Trade in stolen ChatGPT account credentials, especially those of premium accounts, has been on the rise on the dark web since March, enabling cybercriminals to get around OpenAI’s geofencing restrictions and get unlimited access to ChatGPT, according to research by Check Point.

“During the last month, CPR (Check Point Research) observed an increase in the chatter in underground forums related to leaking or selling compromised ChatGPT premium accounts,” Check Point said in a blog post. “Mostly those stolen accounts are being sold, but some of the actors also share stolen ChatGPT premium accounts for free, to advertise their own services or tools to steal the accounts.”

Several criminal activities around ChatGPT

Researchers have observed various kinds of discussions and trades related to ChatGPT on the dark web over the past month.

The latest activity on the dark web involving ChatGPT includes the leak and free publication of ChatGPT account credentials, and the trade of stolen premium ChatGPT accounts.

Cybercriminals are also trading brute-forcing and checker tools for ChatGPT. These tools allow cybercriminals to break into ChatGPT accounts by running huge lists of email addresses and passwords, trying to guess the right combination to access existing accounts.

Also on offer is ChatGPT account as a service — a dedicated service that offers to open ChatGPT premium accounts — most likely using stolen payment cards, Check Point said in its blog.

SilverBullet configuration on sale

Cybercriminals are also offering a configuration file for SilverBullet that allows checking a set of credentials for OpenAI’s platform in an automated way, Check Point said.

SilverBullet is a web testing suite that allows users to perform requests toward a target web application.
Cybercriminals also use it to conduct credential stuffing and account checking attacks against different websites, and thus steal accounts for online platforms.

In the case of ChatGPT, researchers said, this enables them to steal accounts at scale. The process is fully automated and can initiate between 50 and 200 checks per minute. It also supports proxy implementation, which in many cases allows it to bypass different protections that websites deploy against such attacks.

“Another cybercriminal who focuses only on abuse and fraud against ChatGPT products, even named himself ‘gpt4’. In his threads, he offers for sale not only ChatGPT accounts but also a configuration for another automated tool that checks a credential’s validity,” Check Point said.

Lifetime upgrade to ChatGPT Plus

An English-speaking cybercriminal started advertising a ChatGPT Plus lifetime account service, with 100% satisfaction guaranteed, on March 20th, Check Point said.

The lifetime upgrade of a regular ChatGPT Plus account opened via an email address provided by the buyer costs $59.99, while OpenAI’s legitimate price for this service is $20 per month.

“However, to reduce the costs, this underground service also offers an option to share access to ChatGPT account with another cybercriminal for $24.99, for a lifetime,” Check Point said.

What can be achieved with stolen ChatGPT account credentials?

There is a huge demand for stolen credentials of premium ChatGPT accounts, as they can help cybercriminals get around the geofencing restrictions imposed on the service. ChatGPT has geofencing restrictions that block the use of the service in certain geographies such as Iran, Russia, and China.

However, using the ChatGPT API, cybercriminals can bypass the restrictions and use the premium accounts as well, Check Point said.

Another potential use for cybercriminals is to gain personal information.
ChatGPT accounts store the recent queries of the account’s owner.

“So, when cybercriminals steal existing accounts, they gain access to the queries from the account’s original owner. This can include personal information, details about corporate products and processes, and more,” Check Point said in the blog.

In March, Microsoft-backed OpenAI revealed that a bug in an open source Redis client library had led to a ChatGPT outage and data leak, in which users could see other users’ personal information and chat queries.

Chat queries and personal information such as subscriber names, email addresses, payment addresses, and partial credit card information of approximately 1.2% of ChatGPT Plus subscribers were exposed, the company acknowledged.

Privacy concerns around ChatGPT

Various privacy and security concerns around ChatGPT have come forward in the last few months. Italy’s data privacy regulator has already banned ChatGPT over alleged privacy violations relating to the chatbot’s collection and storage of personal data. The authorities said they will lift the temporary ban on ChatGPT if OpenAI meets a set of data protection requirements by April 30.

The German data protection commissioner has also warned that ChatGPT may face a potential block in Germany due to data security concerns.

Meanwhile, earlier this week, OpenAI announced a bug bounty program inviting the global community of security researchers, ethical hackers, and technology enthusiasts to help the company identify and address vulnerabilities in its generative artificial intelligence systems.

OpenAI will hand out cash rewards ranging from $200 for low-severity findings to up to $20,000 for exceptional discoveries.
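
Detection logic for the automated, proxy-backed credential checking described in the SilverBullet section above, added here as an example and not taken from Check Point or OpenAI. The event fields, the grouping by user agent, the two ratio thresholds and the sample events are all assumptions constructed for illustration; only the 50-checks-per-minute floor comes from the article.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MIN_ATTEMPTS_PER_MIN = 50       # lower bound of the 50-200 checks/minute cited above
MIN_DISTINCT_USER_RATIO = 0.9   # assumed: a checker tries each account about once
MIN_FAILURE_RATIO = 0.9         # assumed: most stolen pairs do not work


def build_sample_events():
    """Constructed login events: (timestamp, source_ip, user_agent, user, ok)."""
    t0 = datetime(2023, 4, 1, 12, 0, 0)
    events = []
    # Automated checker: 60 attempts in one minute, a new proxy IP each time.
    for i in range(60):
        events.append((t0 + timedelta(seconds=i), f"198.51.100.{i + 1}",
                       "checker/1.0", f"user{i}@example.com", i == 17))
    # Ordinary users: one mistyped password followed by a successful retry.
    for i in range(5):
        ip, user = f"203.0.113.{i + 1}", f"staff{i}@example.com"
        events.append((t0 + timedelta(seconds=10 * i), ip, "browser/112", user, False))
        events.append((t0 + timedelta(seconds=10 * i + 5), ip, "browser/112", user, True))
    return events


def detect_stuffing(events):
    """Flag (minute, user_agent) buckets that look like automated checking.

    Grouping by user agent instead of source IP is an assumption: proxy
    rotation keeps every per-IP count low, so a per-IP limit sees nothing.
    """
    buckets = defaultdict(list)
    for ts, ip, ua, user, ok in events:
        buckets[(ts.replace(second=0, microsecond=0), ua)].append((ip, user, ok))
    alerts = []
    for (minute, ua), rows in sorted(buckets.items()):
        attempts = len(rows)
        per_ip = Counter(ip for ip, _, _ in rows)
        users = {user for _, user, _ in rows}
        failures = sum(1 for _, _, ok in rows if not ok)
        if (attempts >= MIN_ATTEMPTS_PER_MIN
                and len(users) / attempts >= MIN_DISTINCT_USER_RATIO
                and failures / attempts >= MIN_FAILURE_RATIO):
            alerts.append({"minute": minute, "user_agent": ua, "attempts": attempts,
                           "source_ips": len(per_ip), "max_per_ip": max(per_ip.values()),
                           "compromised": sorted(u for _, u, ok in rows if ok)})
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(build_sample_events()):
        print(alert)
```

The `max_per_ip` value in the alert shows why the aggregate view matters: each proxy address appears only once, while the `compromised` list names the accounts that need a forced password reset and session revocation.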