It took me a few months to write the articles in the Cognitive Warfare series. The most important link is the one with dark web services and threat actors from Tor, Telegram, and the underground (clear-net). This article is the first of the Cognitive Warfare series, and I hope it will bring focus to this now, while it is not yet so big on the threat landscape (before it is too late). Too few companies and researchers are focused on the connection between human behavior, cognitive warfare, influence ops, the dark net, Telegram, and the underground.
I first watched cognitive warfare take shape from the inside, between 2014 and 2016, when I had direct contact with the actors building out hybrid-warfare and PsyOps ecosystems on the Eastern Flank. Back then the toolkit was slow and labor-intensive: manually run sockpuppet farms, forum seeding done by hand, narrative testing that took weeks to show results, and recruitment that depended on patient, one-to-one grooming inside underground communities. The strategic logic (divide, confuse, exhaust, delegitimize) was already fully formed. What has changed since is not the doctrine. It’s the engine.
Ten years later, the same category of actors is running the same playbook, except now the manual bottlenecks are gone. AI didn’t invent cognitive warfare. It industrialized it, and it did so by fusing directly with the dark web and underground services economy that criminal actors had already built for profit.
Where the Threads Meet
Cognitive warfare and cybercrime used to be treated as separate disciplines: one concerned with narratives and perception, the other with intrusion and monetization. That separation no longer holds. The underground now functions as a shared supply chain for both.
Group-IB’s 2026 threat research documents a 371% surge in dark web forum posts referencing AI since 2019, with replies up nearly twelvefold. The offerings split into three buckets: proprietary “Dark LLMs” stripped of guardrails, jailbreak-framework services sold as reusable templates, and malware or tooling generation. None of this is exotic anymore: subscriptions to uncensored criminal AI models run $30–200 a month, with customer bases exceeding a thousand users per vendor. A tool like DIG AI, accessible through Tor with no registration, can generate malware, scam scripts, and propaganda content on demand, explicitly designed to bypass the moderation layers built into mainstream models.
That last detail matters more than it looks. Influence operations and cybercrime infrastructure are now built on the same commodity tooling, sold through the same channels, to the same buyer pool.
Recruitment: From Patient Grooming to Automated Sourcing
In 2014–2016, building a network of operators, whether for narrative amplification or technical intrusion, meant identifying people inside forums, testing their reliability, and slow-walking trust. It was HUMINT tradecraft, full stop.
The recruitment layer has since moved largely onto Telegram, which by 2026 functions as the connective tissue linking access brokers, ransomware affiliates, malware vendors, and leak channels into one operational environment. Ransomware groups post affiliate terms publicly: the RaaS group “The Gentlemen” grew into the second-most-active ransomware operation of 2026 partly by offering a 90/10 revenue split to attract experienced operators away from competing programs. Hacktivist collectives with documented state-aligned sympathies use the same channels to recruit participants, coordinate DDoS campaigns, and distribute propaganda in the same breath. The line between “hire a hacker” and “recruit an influence operator” has effectively collapsed into a single Telegram storefront.
What used to require weeks of vetting now happens through a public post and a commission structure.
The As-a-Service Layer: Buying Capability Instead of Building It
This is where the operational shift is sharpest, and it maps directly onto what you’d expect from an industrialized underground:
- Ransomware-as-a-Service (RaaS) — turnkey lockers, affiliate panels, and negotiation infrastructure, rented rather than built. The barrier to running a ransomware campaign is now a payment, not a skill set.
- Phishing-as-a-Service (PhaaS) — platforms such as Darcula and Lucid have impersonated 200+ organizations across a hundred-plus countries and operate across iMessage and RCS at global scale, all sold as subscription products. A law-enforcement takedown this year of one such operation, “Outsider Enterprise,” linked it to over a million fraudulent URLs and roughly $1.9 billion in losses.
- Hacking-as-a-Service / access brokerage — initial access to corporate VPNs, RDP servers, and domain credentials is sold with proof-of-compromise screenshots attached, the same way a legitimate vendor would attach a product spec sheet.
