Jailbreaks used to be a hobbyist sport. The first wave of “DAN prompts” and “grandma exploits” floated around Reddit and Discord, traded for clout and screenshots. Four years later, the trade is industrial: there is a small but real underground economy where successful AI bypasses are bought, sold, and resold, with reputations tied to whether your prompt still works on the latest model release.
What the market actually looks like
Three product categories dominate. Single-shot bypass prompts are sold for $20-$200 each on Telegram channels and a handful of forum-adjacent marketplaces. They work for one specific use case (e.g., generating malware variants, producing CSAM-adjacent content, bypassing content-policy refusals) and have a half-life measured in days to weeks before the upstream provider patches them.
Subscription jailbreak feeds charge $50-$300 per month and provide a constantly-refreshed library of working bypasses across multiple model providers. The vendor’s value-add is the refresh cadence, they break the new model within hours of its release and push the new prompt to subscribers.
Custom jailbreak commissions sit at the high end. Buyers pay $1,000-$10,000 for a bespoke bypass that handles a specific operational need, a particular agent platform, a particular guardrail vendor, a particular content policy. The buyers are usually small criminal operations (phishing kit authors, scam-call script writers) or specialty content producers.
Who’s actually buying
The buyer pool is more diverse than people assume. Phishing kit authors want jailbroken models to generate convincing pretexts at scale. Scam-call script writers want unhinged dialogue with no content filtering. Disinformation operators want plausible synthetic content that doesn’t refuse. A surprising slice of the demand comes from completely lawful actors, researchers, journalists, security testers, who’d rather pay $50 a month than fight their way through a content-policy refusal every twenty minutes.
That last category complicates the moral framing. The same jailbreak feed that helps a security researcher write a credible phishing email for a sanctioned red-team engagement helps an unsanctioned phisher do the same job. The market doesn’t distinguish.
Why guardrails keep losing this race
The asymmetry is structural. The provider has to ship a single set of guardrails that work across millions of users and use cases. The attacker only has to find one phrasing that works for one task. The provider’s reaction time is measured in days; the attacker’s is measured in minutes. Even with constitutional AI, RLHF, and dedicated safety classifiers stacked on top, the bypass surface is wider than the guardrail surface, and the asymmetry hasn’t meaningfully closed since 2023.
This isn’t a complaint about AI providers. It’s a structural reality of the technology. Defenders should plan around it.
What the buyer-side economics tell us
The price points are interesting. A single-shot bypass at $50 implies the operational use is worth at least $50, usually a lot more. Subscription pricing at $200/month implies steady-state value worth multiples of that. The custom-commission tier at $5,000 is signalling specific high-value use cases where a generic bypass doesn’t cut it.
Translating that into defender language: the people building products with AI inside should assume motivated adversaries are willing to spend low-thousands of dollars to bypass your guardrails for any single high-value workflow. The defence has to be robust to that level of investment, not just to the casual jailbreak attempt.
Implications for AI product teams
Three takeaways. First, guardrails are a layer, not a defence, gate every privileged action behind deterministic checks regardless of what the model says. Second, monitor for outputs that look like successful bypasses, not just inputs that look like attempts. Third, when a working bypass for your product surfaces in the underground, treat it as a Sev-1, patch within hours, not days.
The market is small but professional. Treating it as such gets the threat modelling right.