AI-fuelled cyber attacks hit in minutes, warns CrowdStrike
CrowdStrike reports a sharp acceleration in cyber intrusions, with attackers moving from initial access to lateral movement in less than half an hour on average as widely available artificial intelligence tools become embedded in criminal workflows.
Its latest Global Threat Report puts the average eCrime "breakout time" (the interval between initial access and the first lateral movement) at 29 minutes in 2025, 65% faster than the prior year. The fastest breakout it observed took 27 seconds, and in one intrusion data exfiltration began within four minutes of initial access.
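Breakout time is only useful to a defender if it can be measured against the team's own time to contain. The script below is an added example, not code from CrowdStrike or from the report: it derives per-intrusion breakout time (initial access to first lateral movement), time to exfiltration and time to containment from a constructed event stream, and flags whether containment landed before the adversary broke out. The event format, the `case` identifier and the tactic labels are assumptions made for the example.

```python
"""Measure intrusion breakout time against defender time-to-contain.

Added example (not from the CrowdStrike report). Events are assumed to be
per-tactic milestones already extracted from EDR/SIEM data; timestamps are UTC.
"""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry); `case` groups one intrusion.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-03-01T09:00:00Z", "case": "A", "tactic": "initial_access", "host": "web-01"},
    {"ts": "2025-03-01T09:04:10Z", "case": "A", "tactic": "exfiltration", "host": "web-01"},
    {"ts": "2025-03-01T09:11:30Z", "case": "A", "tactic": "lateral_movement", "host": "db-02"},
    {"ts": "2025-03-01T09:40:00Z", "case": "A", "tactic": "containment", "host": "web-01"},
    {"ts": "2025-03-02T14:00:00Z", "case": "B", "tactic": "initial_access", "host": "vpn-gw"},
    {"ts": "2025-03-02T14:20:00Z", "case": "B", "tactic": "containment", "host": "vpn-gw"},
    {"ts": "2025-03-02T15:30:00Z", "case": "B", "tactic": "lateral_movement", "host": "fs-01"},
    {"ts": "2025-03-03T08:00:00Z", "case": "C", "tactic": "initial_access", "host": "mail-01"},
]

MILESTONES = ("initial_access", "lateral_movement", "exfiltration", "containment")


def parse_ts(value: str) -> datetime:
    """Parse the assumed ISO-8601 'Z' timestamp format."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def breakout_metrics(events: List[Dict[str, str]]) -> Dict[str, Dict[str, Optional[float]]]:
    """Return per-case timings in seconds, measured from initial access.

    Events may arrive out of order; the earliest occurrence of each milestone
    is kept. Cases without an initial_access event are skipped because there
    is no anchor to measure from.
    """
    first: Dict[str, Dict[str, Optional[datetime]]] = {}
    for ev in events:
        rec = first.setdefault(ev["case"], {m: None for m in MILESTONES})
        tactic = ev["tactic"]
        if tactic not in rec:
            continue  # ignore tactics that are not timing milestones
        t = parse_ts(ev["ts"])
        if rec[tactic] is None or t < rec[tactic]:
            rec[tactic] = t

    out: Dict[str, Dict[str, Optional[float]]] = {}
    for case, rec in first.items():
        start = rec["initial_access"]
        if start is None:
            continue

        def since_start(key: str) -> Optional[float]:
            return (rec[key] - start).total_seconds() if rec[key] else None

        breakout = since_start("lateral_movement")
        contain = since_start("containment")
        # Containment "wins" only if it happened and preceded the breakout;
        # an open case with neither milestone is not counted as a win.
        won = contain is not None and (breakout is None or contain < breakout)
        out[case] = {
            "breakout_s": breakout,
            "time_to_exfil_s": since_start("exfiltration"),
            "time_to_contain_s": contain,
            "contained_before_breakout": won,
        }
    return out


def average_breakout_minutes(metrics: Dict[str, Dict[str, Optional[float]]]) -> Optional[float]:
    """Mean breakout time in minutes over cases where lateral movement was seen."""
    vals = [m["breakout_s"] for m in metrics.values() if m["breakout_s"] is not None]
    return sum(vals) / len(vals) / 60.0 if vals else None


if __name__ == "__main__":
    m = breakout_metrics(SAMPLE_EVENTS)
    for case, row in sorted(m.items()):
        print(case, row)
    print("average breakout (min):", average_breakout_minutes(m))
```

Run against real telemetry, the same calculation gives the number that matters operationally: not the adversary's average breakout time, but how often containment beat breakout on your own estate.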
The report also points to a rise in AI-linked activity across multiple stages of an attack. AI-enabled adversaries increased operations by 89% year on year in 2025, using AI for reconnaissance, credential theft and evasion.
Mainstream AI tools
Discussion of mainstream AI tools has become common in underground forums. ChatGPT was mentioned 550% more often than any other model in those conversations, suggesting attackers are experimenting with widely available tools and looking for ways around their safeguards.
Alongside generative AI use in preparation and execution, the report describes attempts to exploit AI systems directly. Adversaries injected malicious prompts into GenAI tools at more than 90 organisations, using them to generate commands associated with credential theft and cryptocurrency theft.
It also highlights attacks on AI development platforms, where adversaries exploited vulnerabilities to establish persistence and deploy ransomware. CrowdStrike says it has also observed malicious AI servers that impersonate trusted services and intercept sensitive data.
Identity and cloud
CrowdStrike links the shorter breakout time to attackers moving through trusted identities, software-as-a-service applications and cloud infrastructure. These paths can blend into normal activity and reduce the time available for defenders to respond.
"Cloud-conscious" intrusions rose 37% overall, driven largely by state-linked actors. Activity targeting cloud environments for intelligence collection rose 266%.
CrowdStrike also highlights pre-disclosure exploitation, with 42% of vulnerabilities exploited before public disclosure. It ties the trend to zero-days used for initial access, remote code execution and privilege escalation.
New adversaries
The report counts 24 new adversaries in 2025, bringing the total tracked by CrowdStrike to 281 groups spanning nation-state and eCrime activity.
It also reports growth in social engineering and spam, with a 563% increase in incidents using fake CAPTCHA lures and a 141% increase in spam emails.
State-linked activity
The report describes higher activity linked to China and North Korea. China-nexus activity increased 38% in 2025, with the logistics sector seeing the largest increase in targeting, up 85%.
It says 67% of vulnerabilities exploited by China-nexus actors delivered immediate system access, and 40% targeted internet-facing edge devices.
Incidents linked to North Korea rose more than 130%, while activity by the group CrowdStrike tracks as FAMOUS CHOLLIMA more than doubled. The report says DPRK-nexus actors used AI-generated personas to scale insider operations.
It also cites a large cryptocurrency theft attributed to the actor it calls PRESSURE CHOLLIMA, valued at US$1.46 billion and described as the largest single financial heist ever reported.
The report also references AI-linked tooling used by other state and criminal groups. Russia-nexus FANCY BEAR deployed LLM-enabled malware, tracked as LAMEHUG, for automated reconnaissance and document collection. The eCrime actor tracked as PUNK SPIDER used AI-generated scripts to speed up credential dumping and erase forensic evidence.
"This is an AI arms race," said Adam Meyers, Head of Counter Adversary Operations, CrowdStrike. "Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win."
CrowdStrike says it based the report on its threat hunting and intelligence work across more than 280 named adversaries, and expects faster intrusions and direct exploitation of AI systems to remain central features of the threat landscape.