AI-powered hacking has exploded into an industrial-scale threat in just three months, according to a new report from Google's threat intelligence group. The findings add to an intensifying global discussion about how the newest AI models are becoming extremely powerful tools for exploiting vulnerabilities in software systems.
Rapid Escalation of AI-Driven Attacks
The report finds that criminal groups, as well as state-linked actors from China, North Korea, and Russia, appear to be widely using commercial models—including Gemini, Claude, and tools from OpenAI—to refine and scale up their attacks. John Hultquist, the group's chief analyst, stated: 'There's a misconception that the AI vulnerability race is imminent. The reality is that it's already begun. Threat actors are using AI to boost the speed, scale, and sophistication of their attacks. It enables them to test their operations, persist against targets, build better malware, and make many other improvements.'
Recent Developments in AI Cybersecurity
Last month, AI company Anthropic declined to release one of its newest models, Mythos, after asserting it had extremely powerful capabilities and posed a threat to governments, financial institutions, and the world generally if misused. Specifically, Mythos had found zero-day vulnerabilities, the term for flaws unknown to developers, in 'every major operating system and every major web browser'. Anthropic said these discoveries necessitated 'substantial coordinated defensive action across the industry.'
Google's report found, however, that a criminal group was recently on the verge of leveraging a zero-day vulnerability for a 'mass exploitation' campaign, and this group appeared to be using an AI large language model (LLM) that was not Mythos. The report also found that groups were 'experimenting' with OpenClaw, an AI tool that went viral in February for offering users the ability to hand over large chunks of their lives to an AI agent with no guardrails and a tendency to mass-delete email inboxes.
Expert Perspectives on AI in Cybersecurity
Steven Murdoch, professor of security engineering at University College London, noted that AI tools could help the defensive side in cybersecurity as well as hackers. 'That's why I'm not panicking. In general, we have reached a stage where the old way of discovering bugs is gone, and it will now all be LLM-assisted. It will take a little while before the consequences of this get shaken out,' he said.
However, if AI is helping ambitious hackers reach their productivity goals, doubts remain about whether it is bolstering the broader economy. The Ada Lovelace Institute (ALI), an independent AI research body, has cautioned against assumptions of a multibillion-pound public sector productivity boost from AI. The UK government has estimated a £45bn gain in savings and productivity benefits from public sector investment in digital tools and AI.
Concerns Over Productivity Estimates
In a report published on Monday, the ALI said most studies of AI-related productivity increases refer to time savings or cost reductions but do not look at outcomes such as better services or improved worker well-being. Other problematic aspects include whether projections of AI-related efficiency in a workplace really succeed in the real world; headline figures that obscure varying results for using AI in different tasks; and a failure to account for the impact on public sector employment and service delivery.
'The productivity estimates shaping major government decisions about AI sometimes rest on untested assumptions and rely on methodologies whose limitations are not always appreciated by those using figures in the wild,' said the ALI report. 'The result is a gap between the confidence with which productivity claims are presented and the strength of the evidence behind them.'
The report's recommendations include encouraging future studies to reflect uncertainty over the impact of the technology, ensuring government departments measure the impact of AI programmes 'from the start', and supporting longer-term studies that measure productivity gains over years rather than weeks.



