BTS: How Stealers Malware Targets ChatGPT's Credentials

Group-IB's Threat Intelligence platform found compromised credentials within the logs of info-stealing malware traded on illicit dark web marketplaces over the past year.

By employing anti-analysis methods, Stealers aims to remain undetected for extended periods, amplifying the damage it can inflict.

The rise of AI assistants has revolutionized how we interact with technology. Still, it also presents new opportunities for cybercriminals—according to a report by- Group-IB, identified 101,134 stealer-infected devices with saved ChatGPT credentials. The open logs possessing compromised ChatGPT accounts peaked at 26,802 in May 2023. Recently, a sophisticated malware known as "Stealers" has been making waves by targeting ChatGPT credentials. In this article, we delve into the intricate attack techniques employed by Stealers and shed light on the implications for both users and organizations.

Attack techniques and modus operandi

Stealers' malware operates with alarming precision, targeting the very core of ChatGPT's infrastructure. Stealers utilize various attack techniques to compromise credentials, exploiting system vulnerabilities and social engineering tactics to gain unauthorized access. One of the primary methods used is keylogging, where every keystroke the user makes is captured and transmitted back to the attacker. This allows the malware to intercept sensitive information such as usernames, passwords, and other authentication details. 

Additionally, Stealers leverages form-grabbing techniques to intercept data entered into web forms or applications that utilize ChatGPT. This approach enables the malware to capture login credentials in real-time, making detecting the compromise even more difficult for users. The stealthy nature of Stealers is a significant concern for cybersecurity experts.  The malware is designed to evade traditional detection mechanisms, often disguising itself within legitimate files or using obfuscation techniques to conceal its presence. 

"Interest in ChatGPT, from all corners of the web, has been evident for several months. Powerful tools such as these are always going to attract users with both good and bad intentions. We have recently seen evidence that cybercriminals use ChatGPT to craft phishing lures. Getting access to paid accounts, which remove some restrictions, raises rate limits, and uses the most current models, would be attractive to would-be thieves. Cybercriminals have long used information stealers to hoover up as much data as possible, and ChatGPT accounts are now part of the bounty." - John Shier, Field CTO- Commercial, Sophos comments.

Impact on users and organizations

The theft of ChatGPT credentials can have severe consequences for individual users and organizations. For users, compromising their accounts can lead to personal information exposure, identity theft, or financial losses. Furthermore, if users have linked their ChatGPT credentials with other services or platforms, the potential for a cascading effect of compromised accounts becomes a significant concern. By employing anti-analysis methods, Stealers aims to remain undetected for extended periods, amplifying the damage it can inflict.

"Once publicly released, there's not much a user can do to claw their data back. In the case of user accounts, immediately changing the password and turning on multi-factor authentication (MFA) can possibly evict the imposters and prevent future compromise. OpenAI accounts support MFA but only for legacy enrolments. As of 12 June 2023, OpenAI has paused new MFA enrolments. This is incredibly concerning. Not only should this be the default for a modern service, but also because of increased attention by cybercriminals," adds John Shier.

On the organizational front, companies that integrate ChatGPT into their systems may face reputational damage if customer data is exposed. The breach of sensitive information could result in legal liabilities and financial losses and erode customer trust. Moreover, if an organization's intellectual property or proprietary data is accessed through compromised ChatGPT credentials, the impact on competitive advantage and business continuity can be devastating.

Mitigation and prevention measures

To safeguard against Stealers and similar threats, proactive security measures are crucial. Users and organizations must remain vigilant and implement the following best practices:

Enable multi-factor authentication (MFA): MFA adds a layer of security, making it significantly harder for attackers to gain unauthorized access.

Stay updated: Regularly update operating systems, software, and security solutions to ensure the latest patches and security features are in place.

Exercise caution: Avoid phishing attempts, suspicious email attachments, and untrusted sources. Cybercriminals often use social engineering tactics to unknowingly trick users into compromising their credentials.

Implement behavior-based detection: Deploy security solutions that can identify unusual patterns or behaviors, allowing for the early detection and mitigation of potential threats.

The future of AI assistants and security:

The need for robust security measures becomes paramount as AI assistants evolve and become more ingrained in our daily lives. Developers of AI systems, including OpenAI, should collaborate with security experts to conduct comprehensive security audits and implement stringent security protocols. Integrating advanced threat intelligence and behavior analysis algorithms can aid in the early detection and prevention of credential theft.


The targeted attack on ChatGPT credentials by the Stealers malware underscores the importance of cybersecurity in an increasingly AI-driven world. As the boundaries of technology expand, so do the threats that lurk in the digital landscape. Protecting the integrity of AI assistants requires a collaborative effort between developers, security experts, and end-users. To safeguard against the likes of Stealers, implementing multi-factor authentication, staying updated with security patches, and exercising caution online is essential. However, these measures are just the beginning. As AI assistants advance, developers must prioritize security and conduct thorough audits to identify and address vulnerabilities.

The Stealers incident should catalyze the development of robust security protocols encompassing AI systems. AI developers can fortify their platforms against sophisticated attacks by integrating cutting-edge threat intelligence and behavior analysis algorithms. Proactive monitoring and early detection of threats can significantly reduce the risk of credential theft and its detrimental consequences.

Ultimately, the battle against threats like Stealers is ongoing. Still, with continued collaboration and a collective commitment to cybersecurity, we can stay one step ahead, ensuring that the benefits of AI assistants outweigh the risks. The journey towards secure AI assistants begins now, and it is up to all stakeholders to embrace this responsibility and safeguard the future of this transformative technology.


Add new comment