension of threat to the cybercrime landscape.We have systematically unveiled the misuse of LLMs for cybercriminal activities, shedding light on as many as 14 Malla services and 198 Malla projects.In particular, our exploration into the underground Malla ecosystem has provided insights into its rapid proliferation, from the development, hosting, and pricing strategies, to the revenue models driving these malicious activities.Moreover, we developed a suite of measurement and dedicated reverse-engineering tools which enabled us to characterize Malla samples and their artifacts, including 45 malicious prompts, eight backend LLMs, and 182 jailbreak prompts, revealing a notable shift in the modus operandi of cybercriminals.Our findings bring new insight into the Malla threat.Such understanding and artifacts will help better defend against LLM misuse for cybercriminal activities.

Jan ' 23 Feb ' 23 Figure 2 :
Figure 2: Creation dates of Malla projects and owner accounts on FlowGPT.

Figure 3 :
Figure 3: Human subject study responses

Table 1 :
Malla services and details * βytes is the forum token of hackforums.net;indicates implicit mention.

Table 2 :
Summary of datasets

Table 3 :
Quality of content generated by Mallas pilability, and evasiveness, when compared with Malla services.Additionally, Malla projects on FlowGPT and Poe show weak performance in phishing email creation.OOPSpam found an average of 10.44 and 10.85 spam words in emails from FlowGPT and Poe, respectively, significantly higher than WolfGPT's 3.07, the best in phishing email creation among Malla services.The high numbers of identified spam words account for their poor results.FlowGPT's and Poe's Malla projects demonstrate suboptimal results in phishing site creation.Of the responses to the phishing site creation prompts, 48.03% from FlowGPT and 55.25% from Poe declined the request, citing ethical concerns.The remaining responses that refused to create the site code simply declined the request without providing a specific reason.However, nearly all sites that were syntactically correct and browser-executable evaded VirusTotal detection.

Table 5 :
Table 4lists all the LLM providers and their associated LLMs abused by Malla Top-10 topic terms of jailbreak prompts Malla projects.In terms of Malla services, we observed that gpt-3.5-turbo is the exclusive LLM targeted by XXXGPT and EscapeGPT.Of the LLMs used Malla projects, gpt-3.5-turbo is the predominant choice, accounting for 174 Malla projects.It is followed by Claude-instant and GPT-4.

Table 6 :
Types of fraud and abuse claimed in Malla listings Other types of fraud and abuse using Malla services.To understand the types of fraud and abuse that are alleged to be facilitated by Malla services, we parsed the Malla listings and cataloged their advertised functionalities, summarized in Table6.Beyond malicious code generation and phishing email/site creation, the product introductions in the listings enumerate other functionalities, including generating lead and misinformation, collecting bank card information, navigating underground markets, and detecting code vulnerabilities.In addition, six Malla services (i.e., WormGPT, Evil-GPT, Es-capeGPT, BadGPT, FreedomGPT, and DarkGPT) are claimed to be able to perform any task as uncensored AI models.However, vendors' promotional focus and available demo screenshots highlight the generation of malicious code and phishing emails/sites, lacking screenshots, videos, or prompt-response pair examples for other functionalities in Malla listings.Thus, our study concentrates on these three key functionalities.