Table of Contents

Which Open-Source AI Models Are Cybercriminals Most Likely to Use?

The most capable model is not always the most attractive one. Cybercriminal adoption is shaped by convenience, cost, privacy, hardware requirements, and access to automation tools.

Open-source AI creates an uncomfortable asymmetry.

The same qualities that make open models valuable to businesses and researchers—local deployment, customization, low cost, and freedom from a central provider—also make them attractive to malicious actors. A cybercriminal can run an open-weight model without submitting every prompt to a monitored commercial service. More sophisticated groups can adapt its behavior, connect it to tools, and integrate it into automated workflows.

That does not mean cybercriminals will automatically choose the most powerful downloadable model. In practice, operational convenience often matters more than benchmark performance.

Commercial models remain more popular

Before comparing open models, it is important to establish what current threat reporting shows: cybercriminals still make extensive use of mainstream commercial AI.

CrowdStrike reported that ChatGPT was mentioned in criminal forums 550% more frequently than any other model. It also observed an 89% increase in attacks involving AI-enabled adversaries during 2025. CrowdStrike’s 2026 Global Threat Report suggests that familiar hosted products remain the default because they are easy to access and require no infrastructure.

Google Threat Intelligence reached a similar conclusion. It found that underground products advertised as private, custom-built malicious models were sometimes wrappers around commercial AI services and open-source agent software. Google concluded that threat actors often struggle to develop capable custom models and instead depend on mature hosted systems. Google’s February 2026 AI Threat Tracker documents this gap between underground marketing and technical reality.

So the likely future is not a wholesale migration from commercial to open models. It is a hybrid ecosystem in which criminals use different models for different parts of an operation. OpenAI has also observed this multi-model pattern, noting that threat activity is rarely confined to one platform or model. OpenAI’s 2026 threat report describes models being combined with conventional websites, social media accounts, and other tools.

What cybercriminals would value in an open model

From a threat-analysis perspective, six characteristics matter most.

Local deployability

A model that runs on a workstation or modest GPU server is more accessible than a trillion-parameter model requiring a data center.

Local deployment also reduces exposure to a model provider’s abuse monitoring. It does not provide complete anonymity—the surrounding infrastructure can still create evidence—but it removes one important point of centralized visibility.

Coding and tool use

For technically capable actors, the most valuable models are likely to be those that can explain unfamiliar code, translate between programming languages, debug scripts, call tools, and maintain context across a multi-step task.

The same capabilities are useful to defenders, developers, and system administrators. Intent and surrounding activity determine whether the use is malicious.

Multilingual performance

Cybercrime is global. Strong multilingual models can help produce more natural communication across languages, reducing the grammatical and cultural errors that once made fraudulent messages easier to recognize.

Google has observed threat actors using AI for translation, target research, and more culturally convincing social engineering.

Operational reliability

A model that occasionally generates brilliant code but frequently loses instructions is less useful than one that completes repetitive tasks consistently. Cybercriminals, like legitimate companies, benefit from predictable structured output and reliable tool calling.

Ecosystem support

A slightly weaker model may be more attractive if it works easily with common inference servers, agent frameworks, quantization tools, and automation software.

This is why mature families such as Llama and Qwen may see more practical use than their benchmark position alone would suggest.

Cost

For financially motivated actors, economics matter. A smaller model running on available hardware may be preferable to a stronger model that requires an expensive GPU cluster.

Some criminals will also continue using unauthorized commercial accounts or stolen API credentials instead of funding their own inference infrastructure. Google’s threat reporting identifies theft and underground resale of AI API keys as an established problem.

Likely adoption by model family

Model familyCriminal appealMain constraintLikely adoption
Qwen3.5Multilingual, coding, multimodal, many deployment sizesFlagship remains largeHigh
Gemma 4Strong small models, local deployment, multimodalLower ceiling on long agent tasksHigh among local users
gpt-ossReasoning, tools, structured output, manageable hardwareText-only and behind the newest frontierHigh for text automation
Llama 4Mature ecosystem and extensive toolingCustom license and aging capabilityModerate to high
DeepSeek-V4Strong reasoning, coding and long contextVery large self-hosting footprintModerate, mostly through services
GLM-5.2Excellent coding and long-horizon agents753-billion-parameter deploymentModerate among sophisticated groups
Kimi K2.5Multimodal agents and visual codingOne-trillion-parameter modelModerate through hosted access
Mistral Large 3Multilingual, structured output, permissive licenseLarge and no longer the strongest coderModerate to low

These likelihoods are forecasts based on capability and deployment friction, not claims that every model has been observed in specific criminal campaigns.

