Table of Contents

Which AI Models Will Fraudsters Use?

Fraudsters will not choose models the way AI researchers do. They will optimize for convenience, scale, anonymity, language coverage, and the ability to create believable identities.

When people discuss the misuse of generative AI, they often imagine criminals searching for the most powerful model available.

That is probably the wrong mental model.

Fraud is an economic activity. Fraudsters care about return on investment, operational friction, and the number of victims one operator can manage. A model that is slightly less capable but cheap, familiar, and easy to automate may be more attractive than a frontier system requiring expensive infrastructure.

They will also rarely rely on one model. A modern fraud operation might use a commercial language model to research targets, an open model to automate conversations, an image generator to create personas, and a specialized service for synthetic voice or video.

The likely future is therefore not one dominant “fraud model.” It is a modular fraud stack.

AI is already industrializing fraud

INTERPOL’s 2026 financial-fraud assessment describes generative AI as a force multiplier for social engineering, synthetic identities, impersonation, and fraud-as-a-service. It estimates that AI-enabled schemes can be 4.5 times more profitable than non-AI-enhanced tactics because they allow criminals to reach more victims while making each interaction more convincing. INTERPOL’s report also identifies underground synthetic-identity kits combining video avatars, cloned voices, and biometric data.

That is the important change. AI does not need to invent a new category of fraud to be disruptive. It makes existing scams cheaper, faster, more personalized, and easier to operate across languages.

What fraudsters will look for in a model

Five characteristics are likely to shape adoption.

Convenience

Most fraudsters are not machine-learning engineers. They will prefer a familiar chat interface or inexpensive API over downloading hundreds of gigabytes of weights and managing GPU servers.

Believability

For social engineering, natural conversation matters more than advanced mathematics. A model must maintain tone, remember details, avoid obvious contradictions, and communicate naturally in the victim’s language.

Scale

Organized fraud groups need to manage many simultaneous conversations. Models with low inference costs, predictable structured output, and reliable API access will be particularly valuable.

Privacy from the provider

Hosted models can detect abuse, suspend accounts, preserve logs, and cooperate with investigations. Locally deployed models remove that central point of visibility, although the surrounding infrastructure can still expose the operator.

Multiple modalities

Text alone is no longer enough for some fraud schemes. Images establish a persona. Voice creates urgency and familiarity. Video may be used to overcome skepticism or attack remote identity-verification systems.

The most effective fraud stacks will combine all four.

Commercial models will remain the most widely used

Despite concerns about open-source AI, mainstream hosted models are likely to remain the first choice for a large share of fraudsters.

CrowdStrike reported that ChatGPT was mentioned on criminal forums 550% more frequently than any other model. Its 2026 Global Threat Report indicates that familiarity and easy access currently outweigh the benefits of private self-hosting.

Google Threat Intelligence has also found underground services that claimed to be private, purpose-built malicious models but were actually assembled from commercial AI APIs and open-source agent software. In other words, parts of the criminal market sell convenient wrappers rather than genuinely independent models. Google’s 2026 AI Threat Tracker concludes that many threat actors still struggle to develop custom AI systems.

ChatGPT and GPT models

ChatGPT is likely to remain the most commonly used single AI product among fraudsters, just as it is among legitimate users.

Its advantages include high-quality writing, coding, research, translation, document creation, image capabilities, and widespread familiarity. A low-skill operator can begin using it immediately.

Its disadvantage for criminals is centralized monitoring. OpenAI can identify patterns of abuse, disable accounts, improve safeguards, and preserve evidence. OpenAI’s own threat reporting describes fraudulent dating services, impersonation schemes, and other malicious activity that it detected and disrupted. It also notes that threat actors frequently use multiple models and platforms rather than remaining within one service. OpenAI’s 2026 report supports a multi-model view of criminal adoption.

Likely role: research, drafting, translation, document creation, and general planning.

Gemini

Gemini is likely to be another major choice because of its multimodal capabilities and integration with search, productivity tools, and a large consumer ecosystem.

Google has observed malicious actors using generative AI for target research, multilingual social engineering, technical troubleshooting, and content generation. It has also documented campaigns that used public links from several AI platforms—including Gemini, ChatGPT, Copilot, DeepSeek, and Grok—to make malicious instructions appear trustworthy.

