AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to Hours

May 21, 2026  Twila Rosenbaum

AI Speeds the Attack Process

Industrialized cybercrime now delivers attacks with greater scale, speed, and success than ever before. The criminal ecosystem has evolved to mimic legitimate business practices, emphasizing efficiency and return on investment. Central to this transformation is the use of artificial intelligence and automation, which allows attackers to operate at machine speed and with minimal human intervention.

According to FortiGuard's latest Global Threat Landscape Report, malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks. Tools such as WormGPT, FraudGPT, HexStrike AI, APEX AI, and BruteForceAI are now widely available on underground forums. These AI-powered tools serve as force multipliers, reducing the skill and time required to launch attacks. FraudGPT and WormGPT, for example, are used to craft convincing phishing messages and generate malicious code at scale, bypassing the guardrails present in legitimate AI models.

HexStrike AI automates reconnaissance and attack-path generation, while APEX AI simulates advanced persistent threat (APT) attacks, including automated open-source intelligence and kill-chain generation. BruteForceAI identifies login forms and executes multi-threaded attacks with human-like behavior. These tools do not create new vulnerabilities but dramatically reduce the time needed to exploit existing ones, contributing to the collapse of predictive security.

Automation Finds the Vulnerabilities

Attackers also rely on automation to discover vulnerabilities. Standard commercial tools like Qualys are used to locate vulnerable software versions and misconfigurations. Nmap performs port scanning and service fingerprinting, while Nessus and OpenVAS provide vulnerability enrichment. This automated scanning allows criminals to map the global attack surface rapidly and continuously.

The report notes that the global attack surface is already mapped, constantly refreshed, and maintained in an operational readiness state by cybercriminal networks. This means that as soon as a new vulnerability is disclosed, attackers can immediately scan for and target vulnerable systems. The efficiency of this process is amplified by AI, which can analyze scan results and prioritize the most promising targets without human delay.

Data Sharing Fine-Tunes the Cybercrime Business

A key component of industrialized cybercrime is data sharing. Access to targets is often already available on underground markets. Databases, credentials, validated access paths, and attacker tooling are continuously advertised and exchanged, forming an upstream supply chain that feeds downstream intrusion activity. This data is primarily obtained via infostealers such as RedLine, Lumma, and Vidar, which harvest credentials from infected systems.

Access brokers then sell validated access into enterprises, with corporate VPNs and RDP being the most frequently advertised access types. FortiGuard reports that 656 vulnerabilities were actively discussed on the darknet in 2025. Of these, 344 had publicly available proof-of-concept exploit code, 176 had working exploit code, and 149 had both. When vulnerabilities are packaged with scripts, modules, guides, and operational playbooks, exploitation becomes a repeatable industrial process rather than a bespoke intrusion.

The Effect of Industrialization

The primary effect of this industrialization is the collapse of time-to-exploit. Where once it averaged nearly a week, now it is down to 24 to 48 hours for most critical vulnerabilities, and in some cases exploitation begins within hours of public disclosure. As AI accelerates reconnaissance, weaponization, and execution, it is only a matter of time before hours or even minutes become the norm across the board.

Ransomware remains the most monetizable attack type. The report notes that globally there were 7,831 confirmed victims in 2025. The three most active ransomware groups were Qilin, Akira, and Safepay. The most targeted geographic areas were the United States (3,381 victims), Canada, and Europe. These groups leverage the same AI and automation tools to execute their attacks, often using double extortion techniques that combine data encryption with data theft to increase pressure on victims.

Defending Against Industrialized Cybercrime

Defending against this new breed of cybercrime requires a similar level of automation and AI integration. FortiGuard specifically recommends prioritizing identity-centric detection, exposure reduction, and automation to match the machine-speed operations of attackers. Organizations must deploy AI-driven security tools that can analyze vast amounts of telemetry data in real time, identify anomalous behavior, and initiate automated response actions.

Additionally, reducing the attack surface through proactive vulnerability management and continuous monitoring is essential. The report also highlights the importance of collaboration. FortiGuard has engaged in several international cybercrime disruption efforts over the past year, including INTERPOL Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative with the World Economic Forum, and a new Cybercrime Bounty program launched in partnership with Crime Stoppers International. Such public-private partnerships are critical to dismantling the infrastructure that supports industrialized cybercrime.

As the cybercriminal business model becomes more efficient, defenders must evolve their strategies. The use of AI and automation is no longer optional—it is a necessity. Organizations that fail to adopt these technologies risk being overwhelmed by attackers who can exploit vulnerabilities within hours of disclosure. The race between offense and defense will be defined by speed, scale, and the intelligent application of machine-driven capabilities.


Source: SecurityWeek News

