AI Speeds the Attack Process
The industrialization of cybercrime, which began in the 1990s, has now reached a new peak with the integration of artificial intelligence. As criminal enterprises mimic legitimate business efficiencies, AI tools have become force multipliers, reducing the time and skill required to launch attacks. FortiGuard's 2025 Global Threat Landscape Report, based on telemetry from millions of sensors, reveals that time-to-exploit has collapsed from nearly a week to just 24-48 hours, and in some cases, exploitation begins within hours of public disclosure.
Derek Manky, Chief Security Strategist at FortiGuard Labs, notes that malicious actors are leveraging agentic AI to execute more sophisticated attacks. Tools like WormGPT, FraudGPT, HexStrike AI, APEX AI, and BruteForceAI are now widely available on underground markets. WormGPT and FraudGPT are used to craft compelling phishing campaigns, generating malicious code and conducting social engineering at scale. HexStrike AI automates reconnaissance and attack-path generation, while APEX AI simulates advanced persistent threat (APT) tactics, including automated OSINT and kill-chain modeling. BruteForceAI performs multi-threaded attacks with human-like behavior patterns to bypass login forms.
These AI-powered tools do not create new vulnerabilities but drastically reduce the time needed to exploit existing ones. This acceleration is contributing to the collapse of predictive security, as defenders struggle to keep pace with machine-speed operations.
Automation Finds Vulnerabilities
Cybercriminals rely on automation to identify targets. Standard commercial tools like Qualys are used to locate vulnerable software versions and misconfigurations, while Nmap performs port scanning and service fingerprinting. Nessus and OpenVAS are employed for vulnerability enrichment. This automated reconnaissance enables attackers to map global attack surfaces continuously, maintaining operational readiness.
The efficiency of this process is amplified by data sharing within cybercriminal communities. Infostealers such as RedLine, Lumma, and Vidar harvest credentials, session tokens, and other sensitive data. This stolen data is then sold by access brokers, who provide validated paths into enterprise networks. The most frequently advertised access types include corporate VPNs and RDP connections. The report notes that databases, credentials, and attacker tooling are continuously advertised and exchanged, forming a supply chain that feeds downstream intrusion activity.
Data Sharing Fine-Tunes the Cybercrime Business
FortiGuard reports that in 2025, 656 vulnerabilities were actively discussed on darknet forums. Of these, 344 (52.44%) had publicly available proof-of-concept (PoC) exploit code, 176 (26.83%) had working exploit code, and 149 (22.71%) had both PoC and working exploit code (the three categories overlap, which is why they sum to more than 656). This availability allows even low-skill attackers to leverage sophisticated exploits. The report emphasizes that CVEs become 'industrial' when they are packaged with scripts, modules, guides, and operational playbooks, enabling repeatable exploitation rather than bespoke intrusions.
Ransomware remains the most lucrative and feared attack type. In 2025, there were 7,831 confirmed victims globally. The most active ransomware groups were Qilin, Akira, and Safepay. The United States experienced the highest number of attacks with 3,381 victims, followed by Canada and Europe. The ease of monetization drives continued investment in ransomware operations, with groups often operating as franchises.
Defending Against Industrialized Cybercrime
The speed and scale of industrialized cybercrime demand a proportional defensive response. FortiGuard recommends prioritizing identity-centric detection, exposure reduction, and automation to match the machine-speed operations of attackers. Traditional security approaches that rely on manual analysis are no longer sufficient. Defenders must deploy AI and automation to detect anomalies, respond to incidents, and anticipate attack vectors in real time.
To counter these threats, FortiGuard has engaged in several international disruption efforts over the past year, including INTERPOL Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative with the World Economic Forum, collaboration through the Cyber Threat Alliance (CTA), and a new Cybercrime Bounty program launched with Crime Stoppers International. These partnerships aim to dismantle the infrastructure and supply chains that support industrial cybercrime.
As AI continues to advance, the gap between attacker and defender capabilities will widen unless organizations invest in proactive defense strategies. The integration of AI into both offense and defense is inevitable, and the race is now on to secure digital ecosystems against increasingly automated and adaptive threats.
Source: SecurityWeek News