BIP ATL News & Media Platform


AI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to Hours

May 11, 2026  Twila Rosenbaum

The industrialization of cybercrime, which began in the 1990s, has now entered a new phase driven by artificial intelligence and automation. Criminal operations are mimicking legitimate business practices, focusing on efficiency, scalability, and return on investment. The result: attacks with greater speed, scale, and success.

AI Speeds the Attack Process

According to Derek Manky, Chief Security Strategist at FortiGuard Labs, the latest Global Threat Landscape Report reveals how malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks. A range of AI-enabled tools are now available to cybercriminals, including WormGPT, FraudGPT, HexStrike AI, APEX AI, and BruteForceAI. These tools reduce skill and time requirements, allowing attackers to operate at machine speed.

FraudGPT and WormGPT are used to create compelling phishing attacks, unhindered by guardrails. They allow attackers to refine scams, generate malicious code, and conduct social engineering at scale. HexStrike AI assists with automated reconnaissance, attack-path generation, and malicious content creation. APEX AI offers APT-style attack simulation, while BruteForceAI executes multi-threaded attacks with human-like behavior patterns.

Automation Finds Vulnerabilities

Attackers automate the discovery of vulnerabilities using standard commercial tools: Qualys for identifying vulnerable software versions and misconfigurations, Nmap for port scanning, and Nessus and OpenVAS for vulnerability enrichment.

Data Sharing Fine-Tunes the Cybercrime Business

Access to targets is often already available on underground markets. Databases, credentials, validated access paths, and attacker tooling are continuously advertised and exchanged, forming an upstream supply chain. This data is primarily obtained via infostealers such as RedLine, Lumma, and Vidar. Access brokers then sell validated access into enterprises, with corporate VPNs and RDP being the most advertised types.

FortiGuard reports that 656 vulnerabilities were actively discussed on the darknet in 2025. Among these, 344 had publicly available proof-of-concept exploit code, 176 had working exploit code, and 149 had both. Vulnerabilities become 'industrial' when packaged with scripts, modules, guides, and operational playbooks, enabling exploitation as a repeatable loop.

The Effect: Collapsing Time-to-Exploit

The primary effect of this industrialization is the collapse of time-to-exploit. Douglas Santos, director of advanced threat intelligence at FortiGuard, notes: "Not long ago, time-to-exploit averaged nearly a week. That window has now collapsed to 24 to 48 hours for most critical vulnerabilities, and in some cases, exploitation begins within hours of public disclosure." He warns that as AI accelerates reconnaissance and weaponization, the norm may soon become hours or even minutes.

Ransomware remains the most easily monetizable attack type. Globally, there were 7,831 confirmed ransomware victims in 2025, with Qilin, Akira, and Safepay being the most active groups. The US was the most targeted geographic area, with 3,381 victims, followed by Canada and Europe.

Defending Against Industrialized Cybercrime

Defenders must scale their efforts accordingly. The speed of adversarial AI and automation can only be matched by defensive AI and automation. FortiGuard recommends prioritizing identity-centric detection, exposure reduction, and automation to match the machine-speed operations of attackers.

The firm has engaged in several international cybercrime disruption efforts over the past year, including INTERPOL Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative with the World Economic Forum, the Cyber Threat Alliance, and a new Cybercrime Bounty program with Crime Stoppers International.

As cybercrime becomes more industrialized, the need for defenders to adopt similar efficiencies grows urgent. The global attack surface is already mapped and kept in a state of operational readiness. Only by matching the speed, scale, and automation of adversaries can organizations hope to stay ahead.


Source: SecurityWeek News

