AI on the Dark Side: How Neural Networks Generate Phishing Texts and Bypass CAPTCHA (On the Use of Generative AI in Carding)

[Professor]

Introduction: The Democratization of Evil
While creating a convincing phishing email or bypassing security previously required specialized skills, the advent of generative artificial intelligence (GPT, Claude, Gemini, and their shadow counterparts) has made these capabilities accessible to anyone. AI has become the great equalizer in the world of cybercrime, giving carders and fraudsters tools that radically increase the scale, effectiveness, and personalization of attacks. We are entering an era when your "bank security officer" or "colleague" on a messenger app may not be a human being, but a highly accurate algorithm designed to steal.

Chapter 1: The Phishing Revolution: From Templated Emails to Hyper-Personalized Narratives​

Old school: Mass mailings with gross errors ("Dear customer! Your account has been blocked..."), easily filtered by spam filters and attentive users.

New era with AI:

1. Generating flawless texts. The neural network creates emails, messages, or voice scripts free of grammatical errors, in the desired style (formal, friendly, urgent), and in any language, including rare dialects. This reduces the "cognitive trigger" for suspicion in the victim.
2. On-the-fly contextual personalization. AI analyzes the victim's public data (social media, LinkedIn profiles, leaked databases) and inserts unique detailsinto the text :
   • "Hello, Ivan. This is regarding your recent order (order #457812 from March 12). For delivery details..."
   • "Hi, this is Anna from accounting. Regarding your Q2 report, which you submitted to Pyotr Sergeyevich..."
   • Such references instantly increase trust several times.
3. Dynamic scenarios and question responses. Modern AI-powered chatbots can engage in multi-step dialogue with victims in real time, answering their questions, allaying doubts, and consistently guiding them toward their goal — entering data or taking an action.
4. Multichannel. AI generates content for all platforms simultaneously: an email, a social media post, a script for a vishing call, and a text for SMS — all while maintaining a single, compelling narrative.

An example in carding: A bot that, having found your streaming service subscription data in a leak, generates a notification email about "unauthorized access to an account from a German IP" with a unique but fake link to a "security service" perfectly styled to look like a legitimate website.

Chapter 2: The Death of CAPTCHA? How AI Learns to "See" and "Think" Like Humans​

CAPTCHA (the Turing test for public use) has always been a barrier to bots. Now this barrier is crumbling.

AI-powered evasion methods:

1. Computer vision models (CNN, Vision Transformers). Specially trained neural networks recognize distorted text with exceptional accuracy (over 99%) and select images of traffic lights or bicycles. Services like 2Captcha and Anti-Captcha already use a hybrid of AI and low-cost human labor to solve CAPTCHA in real time, offering this as an API service for fraudsters.
2. Behavior and context analysis. Advanced bots don't simply solve images; they imitate human interaction with CAPTCHA elements: mouse movements with acceleration and trembling, slight pauses, and a "glance" at other page elements before clicking. Behavior analysis systems (such as Google reCAPTCHA v3) increasingly rely on this parameter, but AI is learning to fake it, too.
3. Exploiting vulnerabilities in logic. The neural network can find logical inconsistencies or use an audio version of CAPTCHA, which is often less secure.
4. "Adversarial" attacks on the CAPTCHA model itself. Researchers (and criminals) create special "noise" in images that confuse the CAPTCHA recognition algorithm but are almost undetectable to humans.

Consequences for carding: Mass automation of processes:

• Thousands of fake accounts are registered on marketplaces to post reviews or accept payments.
• Seamless verification of stolen card databases through CAPTCHA-protected websites.
• Automated DDoS attacks that bypass protection.

Chapter 3: Creating a Deep Legend: AI as a Tool for Social Engineering[​

Carders no longer need to spend hours preparing to attack a specific target (CEO, accountant). AI does it for them.

• Generating fake profiles. A neural network creates realistic photos of fictitious people (using GANs – Generative Adversarial Networks), writes posts, and generates a social media activity history. Such a profile can "warm up" trust in professional chats for months.
• Victim Communication Style Analysis. The AI analyzes correspondence (from leaked or open sources) and imitates the writing style of the person under whose guise the attack is planned (for example, to send a phishing email impersonating the CEO with an order for an urgent transfer).
• Deepfake calls. Voice AI, trained on several minutes of the victim's voice recording (for example, from public speeches or stolen voicemails), can call an employee and verbally order a funds transfer.

Chapter 4: Shadow AI Services: Fraud-as-a-Service 2.0​

A new category of services is appearing on the darknet:

1. Phishing-as-a-Service with AI: Rent a platform where you only need to specify a target, and the AI will collect data about it, generate a convincing scenario, create a phishing page, and set up the interaction chain.
2. AI helpers: Bots that assist the carder in real-time dialogue with the victim, suggesting the most convincing answers.
3. Unique content generators for scam sites: Creating descriptions for fake online stores, reviews, and "news" — all to legitimize a fraudulent platform.

Chapter 5: The Dark Side: How AI is Fighted and Can It Be Defeated?​

The paradox is that the best weapon against AI fraud is another AI.

• AI anomaly detection: Banks and email services are training neural networks to identify non-human patterns in texts (overly perfect grammar, unnatural combinations of topics, micropatterns characteristic of generative models).
• Biometric and behavioral authentication: Moving to multi-factor verification, which is more difficult to imitate (3D facial recognition with liveness analysis, behavioral analysis of typing dynamics).
• Digital Watermarking for AI Content: Developing standards where generative models silently "sign" generated content, allowing for its automatic detection.
• Legal action: The fight is not against carders, but against the creators and distributors of malicious AI models (as is the case with the creators of specialized malware).

Conclusion: The Armageddon of Trust.
The introduction of AI into carding marks the beginning of the Armageddon of digital trust. If any text, voice, or image can be generated by an attacker, then what can we rely on?

A fundamental shift is taking place: human intuition and attentiveness, once the last line of defense, are no longer a reliable defense. The battle is moving into a realm beyond ordinary perception — a war of algorithms against algorithms.

AI-powered carding is no longer just a scam. It is a large-scale psychological and technological operation to devalue reality itself, where every signal we receive — an email, a call, a message — requires verification through other, unaffected channels. The future of financial security lies not in fraud detection, but in building systems that don't initially require blind trust in content to conduct a legitimate transaction. We are entering a post-trust era, where the only truth is a cryptographically verifiable fact.