Qwen3.5: the most likely general-purpose choice

Among open families, Qwen is probably the strongest candidate for broad criminal adoption.

Its appeal comes from combination rather than dominance in one category. Qwen offers coding, reasoning, multimodal input, tool use, extensive language coverage, permissive licensing, and multiple model sizes. This gives actors a path from inexpensive local experimentation to larger hosted deployments.

Its multilingual capability is especially relevant to fraud and social engineering, while its coding and agent features make it useful to more technically capable groups.

The flagship Qwen3.5 model is too large for a typical personal computer, but smaller Qwen releases preserve much of the family’s tooling and behavior. That accessibility makes Qwen more likely to spread than an equally capable model available only at data-center scale.

Assessment: the most likely open family to become a general-purpose criminal workhorse.

Gemma 4: the accessible local option

Gemma 4 is likely to appeal to actors prioritizing local deployment.

Its smaller models target mobile and edge hardware, while the 26-billion- and 31-billion-parameter versions can run on suitably equipped workstations. The family supports text, images, coding, reasoning, and many languages.

That does not make Gemma 4 the strongest choice for sophisticated autonomous operations. Larger models are generally more capable when a task requires extended planning, repeated tool use, or recovery from unexpected failures.

But most cybercriminals do not operate advanced AI laboratories. A capable model that can run privately on obtainable hardware may be more attractive than a technically superior model requiring an expensive cluster.

Assessment: highly likely among lower-resource actors and developers of locally operated underground services.

gpt-oss: attractive for structured text automation

The gpt-oss family offers a useful balance between reasoning and deployability.

The 20-billion-parameter model can run within roughly 16 GB of memory, while gpt-oss-120b fits on a single 80 GB accelerator. Both support adjustable reasoning effort, structured output, and function calling.

Those features make the family attractive for automated text processing, code assistance, data transformation, and tool routing. Its compatibility with popular local inference software further reduces deployment friction.

Its limitations are equally clear. It is text-only, primarily oriented toward English, STEM, and coding, and has been overtaken in raw capability by newer open releases. It would be less attractive for multilingual or visually grounded operations.

Assessment: likely to be used as a reliable local component, especially where structured output matters more than maximum intelligence.

Llama 4: still relevant because everything supports it

Llama 4 is no longer the strongest open family, but it has one of the largest ecosystems.

Many inference servers, fine-tuning libraries, hardware platforms, and agent frameworks support Llama well. Existing underground services built around earlier Llama versions may upgrade within the same family instead of rebuilding around a different architecture.

This is the same form of inertia that keeps older enterprise software alive. Compatibility and accumulated operational knowledge can outweigh a modest capability difference.

Llama’s custom license will matter to legitimate businesses, but it is unlikely to influence criminal adoption. Hardware requirements and capability will matter more.

Assessment: continued moderate-to-high use, particularly in existing local AI stacks.

DeepSeek-V4: powerful, but not truly lightweight

DeepSeek-V4 is attractive for reasoning, long-context analysis, and coding. Its MIT license and availability as both Pro and Flash variants also reduce legal and technical restrictions for legitimate deployers.

The obstacle is size. Even the Flash model contains 285 billion total parameters, while the Pro model reaches 1.6 trillion. Sparse activation reduces computation but does not eliminate the cost of storing and serving the weights.

Individual criminals are therefore less likely to self-host the largest DeepSeek models. More plausible routes include hosted inference, third-party services, shared infrastructure, or unauthorized access to someone else’s compute.

Assessment: likely to be consumed as a service; local deployment will be concentrated among sophisticated and well-resourced groups.

