In just three months, AI-powered hacking has gone from an early problem to an industrial-scale threat, according to a Google report.
The findings from Google’s Threat Intelligence Group further fuel the global conversation about how modern AI models are becoming better at coding and becoming extremely powerful tools for exploiting vulnerabilities in a wide range of software systems.
It appears that criminal groups, as well as state-affiliated forces in China, North Korea, and Russia, are widely using commercial models, such as tools from Gemini, Claude, and OpenAI, to refine and scale their attacks.
“There’s a misconception that an AI vulnerability race is imminent, when in reality it’s already begun,” said John Hultquist, the group’s principal analyst.
“Threat actors are using AI to increase the speed, scale, and sophistication of their attacks. This allows them to test operations, persistently attack targets, build better malware, and make many other improvements.”
Last month, AI company Anthropic refused to release one of its newest models, Mythos, claiming that it has extremely powerful features and could pose a threat to governments, financial institutions, and the world at large if it fell into the wrong hands.
Specifically, Anthropic said Mythos has discovered zero-day vulnerabilities in “all major operating systems and all major web browsers” (a term used by developers to refer to previously unknown product flaws).
The company said these findings required “substantially coordinated defensive actions across the industry.”
However, a Google report recently revealed that a criminal group was attempting to exploit zero-day vulnerabilities to conduct “mass exploitation” campaigns, and that the group appears to be using an AI large-scale language model (LLM) that is not Mythos.
The report also revealed that the group was “experimenting” with OpenClaw. The AI tool made headlines in February for its lack of guardrails and unfortunate tendency to delete email inboxes, giving users the ability to hand over large parts of their lives to AI agents.
Stephen Murdoch, a professor of security engineering at University College London, said AI tools could help not only hackers but also cybersecurity defenders.
“That’s why I’m not panicking. In general, we have reached a stage where the old ways of finding bugs are gone, and from now on everything will be supported by LLM. It will take some time for this impact to dissipate,” he said.
But even if AI is helping ambitious hackers achieve their productivity goals, questions remain about whether it is supporting the economy as a whole.
The Ada Lovelace Institute (ALI), an independent AI research institute, has warned against the assumption that AI will increase public sector productivity by billions of pounds. The UK Government estimates that public sector investment in digital tools and AI could save £45bn and improve productivity.
In a report released Monday, ALI said most research on productivity improvements related to AI mentions time savings and cost reductions, but not outcomes such as improved service or happier workers.
There are other problematic aspects of such studies. Whether predictions of AI-related efficiency in the workplace are really successful in the real world. Headline numbers obscure the different outcomes of using AI for different tasks. and does not take into account the impact on public sector employment and service delivery.
“Productivity estimates that shape key government decisions regarding AI are based on untested assumptions and rely on methodologies whose limitations are not necessarily recognized by those using the actual numbers,” the ALI report states.
“The result is a gap between the credibility of productivity claims and the strength of the evidence behind them.”
The report’s recommendations include: Encourage future research to reflect uncertainty regarding the impact of technology. Enabling government departments to measure the impact of AI programs “from the beginning.” And it supports long-term studies that measure productivity gains over years rather than weeks.
