A new and ominous player has emerged in the rapidly expanding landscape of \u201cShadow AI.\u201d Researchers at Resecurity have identified DIG AI, an uncensored artificial intelligence tool hosted on the darknet that is empowering threat actors to automate cyberattacks, generate illicit content, and bypass the safety guardrails of traditional AI models.<\/p>\n
First detected on September 29, 2025, the tool has seen a surge in adoption throughout Q4, particularly during the winter holiday season<\/a>.\u200b<\/p>\n This development marks a significant escalation in the \u201ccriminalization of AI,\u201d lowering the barrier to entry for sophisticated cyberattacks and posing severe risks ahead of major global events in 2026, including the Winter Olympics in Milan and the FIFA World Cup.\u200b<\/p>\n Unlike legitimate platforms that enforce strict ethical guidelines, DIG AI is explicitly designed to have none. Accessible via the Tor network, it requires no account registration, ensuring complete anonymity for its users. The platform offers a suite of specialized models, as revealed in interface screenshots obtained by investigators:\u200b<\/p>\n The tool\u2019s operator, a threat actor known by the alias \u201cPitch,\u201d actively promotes the service on underground marketplaces alongside narcotics and compromised financial data.\u200b<\/p>\n One of the most alarming capabilities of DIG AI is its ability to generate functional malicious code. Resecurity analysts successfully used the tool to create obfuscated JavaScript backdoors designed to compromise web applications.\u200b<\/p>\n Screenshots of the tool in action show it processing requests to \u201cgenerate and obfuscate malicious script,\u201d producing code designed to be stealthy and hard to detect.<\/p>\n The generated output acts as a web shell, allowing attackers to steal user data, redirect traffic to phishing sites, or inject further malware.<\/p>\nHow DIG AI Works<\/strong><\/h2>\n
\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg8tsZpuEb7lbHE0MGAK8R0In5GGqM8gYzCkJH_nZFmtw06uk3q7i93h-caqgRtGp-ARnsGeLsaTUS1BO_A7zcAje6wTmjvLMDjd1G9z8n8rR13s0ZHV1YL14VUWRoeZku3PW3mVk30qDKaM4ir8KbsHKtkJE493AYySvc_UgvLl_EXX1RCMj2qqpKEk25x\/w640-h404\/img2.webp?ssl=1\")
<\/figure>\n<\/div>\nAutomating Malicious Code and Exploits<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhUVkjS1r0CNC-CM7fb6yC4t2bzFUd_4XjRvLc6-_LY9MZfzgDeX5Xf_lFCrelXkVAKPCD6np6_HxR2UnQF121V3dI5x9s13k5eYuUyFWtRebaDT30STv4GW-7mXQ8S3I_ZYtd5mRo9edRvTzNcpD1jtY0WMRr5TJMIqrcyu-3JAFEYeSDR3GW74HhtICaQ\/w640-h170\/img3.webp?ssl=1\")
<\/figure>\n<\/div>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEimESjMYjfexBTYot0gN9Igi7JQKF44RZq7Uh4o5gGwszLy86FYeS6pX4DzCFmdKRBPkGtscvHIdsYfWJxPgVfSBv0kXQJmrRG4yWAsq8BV5TY7ov9WVTYpFKdg3YBt8xGedL3UxO5JzgHU1zzMEBcasIH3-XlgbAjF83NBihWtUpW74asRpNVlPlZXLkHG\/s16000\/img1%2520%281%29.webp?ssl=1\")
<\/figure>\n<\/div>\n