Cybercrime is entering a new phase where machines, not humans, increasingly run the attacks.
A new 2026 Global Threat Intelligence Report from Flashpoint suggests that threat actors are rapidly adopting AI-powered automated systems to execute entire cyberattack chains with minimal human input.
Threat actors adopt AI tools as cyberattacks become cheaper to automate
One of the report’s most striking findings is a significant spike in underground conversations about using AI for cybercrime.
Flashpoint tracked a 1,500% increase in illicit AI-related discussions between November and December 2025, a signal that attackers are moving from experimenting with AI tools to building fully automated attack frameworks.
These so-called “agentic” systems can conduct reconnaissance, create phishing lures, rotate infrastructure credentials, and automatically test stolen credentials.
“When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold,” said Ian Gray, Flashpoint’s VP of cyber threat intelligence operations.
3.3 billion stolen credentials make identity the new cyber battleground
The report also highlights that cybercriminals are increasingly relying on stolen login credentials rather than traditional hacking techniques.
Flashpoint observed more than 11.1 million machines infected with information-stealing malware in 2025, producing a motherlode of 3.3 billion stolen credentials, session cookies, and cloud tokens.
“Attackers do not need to escalate privileges or deploy custom malware to gain access; they simply log in,” the report states, pointing to a fundamental shift in how breaches now occur.
In a concerning development, researchers warn these stolen identity stores are being fed into emerging agentic AI systems that can autonomously test credentials against corporate VPNs, SaaS platforms, and cloud providers simultaneously, all without human intervention.
Exploit timelines shrink as vulnerability disclosures surge
The report also warns that defenders are losing the race against vulnerability exploitation.
In 2025 alone, 44,509 vulnerabilities were disclosed, up 12% year over year, and roughly one-third now have publicly available exploit code, making it easier for attackers to weaponize newly discovered flaws.
Some zero-day vulnerabilities are now being exploited within as few as 24 hours of discovery, significantly shrinking the window for organizations to patch affected systems.
“This systemic instability makes it a business requirement to move beyond generic feeds,” the report advises, noting that the CVE program’s contract expiration in March 2026 could trigger “catastrophic downstream risks” if public databases stall.
Ransomware groups target human trust instead of software flaws
Ransomware attacks surged 53% in 2025, with ransomware-as-a-service operations responsible for 87% of incidents.
But the tactics are shifting: rather than hunting for software flaws, groups like Scattered Spider are now targeting “human trust and identity” through social engineering and insider recruitment.
Flashpoint documented more than 91,000 instances of threat actors discussing or advertising malicious insiders in 2025, a cheap workaround for bypassing multi-million-dollar security stacks.
Flashpoint Co-Founder and CEO, Josh Lefkowitz, said the convergence of AI, identity theft, and automated attacks is creating a rapidly evolving threat environment.
“As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind,” Lefkowitz said.
“To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”