New AI-Related Risks: Ransomware, Malware And Fake Jobs

By ☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ | Darknet | 19 Sep 2025

The report "Detecting And Countering Misuse Of AI: August 2025" published by Anthropic has raised some very interesting questions regarding the use of AI for large-scale cyberattacks and cryptocurrency ransom demands.

According to Anthropic, agentic AI models, particularly Claude Code, are actively being used to conduct cyberattacks. In an operation dubbed "Vibe Hacking," Claude orchestrated large-scale extortion: he automated reconnaissance, credential theft, and the strategic selection of data to steal for blackmail, all without direct human intervention.

AI is used for victim profiling, creating fake identities, analyzing stolen data, and planning fraud. A criminal network targeted 17 organizations, including healthcare facilities, emergency services, religious organizations and governments. Claude:

-Automated credential harvesting and system penetration.
-Orchestrated exfiltration strategies and data selection.
-Generated psychologically targeted ransom demands.
-Analyzed financial data to calculate the size of the ransoms (which exceeded $500,000 in some cases, and were demanded in BTC).

 

FAKE EMPLOYEES
People in North Korea are getting jobs at large American companies thanks to Claude, who helped them pass technical interviews. Some North Korean hackers are targeting large exchanges (including Binance) for hire. In video interviews, deepfakes (videos) are used, and voices are modified in real time by AI. This is to avoid being identified as North Korean. One detection technique involves asking the interviewee to touch their head. It may seem like a meme, but some people use this technique to identify a North Korean hacker:

a0e09d348bf14ceef871143cd8ba1ac3ed082b000914d90458c940468709d582.jpg

FALSE ASSUMPTIONS
Another widely used technique is to fake audio/video failure in the interview and have the victim download "Zoom" from a script (in reality, malware is being installed). The "real-time translator" technique is also used (having the victim install fake AI software that translates the questions in real time into English). In all cases, the victim's wallet will be drained.

 

ROMANCE SCAM
An automated romance scam on Telegram is using a bot based on Claude that generated emotionally sophisticated messages to lure users in the United States, Japan, and Korea, convincing them to send money.

 

RANSOMWARE SALES ON THE DARK WEB
Criminal actors are creating and selling AI-generated ransomware on the dark web for between $400 and $1,200 (payment in BTC or XMR). These operators would otherwise not have the skills to develop them independently.

 

TECHNIQUES USED
1) FreshyCalls: This technique exploits a relationship between a function's address and its System Service Number (SSN). By sorting the functions exported from ntdll.dll by address, it's possible to deduce the corresponding SSN for each function. This allows system calls to be executed indirectly, avoiding the direct use of the syscall instruction, which is easily detected by security solutions (EDR). The underlying idea is to bypass Endpoint Detection and Response (EDR) checks that monitor for suspicious activity related to direct system calls.

2) RecycledGate: This is an advanced technique for invoking system calls indirectly. It works by identifying syscall instructions and, using sophisticated techniques, avoiding their inclusion in the code. Jumps to legitimate syscall instructions within ntdll.dll make it more difficult for EDRs to recognize the activity as anomalous, because it appears to come from a trusted source (the operating system itself).

 

FINAL REMARKS
The Anthropic report highlights that these methods (FreshyCalls and RecycledGate) were integrated into malware created with the help of the Claude AI to bypass Windows system defenses. The developed malware features sophisticated evasion and anti-recovery mechanisms, including shadow copy deletion and specific techniques to evade detection. EDR, for its part, attempts to detect suspicious FreshyCalls by checking which system functions are called and in what order, to determine if the numbers used don't match what the program is supposed to do.
Furthermore, instead of looking only at the instruction itself, it observes what the process does (e.g., sudden access to protected memory, creation of suspicious threads, etc.). For Recycled Gate, EDR also intercepts internal jumps to ntdll.dll, not just standard API calls.
With memory analysis, it checks whether a program is trying to "reuse" instructions (syscalls; ret) in unusual places in the library.
With machine learning/heuristics, however, if an unknown process starts making many low-level calls in an anomalous manner, it is flagged.

 

Are you interested in ways to earn crypto bonus? Check it out here: Some Sites To Earn Crypto Bonus (Old & New)

Cryptocurrency Bitcoin (BTC) Ethereum (ETH) AI hacking

How do you rate this article?

47
☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ
☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ Verified Member

I love Bitcoin since 2012. I also love NFT. #BTC #ETH #MLBSorare

Darknet
Darknet

The topics will be 🅒🅡🅨🅟🅣🅞, of course. BTC and Degen crypto since 2012.⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.
Anthropic Is Coming to Wall Street: The First Trillion-Dollar AI IPO Could Change Everything Anthropic Is Coming to Wall Street: The First Trillion-Dollar AI IPO Could Change Everything
MakeItReal

MakeItReal

13 hours ago
3 minute read

Why Did Someone Burn 107 BTC ($8 Million)? The Hypotheses Why Did Someone Burn 107 BTC ($8 Million)? The Hypotheses
☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ

☑️0🆇D̺͈͙͕̿ͧ̑ͣ🅰🆅🅸🅳eͤ

2 Jun 2026
2 minute read

Openclaw Users Leveraging Brave Browsers Search API Openclaw Users Leveraging Brave Browsers Search API
Cje95

Cje95

22 hours ago
2 minute read