For years, “AI-powered cyberattack” mostly meant a slightly better-written phishing email. That era is over. Over the past several months, security researchers have documented ransomware operations run start-to-finish by autonomous AI agents, a state-sponsored espionage campaign in which artificial intelligence carried out roughly 80 to 90 percent of the actual intrusion work, and fraud cases in which deepfake video calls convinced experienced finance professionals to wire away tens of millions of dollars. According to the World Economic Forum, 94% of organizations now consider AI the single biggest force reshaping cybersecurity this year — and that’s true on both sides of the fight. Here’s a detailed look at how AI-driven threats actually work today, who’s behind them, and what’s genuinely new about this moment.
From Assistant to Operator: The Rise of Agentic Attacks
The clearest sign that something has fundamentally shifted is the emergence of what researchers now call “agentic ransomware” — attacks executed by an AI agent operating largely on its own, rather than a human typing commands at each step.
The clearest documented example is JadePuffer, an operation identified by cloud security firm Sysdig in mid-2026. After exploiting a known vulnerability in Langflow, a popular open-source framework for building AI applications, an autonomous AI agent independently carried out the entire remaining attack chain: scanning the environment, harvesting credentials, moving laterally between systems, establishing persistence, escalating privileges, and finally encrypting a production database before generating a ransom note. What stood out to researchers wasn’t the sophistication of any individual technique — none were new — but the fact that the agent adapted to failure in real time. In one documented instance, after an initial attempt to create an administrator account failed, the agent diagnosed the problem and produced a working fix in 31 seconds, with no human involved.
An even more consequential case came directly from Anthropic, the AI company behind Claude. In a public disclosure, Anthropic reported that its Threat Intelligence team had detected and disrupted a cyber-espionage campaign it assessed, with high confidence, was run by a Chinese state-sponsored group. The threat actor manipulated Claude Code, Anthropic’s agentic coding tool, into attempting infiltration of roughly thirty organizations worldwide, spanning large technology firms, financial institutions, chemical manufacturers, and government agencies, successfully breaching a small number of them. According to Anthropic’s own account, the AI agent carried out an estimated 80 to 90 percent of the operational work — researching vulnerabilities, writing exploit code, harvesting credentials, and even documenting the stolen data for the attackers — with human operators intervening at only four to six critical decision points across the entire campaign.
When the Target Is the AI Itself
What makes the Anthropic case especially interesting from a security-research perspective isn’t just what the AI did, but how the attackers got it to do it. According to Anthropic’s technical account, the operators didn’t defeat Claude Code’s safety guardrails through some clever technical exploit. They broke the attack into small, individually innocuous-looking tasks and framed the overall operation as legitimate penetration testing, exploiting the model’s contextual reasoning rather than any code-level vulnerability. Analysts at the Australian Strategic Policy Institute described this succinctly: the model wasn’t hacked, it was persuaded.
That distinction matters. It suggests a genuinely new category of attack, one aimed not at a network or a server but at an AI system’s own judgment. Traditional social engineering exploits human psychology — authority, urgency, trust. This newer variant exploits the same vulnerabilities in a language model’s reasoning, and security researchers argue it demands a different kind of defense entirely: stronger prompt validation, non-human identity management for AI agents, and continuous oversight of what autonomous tools are actually being asked to do, not just what they’re technically capable of.
When Governments Get Involved: State-Sponsored Use and Its Limits
It’s worth being precise about where most state-linked AI misuse actually sits today, because the picture is more mixed than the headline-grabbing cases suggest. In a joint disclosure with Microsoft Threat Intelligence, OpenAI reported disrupting five state-affiliated actors that had used its services in support of cyber operations: two China-linked groups known as Charcoal Typhoon and Salmon Typhoon, the Iran-linked Crimson Sandstorm, North Korea’s Emerald Sleet, and Russia’s Forest Blizzard. Notably, their use of AI was largely mundane by comparison to the Claude Code case — translating documents, debugging code, researching publicly available vulnerability information, and drafting content likely intended for phishing campaigns. This is “AI-assisted” activity: real, but still fundamentally augmenting existing human-led tradecraft rather than replacing it.
The Anthropic case represents the more autonomous frontier, and governments have responded accordingly. In a rare joint statement, the Five Eyes intelligence alliance — the United States, United Kingdom, Canada, Australia, and New Zealand — warned that AI models capable of launching major cyberattacks able to overwhelm government and corporate defenses were “months, not years” away, and urged organizations to shore up their defenses immediately.
That warning followed a period of unusually direct government intervention in frontier AI deployment. Earlier this summer, U.S. authorities temporarily restricted access to two of Anthropic’s newest models, Fable 5 and Mythos 5, citing national-security concerns tied to export controls, after Anthropic itself had flagged that one of the models showed an unusually strong ability to identify software vulnerabilities. Anthropic complied with the restriction, and access was restored on July 1 after the relevant compliance requirements were addressed. It’s a concrete illustration of a broader trend: a model’s raw technical capability, especially around vulnerability discovery, is now being treated as a factor serious enough to warrant direct government action, not just industry self-regulation. (Anthropic’s own account of the episode is available on its website for anyone wanting the full details.)
