Artificial intelligence is accelerating the pace of cyberattacks, according to CrowdStrike’s 2026 Global Threat Report, which reveals that the average “breakout time” for attackers has plummeted to just 29 minutes. This represents a staggering 65% increase in speed from the previous year, with the most rapid case recorded at a mere 27 seconds. These findings underscore how AI is not only equipping cybercriminals with advanced tools but also exposing new vulnerabilities within organizations.
The report, which analyzes threat activity from over 280 identified adversaries, indicates a significant evolution in the tactics used by cybercriminals. In 2025, attackers who gained initial access to a system began moving laterally within networks with unprecedented speed. In one incident, data was exfiltrated within four minutes of the breach.
One troubling trend highlighted in the report is the exploitation of legitimate generative AI tools. Attackers have manipulated these systems by inputting harmful prompts, which in turn generate commands capable of stealing login credentials and cryptocurrency. Some adversaries have also discovered weaknesses in AI development platforms, deploying ransomware and establishing counterfeit AI servers that mimic trusted services to capture sensitive information. This shift signifies that AI systems have transitioned from merely being tools for employees to becoming integral components of the attack surface.
The rise in AI-driven malicious activity is striking, with such incidents surging by 89% year-over-year. Cybercriminals and state-sponsored groups are increasingly leveraging AI for tasks ranging from network scanning to credential dumping and obfuscating their tracks. These attacks often navigate through trusted user accounts and SaaS applications, blending seamlessly into legitimate traffic and diminishing the response window for security teams.
State actors scale up
Nation-state actors have also intensified their reliance on AI. For example, the Russian-linked group FANCY BEAR has deployed LAMEHUG, malware integrated with large language models, to automate reconnaissance and document collection. Similarly, the eCrime group PUNK SPIDER utilized AI-generated scripts to expedite credential dumping and eliminate forensic trails. Activity linked to North Korea, particularly by the group FAMOUS CHOLLIMA, has surged, with incidents more than doubling. The group PRESSURE CHOLLIMA notably executed a $1.46 billion cryptocurrency theft, marking it as the largest documented financial heist to date.
Additionally, China-linked activity increased by 38% in 2025, predominantly targeting logistics firms, which saw an 85% uptick in attacks. Two-thirds of the vulnerabilities exploited by these actors allowed immediate system access, with 40% directed at internet-facing edge devices.
The report also notes a concerning rise in zero-day exploitation, with 42% of vulnerabilities being exploited before public disclosure. These flaws have been leveraged for initial access, remote code execution, and privilege escalation. Cloud-focused intrusions experienced a 37% increase overall, while attacks targeting cloud environments by state-linked actors surged by 266%, often for intelligence-gathering purposes.
Another alarming trend involves the dramatic increase in fake CAPTCHA pages, which have risen by 563%. Instead of verifying that a visitor is human, these deceptive pages lure victims into downloading malware. This shift indicates a potential pivot away from traditional tactics like fake browser update prompts, as cybercriminals increasingly adopt these CAPTCHA traps.
The report emphasizes that 2025 has been characterized by “the evasive adversary,” where attackers exploit trusted relationships—such as supply chain partners, legitimate software, and even internal systems—to infiltrate networks and evade detection. Adam Meyers, head of counter adversary operations at CrowdStrike, stated, “This is an AI arms race. Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”
The findings from CrowdStrike highlight a growing urgency for organizations to adapt to the rapid evolution of cyber threats. As AI continues to permeate both offensive and defensive strategies in cybersecurity, the pressure on security teams will only escalate, necessitating faster responses to neutralize threats before they can inflict harm.