Likely role: research, multilingual content, image and document analysis, and general fraud support.

Claude

Claude’s appeal lies in long-context analysis, natural writing, document processing, and the ability to work through complicated tasks. It could be useful to organized fraud groups analyzing large collections of stolen documents or constructing internally consistent narratives.

As with other hosted systems, provider safeguards and monitoring reduce its attractiveness for direct, repeated abuse. Fraudsters may nevertheless access it through disposable accounts, unauthorized credentials, or underground wrapper services.

Likely role: long-document analysis, polished communications, and planning for complicated schemes.

Grok and other consumer chatbots

Other widely available chatbots will also be used opportunistically. Fraudsters do not need loyalty to a particular provider. They will move between services according to price, availability, language support, and the effectiveness of abuse controls.

Likely role: overflow capacity and opportunistic use when other services are unavailable or restrictive.

Qwen is the open family most likely to be widely adopted

Among open-weight language models, Qwen is the strongest candidate for broad fraudster adoption.

The family combines several qualities that matter for fraud:

  • Strong multilingual performance

  • Coding and tool use

  • Multimodal input

  • Many model sizes

  • Apache 2.0 licensing

  • Compatibility with common local inference software

  • Smaller variants that can run without a data center

The flagship Qwen3.5 release supports more than 200 languages and dialects, according to Qwen’s official documentation. That is particularly relevant to fraud operations targeting victims across different regions.

The largest Qwen model still requires significant infrastructure, but criminals do not need the flagship for every task. Smaller models can handle classification, message generation, translation, and routine conversations at much lower cost.

Likely role: high-volume multilingual messaging, locally operated chatbots, persona management, and fraud-service backends.

Overall assessment: the open family most likely to become a general-purpose fraud workhorse.

Gemma 4 will appeal to local operators

Gemma 4 is likely to be attractive because of its capability relative to its size.

Google provides variants targeting hardware ranging from edge devices to workstations. The larger Gemma models support text, images, coding, reasoning, and more than 140 languages, while remaining far easier to host than trillion-parameter systems. Google’s Gemma 4 documentation positions the family around high intelligence per parameter.

Gemma may not be the strongest model for managing extremely long, emotionally complex conversations. But local availability and low operating costs could make it useful for generating content or supporting simpler automated interactions.

Likely role: private local generation, lightweight multilingual automation, and image-assisted workflows.

gpt-oss will be useful for structured automation

The gpt-oss family offers predictable reasoning, tool use, function calling, and structured output.

The 20-billion-parameter version can run within roughly 16 GB of memory, while the larger 120-billion-parameter model fits within 80 GB. That makes the family practical for private deployment compared with the largest open models. OpenAI’s gpt-oss release describes both models as Apache-licensed and compatible with popular local inference systems.

Its weaknesses for fraud are its text-only design and primarily English-oriented training. It is less suitable than Qwen for a global, multimodal fraud operation.

Likely role: workflow automation, data processing, message routing, and English-language text generation.

Llama will persist because of its ecosystem

Llama may remain common even though Llama 4 is no longer the leading open model on raw capability.

The reason is ecosystem inertia. Many inference systems, fine-tuning tools, quantization projects, and automation frameworks already support Llama. Existing underground chatbots built with earlier Llama releases can continue using familiar infrastructure.

Smaller or quantized Llama-based models may be more relevant to ordinary fraudsters than the large Llama 4 releases.

Likely role: existing self-hosted services, customized chatbots, and systems built around mature local tooling.

DeepSeek and GLM will matter more to organized groups

DeepSeek-V4 and GLM-5.2 offer powerful reasoning, coding, long context, and agent capabilities. On paper, this makes them concerning.

Their size is also a practical limitation. DeepSeek-V4’s larger version contains 1.6 trillion parameters, while GLM-5.2 contains approximately 753 billion. Sparse activation reduces computation, but the full weights still require substantial storage and accelerator infrastructure.

Individual fraudsters are unlikely to self-host these models. Organized groups may access them through hosted providers, shared infrastructure, unauthorized compute, or fraud-as-a-service intermediaries.

