Artificial intelligence (AI) is speeding up cyberattacks and widening the areas companies must defend, according to the 2026 Global Threat Report of CrowdStrike, a cybersecurity company.
The report showed that AI-enabled adversaries increased operations by 89% year over year in 2025. At the same time, the average eCrime breakout time, or the time it takes an attacker to move from initial access to other systems, dropped to 29 minutes. That is 65% faster than in 2024. The fastest recorded breakout happened in 27 seconds. In one case, data theft began within four minutes of entry.
“This is an AI arms race,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”
Based on frontline intelligence tracking more than 280 named threat groups, the report found that attackers are using AI across reconnaissance, credential theft, and evasion. Intrusions increasingly move through trusted identities, software-as-a-service applications, and cloud infrastructure, making malicious activity look like normal user behavior and reducing the time defenders have to respond.
AI systems are also becoming direct targets.
Attackers injected malicious prompts into generative AI tools at more than 90 organizations to produce commands for stealing credentials and cryptocurrency. They also exploited weaknesses in AI development platforms to maintain access and deploy ransomware. In some cases, attackers set up fake AI servers that appeared to be trusted services to capture sensitive data.
Nation-state and criminal groups are both expanding their use of AI.
Russia-linked group FANCY BEAR deployed large language model-enabled malware known as LAMEHUG to automate reconnaissance and document collection. Cybercriminal group PUNK SPIDER used AI-generated scripts to speed up credential dumping and erase forensic evidence. North Korea-linked FAMOUS CHOLLIMA used AI-generated personas to scale insider operations.
China-linked activity rose 38% in 2025, with attacks on the logistics sector increasing 85%. Of the vulnerabilities exploited by China-linked actors, 67% provided immediate system access, and 40% targeted internet-facing edge devices.
Incidents linked to North Korea increased more than 130%, as FAMOUS CHOLLIMA activity more than doubled. PRESSURE CHOLLIMA was tied to a $1.46 billion cryptocurrency theft.
The report also found that 42% of vulnerabilities were exploited before public disclosure, showing continued use of zero-day flaws for initial access, remote code execution, and privilege escalation. Cloud-focused intrusions rose 37% overall, including a 266% increase from state-linked actors targeting cloud environments for intelligence gathering.