AI-agent cyberattacks are no longer a lab concern: attackers are using autonomous workflows to scout targets, draft code, triage stolen data, and speed up intrusion steps that used to need more human time. The practical risk is acceleration, not magic. In 2025, Anthropic said one China-linked operation used Claude Code for roughly 80–90% of tactical work against about 30 targets, with humans still making key decisions.
AI-agent cyberattacks: what has actually changed?
This is an informational piece: it covers how AI agents are being weaponized, how real the threat is, and what defenders can do without panic. The short version is that agentic systems turn AI from a chat box into an operator that can plan, call tools, remember context, and iterate across a campaign.
Traditional AI-assisted hacking might mean asking a model to rewrite a phishing email or explain a vulnerability. Agentic cyber activity is different. The agent can chain tasks: enumerate assets, summarize exposed services, suggest next steps, sort credentials, and prepare reports for the human running the operation.
Anthropic’s 2026 analysis of 832 accounts banned for malicious cyber activity between March 2025 and March 2026 is one of the better public datasets. It found that 560 accounts, or 67.3%, used AI for malware-related preparation. That doesn’t mean 560 successful intrusions. It means misuse is broad enough to stop treating it as anecdotal.
A useful comparison: if an analyst spends 10 minutes reviewing each suspicious host across 30 targets, that’s five hours of triage before lunch. If an agent drafts the first-pass assessment in two minutes per host and a human spends three minutes reviewing each one, the same task falls to about two and a half hours. Scale is the point. So is fatigue reduction for the attacker.
The Claude Code case and the 80–90% claim
In 2025, Anthropic reported disrupting a China state-sponsored cyber-espionage campaign it designated GTG-1002. According to the company, the operation used Claude Code in an agentic workflow against roughly 30 targets in technology, finance, chemical manufacturing, and government.
The headline figure was stark: Anthropic said AI performed about 80–90% of tactical operations, including reconnaissance, vulnerability research, credential handling, lateral-movement support, and data analysis. Humans, however, still intervened at key decision points. That detail matters. Fully autonomous cyber campaigns make better headlines, but most real abuse still looks like human-led orchestration with machine-speed staff work.
Some experts questioned whether the case deserved to be called the first AI-orchestrated cyberattack, and that skepticism is healthy. Vendors have incentives to dramatize what they stop. Even so, the described pattern matches what defenders are starting to see: more automation in the boring middle of an attack, where persistence and repetition matter more than genius.
If you want the background on that reported espionage operation, DualMedia has a focused breakdown of the AI-driven cyber espionage case. Read it as a warning about workflow, not as proof that humans have left the loop.
Where hackers get the most value from agents
Attackers don’t need a science-fiction robot hacker. They need a system that reduces waiting, organizes findings, and makes low-skill work passable. Honestly, that’s enough to cause trouble.
Anthropic’s banned-account dataset mapped AI-enabled activity to MITRE ATT&CK and found a narrowing skill gap. Low-skill actors used about 16 distinct ATT&CK techniques on average, compared with about 20 for the most skilled actors. That four-technique difference is smaller than many security teams would like.
The most valuable agentic uses are not always the flashiest ones. They are the repeatable chores that help an operator move faster without fully understanding each step.
- Reconnaissance triage: summarizing exposed domains, services, leaked credentials, and public documentation into target notes.
- Vulnerability research support: explaining advisories, comparing software versions, and drafting test plans, even though none of that guarantees a working exploit.
- Credential handling: sorting, labeling, and checking the context of stolen or phished material.
- Malware preparation: helping with scaffolding, obfuscation ideas, or packaging, which is why the 67.3% malware-related preparation figure is concerning.
- Data analysis after access: classifying documents, finding high-value files, and turning messy exfiltrated data into leverage.
There’s a pitfall many board-level briefings miss: agent speed can make alerts look less suspicious individually. A login, a file listing, a service query, a short script. Nothing cinematic. The weirdness appears in the tempo and coordination across systems.
Numbers that put the risk in perspective
AI-agent cyberattacks land inside a threat environment that was already getting faster. CrowdStrike’s 2026 Global Threat Report said average eCrime breakout time fell to 29 minutes in 2025, with the fastest observed breakout at 27 seconds. Breakout time measures how quickly an intruder moves beyond the initial compromised machine.
Microsoft’s Digital Defense Report 2025 also identified increased AI use by threat actors, infostealer growth, cybercrime-as-a-service, and nation-state activity as major themes. Those categories feed each other. Infostealers supply credentials. Cybercrime services package access. AI helps more actors process what they bought or stole.
Here is a compact view of the public figures that matter most for defenders in 2026.
| Source | Year covered | Reported figure | Why it matters |
|---|---|---|---|
| Anthropic malicious-use analysis | 2025–2026 | 832 banned accounts analyzed; 560 used AI for malware-related preparation | Shows broad abuse beyond isolated demos |
| Anthropic GTG-1002 report | 2025 | Roughly 30 targets; AI used for about 80–90% of tactical operations | Shows agentic workflows in espionage, with human control points |
| Anthropic MITRE mapping | 2025–2026 | Low-skill actors averaged about 16 ATT&CK techniques; skilled actors about 20 | Suggests AI narrows operational skill gaps |
| CrowdStrike Global Threat Report | 2025 | Average eCrime breakout time of 29 minutes; fastest observed at 27 seconds | Shows why machine-speed response matters |
| Cognyte LUMINAR report announcement | 2025 incidents, reported 2026 | More than 2,300 cyber incidents analyzed using generative-AI-assisted threat intelligence | Indicates AI is also shaping defensive analysis |
One counter-argument deserves space: most attackers still fail often. Agents hallucinate, misread context, trip controls, and generate noisy artifacts. But failure is cheap when the system can try variations quickly, and cheap failure is exactly what changes the economics of cybercrime.
Autonomous red teams and the uncomfortable dual-use problem
Defensive teams also want agents. In March 2026, Assail announced Ares, an autonomous red-team platform described as using a 14-billion-parameter offensive-security model and up to 100 coordinated agents per target. That claim came from a company announcement, so treat it as reported product positioning, not independently verified performance.
The defensive logic is sound anyway. If attackers can use agentic recon and attack-chain simulation, defenders need controlled ways to test against similar assumptions. The uncomfortable part is obvious: tooling that validates defenses can also teach adversaries what matters.
Academic work in 2026 on “Highly Autonomous Cyber-Capable Agents” defined future systems as agents able to conduct multi-stage campaigns without meaningful human direction. Another 2026 paper on agentic AI runtime supply chains treated the agents themselves as attack surfaces, including tool misuse, runtime supply-chain compromise, and self-propagating “Viral Agent Loop” risks.
For executives tracking vendors, the security market is already shifting toward this problem. DualMedia’s coverage of cybersecurity startups watched by venture capitalists is useful context, as is its look at public cybersecurity companies positioned around cloud, identity, and detection.
Why identity becomes the new blast radius
AI-agent cyberattacks are not only about malware. They’re also about permissions. When an agent can read email, query repositories, open tickets, call APIs, or move files, it becomes a software identity with reach.
OWASP’s Top 10 for Agentic Applications 2026 covers planning, tool use, identity, supply chain, code execution, memory, inter-agent communication, cascading failures, human–agent trust, and rogue agents. That list is a practical map of where failures will happen. The identity sections are especially serious because many organizations still grant broad access to automation accounts and then forget them.
Cisco announced 2026 controls aimed at the agentic era, including agent discovery, agentic IAM in Duo, MCP policy enforcement, and adaptive risk protection for agent interactions with enterprise systems. The product names may change, but the direction is right: you need to know which agents exist, what tools they can call, and whether their behavior fits the user, system, and business context.
Machine-driven access also exposes weaknesses in existing MFA assumptions. For a related example of why authentication controls can disappoint in practice, see DualMedia’s analysis of Microsoft 365 MFA limitations. AI doesn’t erase those problems; it can compress the time attackers have to exploit them.
How defenders should respond now
Start with the controls that make agentic abuse expensive. You don’t need to buy every 2026-branded AI security product this quarter. You do need visibility into identities, APIs, automation, and unusual tempo.
Security teams should treat agents as actors, not documents. A prompt is not just text when it can trigger a tool call, write code, or retrieve sensitive memory. That mindset change is more important than most dashboards.
Practical steps include logging agent actions with the same seriousness as human admin actions, applying least privilege to tool access, isolating agent runtimes, and requiring approvals for high-risk operations. Test for cascading failure too. If one agent misclassifies a request, can three downstream systems accept the bad output without challenge?
Zero trust needs more context for autonomous interactions. TechRadar commentary in June 2026 made that point around adaptive controls for machine-driven agent activity, and it matches what practitioners are seeing. Static allowlists age badly when agents can switch tasks, data sources, and tools within one workflow.
For personal and small-business readers, the basics still count. Secure networks, patched devices, and cautious account recovery settings won’t stop state-backed operators alone, but they remove easy paths. DualMedia’s guide to securing your internet connection covers the unglamorous layer whose absence is still where many incidents begin.
The strongest near-term defense is boring by design: inventory agents, restrict tools, monitor behavior, and rehearse response at machine speed. At this stage, buying an “AI firewall” without knowing your automation accounts is like putting a lock on the front door while the delivery entrance stays open.
FAQ
Are AI agents already being used in real cyberattacks?
Yes. Anthropic reported in 2025 that the China-linked GTG-1002 campaign used Claude Code in an agentic workflow against roughly 30 targets, with AI handling about 80–90% of tactical operations and humans intervening at key points.
What makes AI agents different from normal hacking tools?
A normal tool performs a defined function. An AI agent can plan, call tools, retain context, evaluate outputs, and choose follow-up steps, which makes it more useful for multi-stage cyber activity.
Can AI agents launch fully autonomous cyberattacks today?
Public evidence in 2026 points more toward human-directed autonomy than fully independent campaigns. Academic work warns that highly autonomous cyber-capable agents could lower barriers further, but real-world operations still appear to rely on human decisions for sensitive steps.
How should companies detect AI-agent cyberattacks?
Look for unusual tempo, coordinated low-level actions across systems, abnormal API usage, and automation accounts behaving outside their usual role. Detection should combine identity telemetry, endpoint logs, cloud activity, and tool-call records.
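A minimal version of this detection logic, and of the tempo-and-coordination pattern described earlier in the article, written as an added example for this piece (not code from any vendor or source the article cites): it parses a few constructed log events, flags an identity that touches several systems inside one short window, and flags automation accounts acting on systems outside an assumed role baseline. The log format, account names, thresholds, and baseline are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): "timestamp principal action system".
# Each event alone looks mundane; the signal is one account fanning out fast.
SAMPLE_EVENTS = """\
2026-03-02T09:00:01Z svc-ticket-bot login         idp
2026-03-02T09:00:04Z svc-ticket-bot list_files    fileshare
2026-03-02T09:00:07Z svc-ticket-bot query_service cmdb
2026-03-02T09:00:09Z svc-ticket-bot run_script    jumphost
2026-03-02T09:00:12Z svc-ticket-bot api_call      repo-api
2026-03-02T09:05:00Z alice          login         idp
2026-03-02T09:40:00Z alice          list_files    fileshare
2026-03-02T10:00:00Z svc-backup     api_call      fileshare
"""
# Assumed role baseline: the systems each automation account is expected to touch.
BASELINE = {"svc-ticket-bot": {"idp", "ticketing"}, "svc-backup": {"fileshare"}}

def parse_events(text):
    """Return (timestamp, principal, action, system) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, principal, action, system = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, action, system))
    return sorted(events)

def tempo_alerts(events, window=timedelta(seconds=60), min_systems=3):
    """Flag principals touching >= min_systems distinct systems inside one window."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[ev[1]].append(ev)
    alerts = {}
    for principal, evs in by_principal.items():
        start = 0  # sliding window: alert on tempo and coordination, not on one event
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            systems = {e[3] for e in evs[start:end + 1]}
            if len(systems) >= min_systems:
                alerts[principal] = sorted(systems)
    return alerts

def role_drift(events, baseline):
    """Report automation accounts acting on systems outside their baseline role."""
    drift = defaultdict(set)
    for _, principal, _, system in events:
        if principal in baseline and system not in baseline[principal]:
            drift[principal].add(system)
    return {p: sorted(s) for p, s in drift.items()}
```

Feeding real identity, endpoint, cloud, and tool-call records into the same two checks is the point: the human analyst in the sample never trips either one, while the automation account is caught by both.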
Do AI agents help defenders too?
Yes. Defenders use AI for alert triage, threat intelligence, red-team simulation, and incident analysis. The risk is dual use: the same automation that helps security teams move faster can help attackers do the same.