Their advanced reasoning may also be unnecessary for routine scams. A romance or customer-support impersonation scheme benefits more from consistent dialogue and low cost than from exceptional mathematical reasoning.

Likely role: sophisticated automation, large-scale analysis, software development, and agentic workflows operated by well-resourced groups.

Fraudsters will use specialist media models for impersonation

Language models will provide the script, but specialist generative models will provide the identity.

Images

Commercial image generators will be used for generic advertisements, product images, profile pictures, and fictional personas because they are convenient and produce polished results.

Open-weight families such as Stable Diffusion and FLUX are more attractive when operators want local generation, extensive customization, or freedom from provider-level monitoring. Black Forest Labs offers open FLUX variants, while commercial versions provide higher-end generation and editing. Its current release notes illustrate the split between downloadable and hosted image models.

Voice

Voice fraud is more likely to rely on specialist speech synthesis and voice-conversion systems than on general-purpose language models. The language model writes and manages the conversation; the speech model produces the voice.

The open ecosystem already includes local voice-conversion frameworks such as RVC and a growing number of multilingual speech models. Commercial voice services may offer better convenience and quality, but provider safeguards create pressure toward local tools and underground deepfake-as-a-service offerings.

The International AI Safety Report 2026 cites research in which people accepted cloned audio as authentic in 80% of cases, underscoring why voice impersonation is such an important fraud risk.

Video and identity verification

Fraudsters attacking remote identity checks are more likely to use specialized face-swapping, reenactment, and synthetic-identity services than general text-to-video models.

INTERPOL has already identified deepfake-as-a-service marketplaces selling packages that combine avatars, voice clones, and biometric materials. The service matters more to the buyer than the underlying model: low-skill criminals can purchase the result without understanding how it was generated.

The likely fraud stack

Fraud functionMost likely model category
Research and planningChatGPT, Gemini or Claude
High-volume multilingual messagingQwen or a commercial frontier API
Private text automationQwen, Gemma, gpt-oss or Llama
Generic fake images and adsCommercial image generators
Locally generated personasFLUX, Stable Diffusion or similar open models
Voice impersonationSpecialist speech and voice-conversion models
Synthetic identity or videoDeepfake-as-a-service and specialized media tools
Complex agent automationCommercial frontier agents, GLM or DeepSeek through hosted infrastructure

The conclusion: convenience first, openness second

The most commonly used individual AI product among fraudsters will probably remain ChatGPT, followed by other mainstream services such as Gemini and Claude. They are accessible, powerful, and require no technical infrastructure.

The open model most likely to achieve broad criminal adoption is Qwen, particularly its smaller and mid-sized variants. It offers the best combination of multilingual ability, capability, deployment flexibility, and ecosystem support.

For private local operation, Gemma, gpt-oss, and Llama-based models are also likely to be common. For sophisticated, well-funded groups, DeepSeek and GLM may provide more advanced reasoning and agent capabilities, usually through hosted or shared infrastructure.

The most concerning operations will not depend on one of these models. They will combine:

  • A commercial frontier model for planning and difficult reasoning

  • An open local model for scalable, less-visible automation

  • An image model for personas and promotional material

  • A specialist voice or video system for impersonation

  • Conventional fraud infrastructure for messaging, payments, and > victim management

That is why defenders should avoid trying to identify a particular model from its writing style. Model attribution will become increasingly unreliable.

The more durable signals are behavioral: one operator managing implausibly many conversations, sudden changes in language quality, repeated scripts with personalized details, suspicious payment requests, synthetic identity reuse, unusual API consumption, and attempts to treat voice or video as sufficient proof of authorization.

The model will keep changing. The economics and behavior of fraud are the more stable things to watch.

Author

  • Mickey Boodaei

    Mickey is the CEO and Co-Founder of Transmit Security where he passionately leads the product and development teams in Tel Aviv, Israel. As a pioneer and serial entrepreneur with over 30 years of experience Mickey has co-founded leading cyber companies such as Imperva (IMPV) and Trusteer (acquired by IBM in 2013) and personally invested in over a dozen startups in the field including Armis, Apiiro, and Island.

    View all posts