
Illustration by iStock, Security Management

Attackers Increasingly Use AI To Target Trust, CrowdStrike Finds

Malicious cyber attackers increasingly used artificial intelligence (AI) and got much faster at executing their attacks in 2025, according to the 2026 Global Threat Report from CrowdStrike.

The report—which provides an in-depth analysis of the adversaries, tradecraft, and trends that arose during the previous year—found that there was an 89 percent increase in attacks where the attackers leveraged AI in 2025.

AI was able to help adversaries accelerate their phishing and automated reconnaissance on targets. “It elevated less sophisticated threat actors and amplified the most advanced ones. It compressed the time between intent and execution,” the report said. Analysts found that threat actors used AI to create malware, code, and exploits faster than before.

The most common ways that AI was used in attacks included resource development, such as using generative AI to create a fake persona; execution of an attack; defense evasion, such as using an AI coding assistant to evade detection; discovery, such as identifying security gaps; and data collection.

Attackers also leveraged AI in attacks that involved social engineering and information operations, proving that they are becoming increasingly fluent in the ways that AI tools can be used. Analysts found that AI tools helped threat actors create, organize, and scale phishing attacks by accelerating reconnaissance operations, creating convincing phishing messages and webpages, carrying out spamming activity, and circumventing safeguards that other AI tools may have to prevent the creation of illicit content.

For example, a foreign intelligence service used AI to help target former U.S. government employees on job recruiting websites, the report said.

A focus on phishing, social engineering, and similar attack vectors indicated that threat actors are increasingly targeting trusted relationships to gain access and do harm. They used valid credentials, trusted identity flows, approved SaaS integrations, and inherited software supply chains to blend into an organization’s normal activity, with an estimated 82 percent of detected attacks in 2025 lacking the use of malware.

“As defenses became more sophisticated, threat actors increasingly exploited the inherent trust in supply chain partners, legitimate software, internal systems, and employees to gain initial access and move undetected,” the report noted.

One of the “defining tactics” of 2025 was supply chain attacks, with threat actors increasingly compromising upstream providers, development ecosystems, and public code repositories to gain wider and quieter access to downstream organizations.

For example, in February 2025, the North Korean-linked Lazarus Group carried out the largest single financial theft ever reported, stealing $1.46 billion worth of the cryptocurrency Ethereum. The theft, made possible by trojanized software introduced into the exchange’s supply chain, occurred during a transaction the cryptocurrency exchange regularly carries out once every two to three weeks.

CrowdStrike identified the top 10 industries targeted by intrusions that rely on abusing trusted relationships instead of malware:

  • Technology
  • Manufacturing
  • Retail
  • Financial services
  • Healthcare
  • Telecommunications
  • Government
  • Industrials and engineering
  • Academic
  • Media

Attackers also abused the legitimate AI tools of more than 90 organizations, exploiting these tools to generate malicious commands and steal sensitive data.

Besides becoming more effective in carrying out cyberattacks, threat actors are also getting faster. In fact, “speed is now the defining characteristic of intrusion, and it has fundamentally reshaped how adversaries evade detection. …The window to detect, decide, and respond has narrowed dramatically,” according to the report.

In 2025, the average amount of time it took a cyberattacker to move from an initial compromised point in a network to other systems, especially high-value assets, was 29 minutes, 65 percent faster than in 2024. This time, commonly referred to as “breakout time,” ultimately decides how fast a defender must identify and respond to an attack to mitigate the cost and the damage from an incident.

“Breakout time has been steadily decreasing over the past five years, roughly a 70 percent reduction from 2021 to 2025,” according to the report. It also noted that the fastest breakout time in 2025 took only 27 seconds.

 
