Hackers found a way to use ChatGPT's own website against you. A malware campaign called "LLMShare" uses ChatGPT's real domain to host a fake outage page, then redirects you to a download site designed to steal your passwords, browser sessions, and, on Mac, your cryptocurrency. Security researchers at Push Security first reported the campaign on May 29, 2026.[1]
The attack passes every safety check most people know: the fake page lives on the real chatgpt.com domain, and the download site carries a legitimate padlock. This is a different kind of phishing attack, one designed to work precisely because you do everything right.
Here's how the fake ChatGPT malware works and what to do if you've already clicked on a malicious AI chatbot download.
How hackers turned ChatGPT's own website into a malware trap
The attack starts with a Google ad. Search for "chatgpt," "chatgpt download," or common misspellings like "chatgo" or "chatgpt free," and you may see a sponsored result at the top of the page. Click it, and you land on a page hosted at chatgpt.com, OpenAI's real domain.
But the page is not what it seems.
Attackers used ChatGPT's built-in code-rendering feature to create a fake outage notice and publish it as a shared link at a URL of the form chatgpt.com/s/. The message reads: "We're experiencing high traffic right now. Our website is temporarily unavailable due to a large number of users. Download our desktop app to continue." A prominent download button sits below it.
Clicking that button takes you to openew[.]app, a site designed to look exactly like OpenAI's official ChatGPT download page: same dark theme, same branding, same download buttons for Mac and Windows. The site even displays the padlock icon in your browser.
That secure padlock icon is technically real. The .app top-level domain requires HTTPS connections by default, so the certificate is legitimate.
The site uses cloaking to stay hidden from security tools. When automated scanners and researchers visit, they see a harmless AR/VR company website with no trace of the ChatGPT impersonation. Real users in a browser see the fake download page.
Clicking the Windows download installs malware that connects to an attacker-controlled server and uses PowerShell to execute commands. Mac users receive Odyssey Stealer, a variant of a well-documented macOS malware family that steals browser passwords, cookies, Telegram sessions, and cryptocurrency wallet data. On Mac, the malware also attempts to replace legitimate Ledger and Trezor wallet apps with trojanized versions.
Researchers at Malwarebytes noted that Odyssey reportedly rents for around $3,000 per month on the malware-as-a-service market, a sign the operators expect Mac users to hold cryptocurrency worth stealing.
Push Security also detected a parallel campaign using shared claude.ai conversations designed to look like installation guides, containing malicious terminal commands for users to paste and run. Researchers at Sophos and Trend Micro documented additional fake Claude installer campaigns, each using malvertising to direct users to convincing-looking download pages that delivered malware instead.
Across every major AI platform, the delivery method follows the same pattern: a sponsored search result, a realistic-looking installer, and malware waiting on the other side.
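On a work network, the chain described above leaves a trace that can be searched for in web proxy logs: a view of a chatgpt.com/s/ shared page, a hop from chatgpt.com to a host outside OpenAI's domains, then an installer download from that host. The Python sketch below is an added example, not code from Push Security or OpenAI; it assumes a TLS-inspecting proxy that records full URLs and Referer headers, and the log records, the host allowlist and the 10-minute window are all constructed for illustration.

```python
from urllib.parse import urlparse

# Assumption: hosts this organisation accepts as official OpenAI sources.
OFFICIAL_HOSTS = {"chatgpt.com", "openai.com"}
INSTALLER_EXT = (".dmg", ".pkg", ".exe", ".msi")
WINDOW = 600  # seconds allowed between each step of the chain

# Constructed proxy records: (epoch seconds, client, URL, Referer header).
# Cross-origin Referer values carry only the origin, as browsers send by default.
SAMPLE_LOG = [
    (1000, "10.0.0.5", "https://chatgpt.com/s/abc123", "https://www.google.com/"),
    (1030, "10.0.0.5", "https://downloads.example/get", "https://chatgpt.com/"),
    (1045, "10.0.0.5", "https://downloads.example/ChatGPT-Setup.exe",
     "https://downloads.example/get"),
    (2000, "10.0.0.9", "https://chatgpt.com/s/def456", "https://chatgpt.com/"),
    (2020, "10.0.0.9", "https://chatgpt.com/download", "https://chatgpt.com/s/def456"),
    (3000, "10.0.0.7", "https://vendor.example/tool.msi", "https://vendor.example/"),
]

def is_official(host):
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def find_suspect_downloads(records):
    """Return (client, host, path) for installers fetched from a host that
    the client reached from chatgpt.com shortly after viewing a shared page."""
    shared_seen = {}  # client -> time of the last chatgpt.com/s/ page view
    reached_via = {}  # (client, host) -> time the host was entered from chatgpt.com
    alerts = []
    for ts, client, url, referer in sorted(records):
        u = urlparse(url)
        host = u.hostname or ""
        if host == "chatgpt.com" and u.path.startswith("/s/"):
            shared_seen[client] = ts
            continue
        if is_official(host):
            continue  # downloads from the vendor's own domains are not flagged
        recent = client in shared_seen and ts - shared_seen[client] <= WINDOW
        if recent and urlparse(referer).hostname == "chatgpt.com":
            reached_via[(client, host)] = ts
        entered = reached_via.get((client, host))
        if (entered is not None and ts - entered <= WINDOW
                and u.path.lower().endswith(INSTALLER_EXT)):
            alerts.append((client, host, u.path))
    return alerts
```

On the constructed log this flags only the first client; the user who went from a shared page to chatgpt.com/download and the unrelated vendor download are left alone.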
Why this attack bypasses the warning signs you know
The standard advice for avoiding online scams is to check the URL, look for the padlock, and avoid lookalike domain names. This attack beats all three.
The shared page hosting the fake outage notice lives on chatgpt.com, OpenAI's real domain. There is no lookalike. There is no misspelling. A careful user who checks the URL before clicking sees nothing wrong. The "Show code" toggle at the top of the page reveals that the outage message is actually rendered HTML and CSS, but most users never look for it.
The fake download site carries a padlock because the .app top-level domain requires HTTPS. That SSL certificate confirms the connection is encrypted. It says nothing about whether the people running the site want your credentials.
ChatGPT is not the only target. Fake Claude installer pages have been documented by security researchers at Sophos and Trend Micro. Fake DeepSeek download sites spread through fake Google Ads within weeks of the app's viral launch in early 2025.
Researchers at Malwarebytes describe AI brands as ideal lures: most users are still installing these tools for the first time, and without an established download habit, they rely on search results to find the installer. That search traffic is exactly where attackers set up shop.
IBM's 2026 X-Force Threat Intelligence Index found over 300,000 ChatGPT credential sets advertised on dark web markets, harvested by commodity infostealer malware. Those credentials give attackers access to saved conversations and stored data, and provide a foothold for broader fraud. OpenAI's February 2026 threat report confirmed that attackers have used the platform to power romance scams, fake legal services, and influence campaigns.
An All About Cookies survey of more than 1,000 U.S. adults found 77% said they had been fooled by AI-generated content online, a measure of how convincing AI-enhanced lures have become across the board.
What to do if you've downloaded ChatGPT recently
If you recently downloaded ChatGPT from anywhere other than the official site or your device's app store:
- Do not open the installed app again. If you're on Mac, do not open Ledger Live or Trezor Suite on the affected device until you've completed the steps below.
- From a separate, clean device, sign out of your important accounts everywhere: email, banking, cloud storage, GitHub, Discord, Telegram, and any cryptocurrency exchange. Use each service's "sign out of all devices" option.
- Change your passwords, starting with your primary email, then your banking account, and any account with financial access.
- If you hold cryptocurrency and use Ledger or Trezor, move funds immediately from a separate, clean device. The Mac payload may have replaced your wallet software with a trojanized version.
- Run a full scan with a reputable antivirus application. Here's our guide to the best antivirus software to get started.
- If this is a work device, contact your IT or security team before taking any other steps.
- Reinstall your operating system. The Windows malware uses PowerShell for remote commands; the Mac payload may have captured your login password. A clean reinstall is the safest recovery path.
To prevent this from happening again:
- Never download ChatGPT, Claude, or any AI tool from a sponsored search ad. Navigate directly to the official site instead.
- Bookmark the official download pages now: ChatGPT at chatgpt.com/download, or install from the Microsoft Store or Apple App Store.
- Add an ad blocker to your browser. Ad blockers prevent malicious sponsored results from appearing in your search results, removing the entry point for this type of attack.
- Check our guide to staying safe with ChatGPT for a broader overview of risks and protections.
Bottom line
This campaign works because it plays by the rules your browser was built to trust: a real domain, a real certificate, a convincing design.
The only reliable protection is to skip search results entirely for AI tool downloads and navigate directly to the official source. If you've already downloaded something you're not sure about, treat it as a potential compromise and work through the recovery steps above.