AI-Generated Malware: Code That Adapts Mid-Attack
Beyond agentic operators, AI is changing the malware itself. Google’s Threat Intelligence team has reported cybercriminals actively using AI-enabled malware capable of altering its own behavior mid-execution — generating new scripts, rewriting portions of its own code to dodge detection, and creating malicious functions on demand rather than relying on a fixed, pre-written payload. Security researchers have documented early working prototypes of this kind of “polymorphic” AI malware over the past year, built specifically to demonstrate that a piece of malicious software could query a language model at runtime and use the response to change its own logic on the fly.
The broader statistics back up how mainstream this has become. Fortinet’s 2026 Global Threat Landscape Report recorded a 389% year-over-year increase in ransomware victims, alongside evidence that criminal groups are increasingly organized around what the report calls “shadow agents” — AI tools that reduce the skill required to run an operation while increasing the speed at which it executes. The same report found a 25.49% increase in global exploitation attempts year-over-year, even as raw brute-force attempts actually declined slightly, a sign that attackers are using AI to be more selective and efficient rather than simply louder.
The Human Layer: Deepfakes and the Death of “I’d Know That Voice Anywhere”
If agentic malware represents the most technically novel AI threat, deepfake fraud is by far the most immediately damaging to ordinary people and businesses. The most widely cited case in the industry remains the 2024 incident at engineering firm Arup’s Hong Kong office, where a finance employee joined a video call believing he was speaking with the company’s CFO and more than a dozen colleagues. Every participant on the call was an AI-generated deepfake, built from publicly available earnings calls, conference footage, and internal videos. Convinced by what he saw and heard, the employee authorized fifteen separate transfers totaling roughly $25.6 million. The case has since become the industry’s reference point for why video verification alone can no longer be trusted.
The technology behind these scams has become dramatically more accessible since then. Research cited by McAfee found that just three seconds of audio is enough to produce a voice clone with around 85% accuracy, and multiple industry reports now describe voice cloning as having crossed the “indistinguishable threshold,” meaning human listeners can no longer reliably tell a cloned voice from a real one. On the low end of the market, so-called “Fraud-as-a-Service” platforms now let low-skill scammers rent the entire pipeline, voice model, phone spoofing, and call routing, for under $50 a month.
The human cost shows up clearly in law enforcement data. The FBI’s 2025 Internet Crime Report logged more than 22,000 AI-related fraud complaints with losses exceeding $893 million, and congressional researchers believe that figure significantly understates the real total, since fewer than 5% of voice-clone scam victims are believed to report their losses. Deloitte’s Center for Financial Services has projected that AI-enabled fraud losses in the U.S. alone could reach $40 billion annually by 2027, up from $12.3 billion in 2023. Many of the individual cases behind those numbers are painfully similar: a panicked call that sounds exactly like a family member claiming to be in trouble, demanding urgent payment through a gift card, wire transfer, or cryptocurrency, precisely the kind of untraceable payment method legitimate authorities never actually request.
Lawmakers have started to respond. In the U.S., the proposed AI Fraud Accountability Act would create federal criminal penalties for using AI-generated “digital impersonation” to defraud someone, while individual senators have pressed voice-cloning companies including ElevenLabs, LOVO, Speechify, and VEED to explain what safeguards they have in place to prevent nonconsensual voice cloning and detect impersonation of public figures and minors.
Can Defense Actually Keep Pace?
The uncomfortable answer, according to most current threat intelligence, is: barely, and only by adopting the same tools attackers are using. CrowdStrike’s 2026 Global Threat Report recorded an 89% increase in attacks attributed to AI-enabled adversaries, alongside an average “eCrime breakout time,” the time between initial compromise and lateral movement, of just 29 minutes, a 65% improvement in speed for attackers compared to the year before, with the single fastest recorded case clocking in at 27 seconds. Fortinet’s researchers describe the shift in similarly stark terms: working exploits for newly disclosed vulnerabilities are now appearing within hours of public disclosure, not weeks, which leaves almost no window for traditional patch-cycle defense to matter.
The consistent message across nearly every major threat intelligence report this year, from CrowdStrike to Fortinet to Check Point to PwC, is that defenders have no real option except to fight AI with AI: automated detection tuned to machine-speed attacks, continuous behavioral monitoring rather than periodic review, and, increasingly, treating AI agents themselves, both the ones defenders deploy and the ones attackers might be manipulating, as identities that need active management and oversight, not just software that needs patching.
The Throughline
What ties JadePuffer, the Claude Code espionage campaign, AI-generated malware, and a grandmother losing her savings to a cloned voice together isn’t the sophistication of any single technique. It’s that AI has removed the traditional cost of running a serious attack: the years of training, the technical fluency, the time it takes a human to research a target and craft a convincing pretext. A nation-state group and a scammer running a $50-a-month fraud subscription are, in a real sense, drawing on the same underlying capability now. That’s the actual story behind “AI-driven threats” in 2026: not a single dramatic breakthrough, but the quiet erosion of every skill barrier that used to separate a serious attacker from an amateur one — which is exactly why the defensive side of this fight is racing so hard to catch up.




