SlashNext gets 250+ media features on WormGPT and the cybercrime AI narrative

Summary

Cyberou ran the threat-research programme on the SlashNext Blog as senior security researcher, covering the emerging category of cybercrime tooling being sold on Russian-language forums and encrypted channels. The work opened in July 2023 with the discovery of WormGPT, the first malicious large language model advertised to cybercriminals, and continued through Xanthorox AI, GoIssue, and the SlashNext Phishing Intelligence Reports.

Across the SlashNext era, the programme earned 250+ documented media features. WormGPT alone was picked up by Forbes, The Hacker News, WIRED, NY Post, Infosecurity Magazine, and Security Boulevard, and was cited by the US Congress in AI security hearings. Xanthorox AI earned Scientific American coverage before the acquisition closed.

When Varonis acquired SlashNext for $150M in September 2025, the programme was retained. Research continued on the Varonis Blog under Threat Labs with the same editorial voice. The pre-acquisition SlashNext era is documented here; the Varonis era continues in the Varonis case study.

Challenge

SlashNext was an AI-native email security vendor competing in a crowded BEC and phishing category. Abnormal Security, Proofpoint, and Mimecast all had more sales reach, bigger PR retainers, and longer analyst relationships. To differentiate, SlashNext needed a threat research voice journalists would cite as a primary source on emerging cybercrime tooling, not another vendor blog.

The category itself was also new. In mid-2023, "malicious LLM" did not yet exist as a beat. Tier-1 tech press had not written about how cybercriminals were already building their own GPT derivatives, selling them by the month on cybercrime forums, and advertising specific BEC and phishing use cases. The opportunity was to own the beat before anyone else named it.

The programme had to stand up technically. WormGPT was an actual product sold on a real forum, with pricing, capability claims, and a community of early adopters, not a marketing abstraction. Editors at Forbes, WIRED, and The Hacker News would only run the story if the research showed receipts: screenshots, pricing, example output, and defensible context on the underlying model.

Approach

We ran the programme as a continuous threat research output on the SlashNext Blog, with each piece opening on the specific cybercrime tool being tracked: pricing, capability detail, and cybercrime forum screenshots as primary evidence. Defensive framing for SlashNext's email security product landed without puffery because the technical core was strong enough to stand on its own.

News-turn discipline kept the output current. When a new AI-augmented phishing tool or criminal LLM dropped on a Russian-language forum, a SlashNext Blog piece would be drafted within days, complete with the screenshots and pricing detail editors needed to run the story. WormGPT, FraudGPT, DarkBERT, GoIssue, and Xanthorox AI all followed this cadence.

Thematic coverage stacked across categories: malicious LLMs being weaponised for BEC, phishing kits lowering the technical barrier for attackers, credential theft infrastructure, and GitHub-native phishing automation. Each piece stood alone for a search-driven reader, but they reinforced a coherent SlashNext "cybercrime AI" POV that journalists started quoting by name.

Figure 1: WormGPT was the first malicious LLM sold on cybercrime forums, discovered and documented in July 2023. The research earned coverage in Forbes, WIRED, and The Hacker News, and was cited by the US Congress.

Results

250+ documented media features across the SlashNext era of the programme. The WormGPT discovery anchored the run and set the reference point for every malicious-LLM story that followed.

WormGPT: 250+ features, including Forbes, The Hacker News, WIRED, NY Post, Infosecurity Magazine, SecureWorld, Silicon Republic, Security Boulevard, Bloomberg, Axios, and ReversingLabs. Cited by the US Congress in AI security hearings as a reference point on how generative AI was being operationalised for cybercrime.

Xanthorox AI: discovered in late Q1 2025, branded in cybercrime communities as the "Killer of WormGPT." Earned Scientific American coverage for SlashNext before the acquisition closed.

GoIssue: a GitHub phishing automation tool documented on the SlashNext Blog in November 2024. Became the canonical public reference on how attackers were using GitHub profile scraping and bulk email to target developers.

SlashNext Phishing Intelligence Reports: 2024 mid-year and H2 reports documenting a 341% increase in BEC and advanced phishing attacks, and a 703% increase in credential phishing in H2 2024. Picked up by PRNewswire, Channel Futures, Security InfoWatch, and Cyber Defense Wire.

For SlashNext, Threat Labs became a reusable GTM asset: sales decks cited the WormGPT discovery, comms pasted research lines into rapid-response threads, and product marketing had a steady pipeline of technical proof points in the email-security category conversation. The programme survived the acquisition, which is the best possible outcome a content programme can have.