The New Face of Cybercrime: How AI Is Changing the Threat Landscape

There’s a number worth sitting with before we go anywhere else: 27 seconds. That’s the fastest recorded time it took an attacker to go from initial access to a full breakout inside a network in 2025, according to CrowdStrike’s latest Global Threat Report. Not 27 minutes. Twenty-seven seconds. The average breakout time across all attacks dropped to 29 minutes a 65% jump in speed from the year before.

Somewhere along the way, cybercrime stopped being a heist and became a production line.

The Criminal Has a New Hire, and it Never Sleeps

For most of the internet’s history, being a cybercriminal required a skill floor. You needed to know how to write code, spot a vulnerability, or at least convincingly fake being a bank’s IT department on the phone. AI has quietly removed that floor.

CrowdStrike’s data shows attacks by AI-enabled adversaries jumped 89% in a single year, and in a detail that tells you everything about where criminals are shopping for tools ChatGPT was referenced on criminal forums 550% more often than any other model. Not because criminals are building rogue superintelligences in basements. Because a general-purpose chatbot is enough to draft a flawless phishing email in a language you don’t speak, debug a malicious script, or role-play as a helpdesk technician on a practice call before doing it for real.

Fortinet’s 2026 Global Threat Landscape Report gives this new workforce a name: shadow agents. These are AI tools operating inside the criminal supply chain, and their effect isn’t necessarily making elite hackers more elite it’s making mediocre hackers dangerous. The report describes a threat ecosystem now structured like a semi-autonomous business: access brokers, botnet operators, and AI agents all offering services on demand, the way a legitimate company might use contractors instead of in-house specialists.

From “Breaking In” to “Logging In”

Maybe the most important shift in the whole landscape has nothing to do with malware at all. It’s about identity.

Flashpoint’s 2026 Global Threat Intelligence Report found more than 11 million machines infected with infostealer malware in 2025 alone, generating a haul of roughly 3.3 billion stolen credentials and cloud access tokens. Once an attacker has your session cookie or a valid login, they don’t need an exploit. They just need to look, to every system checking, like you.

This is why security researchers keep repeating a version of the same line: attackers aren’t breaking in anymore, they’re logging in. It’s a bigger deal than it sounds. A firewall is built to stop intruders. It has nothing to say about someone who already has a key.

Deepfakes and The Death of “Just Verify by Phone”

For years, the advice for avoiding a wire-transfer scam was simple: if an email looks off, call the person to confirm. That advice is aging badly.

AI-generated deepfakes and voice cloning are now standard tools in social engineering campaigns, according to PwC’s Annual Threat Dynamics 2026 report, which also flags a rise in IT helpdesk impersonation and multi-stage phishing built to survive scrutiny across several touchpoints, not just one email. The financial sector in particular is seeing deepfakes and AI-crafted phishing lures used to extort institutions and impersonate executives with a level of polish that used to require a film studio.

The uncomfortable implication: verifying identity by how someone sounds or looks on a call is no longer a reliable defense on its own. It’s a strange thing to have to say out loud in 2026, but here we are.

Ransomware, But Make it a Franchise

Ransomware hasn’t gone away it’s gone corporate. Reports this year describe Ransomware-as-a-Service (RaaS) as an industrialized, franchise-style economy: developers build the malware, affiliates run the actual break-ins, and profits split, often with the affiliate keeping the larger share. That division of labor means someone with zero technical skill can rent a sophisticated attack the way you’d rent a car.

Fortinet’s telemetry recorded more than 7,800 confirmed ransomware victims in the past year, and separate industry data pegs the year-over-year rise in ransomware victims near 389%. Meanwhile, dwell time how long attackers sit inside a network before triggering the damage has been compressed to as little as four days in some campaigns, largely because AI is automating the reconnaissance and lateral movement that used to take a human days to do by hand.

There’s also a newer, stranger trend hiding in the ransomware numbers: extortion without encryption. Rather than locking your files, some groups are simply threatening to leak stolen data, recruiting insiders, or abusing legitimate access no malware “payload” required at all, which makes the attack harder to detect with tools built to look for malicious files.

The Part Nobody Saw Coming: AI Attacking AI

Here’s the genuinely new frontier. It’s not just that criminals use AI it’s that the AI systems companies deploy have become targets themselves. CrowdStrike documented more than 90 organizations where legitimate, company-owned AI tools were manipulated into generating malicious commands or exfiltrating sensitive data. The AI wasn’t hacked in the traditional sense. It was convinced.

As companies roll out agentic AI, systems that don’t just answer questions but take actions, move money, manage infrastructure, and talk to other systems the risk profile changes entirely. Trend Micro’s 2026 predictions single this out as the defining shift of the year: an agent that hallucinates, gets manipulated, or is quietly compromised can drain an account or disrupt a supply chain without any human noticing until it’s done. The attack surface isn’t just your network anymore. It’s every decision your AI is trusted to make on your behalf.

So What Actually Helps?

None of this is a reason to panic, but it is a reason to update some assumptions that were true in 2015 and just aren’t anymore:

  • Speed is now the main variable. With breakout times measured in seconds and dwell times in days, “we’ll patch it next sprint” is a bigger gap than it used to be. Detection has to be closer to real-time, because the human-response window criminals used to give you for free is gone.

  • Identity is the new perimeter. If credentials and session tokens are the primary way in, multi-factor authentication, credential monitoring, and quickly killing stale sessions matter more than another firewall rule.

  • “Verify by call” isn’t enough anymore. Voice and video can be faked convincingly. Sensitive requests wire transfers, password resets, access changes need a second, independent channel of confirmation that doesn’t rely on recognizing a voice or face.

  • Whatever AI you deploy needs its own guardrails. If an AI agent can take real-world actions, someone needs to think adversarially about what happens when it’s tricked, not just when it’s used correctly.

  • Training has to move faster than an annual cycle. A phishing simulation from last year is teaching people to recognize last year’s attack. The tactics criminals use now shift on a timescale of weeks, not fiscal quarters.

The strange twist in all of this is that the same technology reshaping the offense is the best tool defenders have for keeping up. AI-driven detection, automated response, and behavioral monitoring are the only things that operate on the same timescale as an AI-driven attack. The 2026 threat landscape isn’t a story about robots versus humans. It’s a story about which side automates faster and for the first time, that race is genuinely even.

Facebook
Twitter
LinkedIn
WhatsApp