A newly emerged ransomware group, FunkSec, has quickly risen to prominence since its debut in late 2024, a feat driven by its aggressive operations and its novel use of artificial intelligence (AI) tools in malware development.
One of FunkSec's most notable differentiators is its apparent use of AI tools to bolster its capabilities, visible in the development and refinement of the group's custom ransomware tools and other scripts, according to Check Point Research's latest report.
Code linked to FunkSec, frequently written in Rust, shows signs of having been crafted with the help of large language model (LLM) agents. For example, code comments exhibit a higher level of fluency and precision in English than the group's other communications, suggesting external assistance.
They’ve also released malicious AI-powered chatbots via platforms like Miniapps, leveraging the technology for harmful activities.
FunkSec is, however, not the first group of hackers to use AI technologies, which can equip even low-skill actors with tools that once required significant expertise to develop.
FunkSec's core operations appear to be led by relatively inexperienced individuals; their encryptor appears to have been developed by an amateur author from Algeria. Yet FunkSec's success can be attributed, in part, to the accessibility that AI offers.
The group requests unusually low ransoms, sometimes as little as $10,000, and sells stolen data at reduced prices to third parties, which boosts the group’s visibility and reputation.
The Ransomware-as-a-Service (RaaS) group reportedly claimed over 85 victims on its data leak site (DLS) in December, setting itself apart as the most active ransomware entity that month.
While their targets often align with political causes, such as the "Free Palestine" movement, FunkSec also employs double-extortion tactics and monetizes stolen data.
However, a closer analysis of FunkSec raises questions about the group's expertise, motivations, and the legitimacy of its leaked data, as many of FunkSec’s published leaked sets were later identified as recycled from prior hacktivist leaks, casting doubt on their authenticity.
Security researchers say the most prominent member of FunkSec is Scorpion, who uses multiple aliases, most often DesertStorm.