Wednesday, May 14, 2025
HomeCyber AttackCyber Criminals Sharing GPT-4 API Keys for Free

Cyber Criminals Sharing GPT-4 API Keys for Free

Published on

SIEM as a Service

Follow Us on Google News

Recently, a script kiddie has been banned for sharing the stolen OpenAI API keys with many users on Discord for the r/ChatGPT subreddit.

Developers can seamlessly incorporate OpenAI’s language model, GPT-4, into their applications using API keys.

Oftentimes, developers unintentionally leave their keys embedded in their code, creating an opportunity for account theft that can be exploited with minimal effort.

- Advertisement - Google News

The individuals who possess the stolen API keys can effectively deploy GPT-4 while accumulating charges for its users under the compromised OpenAI account.

Sharing GPT-4 API Keys for Free

Starting from March or even earlier, a user named “Discodtehe” has been skillfully extracting API keys from the source code shared on Replit, the software collaboration platform.

Discodtehe acquired unauthorized access to a highly valuable OpenAI account, which boasted a usage limit of $150,000.

On r/ChimeraGPT, the individual generously distributed complete unrestricted access to the GPT-4 and GPT-3.5-turbo, leading to a community of over 700 members who promptly accumulated usage charges on compromised accounts. Motherboard report says.

How the hacker obtained entry underscores a significant security concern that paid users of OpenAI should carefully evaluate.

There has been a noticeable surge in the usage of at least one stolen OpenAI API key in the past few days by “Discodtehe.”

Several screenshots were shared, depicting the progressive account usage increase over time. A recent screenshot reveals that the current month’s usage amounts to $1,039.37 out of the total allocation of $150,000.

However, Discodtehe has been extracting vulnerable API keys for extended periods. Discodtehe didn’t stop at scraping tokens; it went a step further.

According to Vice’s findings, in March, Discodtehe openly boasted about their exploit and stated:-

“I recently scraped repl.it and uncovered more than 1000 functional OpenAI API keys. Remarkably, I didn’t even conduct a comprehensive scrape; I roughly examined around half of the results.”

Discord and Reddit cannot trace the existence of “Discodtehe.” But, the cybersecurity analysts stressed the ongoing risk posed by the multitude of exposed API keys.

Stop Advanced Email Threats That Target Your Business Email – Try AI-Powered Email Security

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Microsoft Patch Tuesday May 2025 Released With the Fixes for 72 Flaws With 5 Actively Exploited 0-Day

Microsoft has released its May 2025 Patch Tuesday updates, addressing 72 security vulnerabilities across...

Ivanti Released Security Updates to Fix for the Mutiple RCE Vulnerabilities – Patch Now

Ivanti, a leading enterprise software provider, has released critical security updates addressing vulnerabilities across...

Fortinet FortiVoice Zero-day Vulnerability Actively Exploited in The Wild

A critical stack-based buffer overflow vulnerability (CWE-121) has been discovered in multiple Fortinet products,...

Ransomware Attacks Surge by 123% Amid Evolving Tactics and Strategies

The 2025 Third-Party Breach Report from Black Kite highlights a staggering 123% surge in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Ransomware Attacks Surge by 123% Amid Evolving Tactics and Strategies

The 2025 Third-Party Breach Report from Black Kite highlights a staggering 123% surge in...

Researchers Introduce Mythic Framework Agent to Enhance Pentesting Tool Performance

Penetration testing is still essential for upholding strong security procedures in a time when...

Swan Vector APT Targets Organizations with Malicious LNK and DLL Implants

A newly identified advanced persistent threat (APT) campaign, dubbed "Swan Vector" by Seqrite Labs,...