- Deepfake-as-a-service — synthetic identity kits, cloned voices, and even biometric datasets are advertised for as little as $5, built from as little as ten seconds of scraped audio.
Every one of these categories is bundled and cross-sold on the same forums and Telegram channels. A buyer doesn’t need to be a hacker, a forger, or a propagandist. They need a budget and a Telegram handle.
What AI Actually Changed
The doctrine I watched form in 2014–2016 hasn’t moved. What AI changed is throughput, personalization, and deniability, the three variables that used to be cognitive warfare’s real bottleneck.
Phishing and social engineering no longer carry the tells that used to make them spottable. Academic researchers testing LLM-generated phishing content found it grammatically sound, contextually coherent, and linguistically natural — controlled studies now show AI-generated phishing matches or exceeds human-crafted phishing in effectiveness, while collapsing the skill and time an attacker needs to nearly zero. Industry data from 2025 put AI-supported social engineering above 80% of observed cases.
Voice and video impersonation turned a scarce, high-skill capability into a commodity. Ten seconds of audio pulled from a webinar, a podcast, or a social clip is now enough to clone a voice convincingly. Group-IB tracked a 52% year-on-year increase in unique dark-web actors trading in deepfake/KYC-bypass material.
Site and infrastructure generation used to require a developer. Now AI can stand up a convincing spoofed login page or MITM relay from a prompt, at a speed and volume that makes takedown-and-whack-a-mole defense structurally unwinnable — the same phishing operation dismantled this year had registered over 9,000 fake websites.
Attribution and deniability improved for the operator, not the defender. Dark LLMs with no ethical restrictions let a state-aligned actor or a purely criminal one produce identical-looking output, deepening the plausible-deniability layer that hybrid warfare has always depended on. State-aligned operators increasingly route through ransomware crews and hacktivist fronts specifically because it blurs the line between espionage, crime, and propaganda — one advisory this year describing a state-aligned actor using Telegram-controlled botnets to scale operations is one visible thread of a pattern that’s mostly invisible.
Why This Should Worry You More Than the Individual Incidents
None of the pieces above are new in isolation. What’s new, and what I didn’t see coming with this much force back in 2014, is the convergence. The underground stopped being a place where you found either criminal tooling or influence-operation support. It’s now a single marketplace serving both missions with the same products, because the technical substrate (AI-generated content, synthetic identity, automated infrastructure) is identical whether the objective is a ransom payment or a destabilized electorate.
That convergence has three consequences worth sitting with:
The cost of entry for cognitive warfare has collapsed. A state actor no longer needs a dedicated troll farm. It needs a Telegram account and a subscription.
Attribution is getting structurally harder, not just tactically harder. When criminal RaaS affiliates, hacktivist fronts, and state operators draw from the same AI tooling and the same recruitment channels, distinguishing “crime” from “warfare” becomes a judgment call rather than a technical finding.
Detection built for the old signatures is aging out in real time. Defenses tuned to catch bad grammar, robotic voices, or slow-built sockpuppet histories are being outrun by tooling that removes exactly those tells. The gap isn’t awareness — most of the industry now knows this is happening. The gap is that the defensive tooling and the regulatory response are still catching up to an offense that reorganizes itself on Telegram in the time it takes a channel to get banned and reborn.
The doctrine I saw form a decade ago was patient and manpower-limited. It no longer is. That’s the part worth taking seriously — not because the intent behind cognitive warfare changed, but because the underground economy handed it an engine built for scale.
Disclaimer: This article is provided for educational and situational-awareness purposes only. It reflects open-source analysis and publicly reported research (TLP:CLEAR), does not name or accuse any specific state, government, or nationality of wrongdoing, and does not attribute any activity to a named individual, organization, or country. Nothing in this piece constitutes technical instruction, operational guidance, or a how-to for conducting intrusion, fraud, phishing, or influence operations — no methods, code, prompts, configurations, or vendor/market identifiers are provided. All findings are drawn from and attributed to third-party, publicly available security research; no proprietary, classified, or non-public information is disclosed. The views expressed are the author’s own analytical assessment and do not constitute legal advice.