CrowdStrike has released its annual Global Threat Report, revealing that cyber attacks are accelerating and increasingly leveraging widely available artificial intelligence tools. The report indicates that the average eCrime breakout time fell to 29 minutes in 2025, 65% faster than the prior year. The fastest recorded breakout took just 27 seconds, with some data exfiltration efforts commencing within four minutes of initial access. These findings illustrate a significant transformation in the tactics employed by cybercriminals.
The report highlights that AI tools are not only being utilized for reconnaissance and credential theft but also for evading detection. Activity attributed to AI-enabled adversaries surged by 89% year-on-year. Moreover, attackers have begun to target AI systems directly, injecting malicious prompts into generative AI tools across more than 90 organizations to create commands for stealing credentials and cryptocurrency. Notably, vulnerabilities in AI development platforms have been exploited to maintain persistence and deploy ransomware.
Discussion surrounding mainstream AI tools has proliferated in criminal forums, with references to ChatGPT increasing by 550% compared to mentions of other models. This trend suggests that cybercriminals are actively investigating how to utilize these common tools while seeking ways to bypass their inherent safeguards.
CrowdStrike is currently monitoring 281 nation-state and eCrime groups, having identified 24 new adversaries in 2025 alone. The report recorded a staggering 563% increase in incidents involving fake CAPTCHA lures and a 141% rise in spam emails. Additionally, incidents linked to North Korea rose by over 130%. State-sponsored cyber activity remains a dominant concern, with China-linked operations increasing by 38% in 2025, particularly within the logistics sector, which saw an 85% uptick in targeting.
Of the vulnerabilities exploited by China-linked actors, 67% granted immediate system access, and 40% were aimed at internet-facing edge devices. North Korea-linked operations, particularly from the group known as FAMOUS CHOLLIMA, also intensified; their activity more than doubled, contributing to a broader increase in incidents associated with the Democratic People’s Republic of Korea. The report highlights the alleged cryptocurrency theft involving another group, PRESSURE CHOLLIMA, amounting to USD 1.46 billion, marking it as the largest single financial heist ever documented.
Cloud environments and undisclosed software vulnerabilities were significant themes in the report. It found that 42% of the vulnerabilities were exploited prior to public disclosure, with attackers employing zero-day techniques for initial access, remote code execution, and privilege escalation. Overall, cloud-focused intrusions rose by 37%, including a 266% increase among state-linked actors targeting cloud environments for intelligence collection. This trend reflects a broader transition towards identities, software-as-a-service applications, and cloud infrastructure, where malicious activities can seamlessly blend into normal user behaviors.
The report also provides specific examples of AI utilization by various groups. The Russia-linked faction, FANCY BEAR, deployed LLM-enabled malware dubbed LAMEHUG to automate reconnaissance and document collection processes. Meanwhile, the eCrime actor PUNK SPIDER leveraged AI-generated scripts to expedite credential dumping and erase forensic evidence. FAMOUS CHOLLIMA was also noted for employing AI-generated personas to scale insider operations effectively.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, emphasized that the reduction in breakout time is a pivotal indication of how cyber intrusions have evolved. “This is an AI arms race,” Meyers stated. “Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”
As the landscape of cyber threats continues to evolve with the integration of AI technologies, organizations must remain vigilant and adaptive to counter these rapidly changing tactics. The findings underscore the need for enhanced cybersecurity measures and collaborative efforts to safeguard against a new generation of cyber adversaries.