GLM-5.2: potentially important for advanced operators

GLM-5.2 deserves special attention because it is optimized for long-running coding and agent tasks.

It supports a one-million-token context window and performs strongly on software-engineering, terminal, and tool-use evaluations. The MIT license permits broad redistribution and adaptation.

From a defensive perspective, these are meaningful capabilities. A reliable coding agent can accelerate technical work and allow one operator to supervise more activity. Sysdig’s July 2026 analysis of JADEPUFFER described what it assessed as an AI-driven database-extortion operation that adapted to failures in real time, although Sysdig could not identify the underlying model. Sysdig’s report is evidence that agentic misuse is moving beyond hypothetical demonstrations—not evidence that GLM itself powered the incident.

GLM-5.2’s 753 billion parameters create a high barrier to self-hosting. Its immediate audience is therefore more likely to be nation-state operators, organized criminal services, and actors accessing it through hosted infrastructure.

Assessment: one of the most concerning models for sophisticated agentic misuse, but unlikely to be the most widely deployed locally.

Kimi K2.5: attractive for multimodal operations

Kimi K2.5 combines text, image, video, coding, and agent capabilities. This makes it relevant to operations involving visual material, interface interpretation, large collections of mixed media, or coordinated research tasks.

Its agent-swarm design could also appeal to advanced groups experimenting with parallelized workflows.

The model’s one-trillion-parameter footprint is the decisive constraint. Most criminal users will not operate the infrastructure needed to serve it. Its use is more likely to occur through Moonshot’s service, third-party inference providers, or underground products that wrap those services.

Assessment: potentially valuable for multimodal and agentic activity, but unlikely to achieve the local popularity of Qwen, Gemma, or gpt-oss.

Mistral Large 3: capable but squeezed by alternatives

Mistral Large 3 offers multilingual support, vision, function calling, structured output, and an Apache 2.0 license.

Those are useful properties, but its position is difficult. The model is too large to be the easiest local option, while newer models are stronger at advanced reasoning or coding. Actors seeking local efficiency have Gemma, Qwen, gpt-oss, and smaller Llama variants. Those seeking maximum capability have GLM, DeepSeek, Kimi, and commercial frontier services.

Mistral may still appear in European-language operations or systems already built around Mistral infrastructure.

Assessment: likely to see specialized or inherited use, but less likely to become the default criminal model.

The most likely outcome

There will not be one dominant “cybercrime model.”

The likely pattern is a three-layer market:

  1. Mainstream hosted models will remain the most commonly used. > They offer the highest convenience and often the strongest > performance. Criminals will continue trying to abuse legitimate > accounts, unauthorized API access, and underground wrapper > services.

  2. Qwen, Gemma, gpt-oss, and Llama will dominate accessible local > use. They offer the most practical balance of capability, > hardware requirements, and tooling.

  3. GLM-5.2, DeepSeek-V4, and Kimi K2.5 will be used by more > sophisticated actors or accessed through services. Their > capability is attractive, but their enormous weight files make > private deployment expensive.

If one open family is most likely to achieve broad adoption among cybercriminals, it is Qwen. Its combination of model sizes, multilingual ability, coding strength, multimodality, permissive licensing, and ecosystem support gives it the widest potential audience.

If the question is which model creates the greatest concern for advanced agentic cyber operations, GLM-5.2 and DeepSeek-V4 deserve closer attention.

The larger conclusion, however, is that defenders should not build detection strategies around model names. Threat actors switch providers, combine models, use wrapper services, and mix AI with conventional tools. Observable behavior—unusual automation speed, repeated machine-generated actions, identity abuse, anomalous API consumption, and rapid error correction—will be a more durable signal than trying to identify which model produced a particular line of text or code.

Author

  • Mickey Boodaei

    Mickey is the CEO and Co-Founder of Transmit Security where he passionately leads the product and development teams in Tel Aviv, Israel. As a pioneer and serial entrepreneur with over 30 years of experience Mickey has co-founded leading cyber companies such as Imperva (IMPV) and Trusteer (acquired by IBM in 2013) and personally invested in over a dozen startups in the field including Armis, Apiiro, and Island.

    View all posts