AI Is Making Attacks Cheaper, Faster and More Covert, Says ReliaQuest

AI is making cyber-attacks cheaper, faster to scale, easier to customize and harder to spot, but it’s not fundamentally changing the tradecraft of intrusions, a new ReliaQuest report has revealed.

The threat intelligence specialist has been tracking the progress of the technology on the cybercrime underground over the past two years.

In 2024, AI was mainly used for “polishing” phishing emails, generating basic scripts, and in malicious tools like FraudGPT. By mid-2025, that picture had expanded to include “deepfake services, AI-assisted scripts, and a growing underground market for AI-enabled tools,” it said.

Today, AI has moved “closer into the heart of the offensive workflow,” according to ReliaQuest.

In the incidents ReliaQuest reviewed, AI appeared in two main roles.

“First, it was embedded in the attack workflow: clues pointed to attackers using it to generate phishing pages, build web shells and credential harvesters, pad code to frustrate static analysis, and improve the fluency of social-engineering content,” the report noted.

“Second, AI was the lure itself. Attackers used demand for AI tools and trust in AI brands to get users to install malicious extensions, run commands, or follow fake setup steps that looked routine enough to pass initial scrutiny.”

It’s being used by all types of threat actor, from ShinyHunters to North Korean hackers, with goals as varied as extortion, initial access, fraud and espionage. The central theme is that it “consistently enabled these operators to achieve more, faster, with less effort,” the report explained.

AI is treated as operational infrastructure – something to buy, tune and slot into existing workflows – and as such the focus for threat actors is on balancing efficiency with reliability and cost, ReliaQuest said.

Six Ways AI Is Being Used for Cyber-Attacks 

The report revealed six key ways AI is used in intrusions today:

  • Phishing at industrial scale: Lowering the barrier to entry for cybercriminals by enabling mass generation of phishing pages and lures and ensuring campaigns can be launched, adjusted, and repeated at speed
  • Malicious tools produced faster: Generating key components like web shells and credential harvesters, as well as “varying or padding code to frustrate static analysis”
  • Social engineering polish: Erasing the typos, awkward phrasing, poor grammar, and clumsy design that used to be tell-tale signs of phishing
  • Identity fabrication: Making North Korean worker fraud easier to scale, and harder to spot thanks to rapid development of fake profiles and convincing deepfakes for meetings and interviews
  • Initial-access acceleration: Moving targets from “interaction to compromise” via AI-generated obfuscation in ClickFix attacks and AI-assisted pages in device-code phishing campaigns
  • AI-branded tools as the lure: Tricking users into running malicious installation commands or extensions disguised as Claude or other branded downloads

An Action Plan to Tackle AI Threats

“Security teams don’t need a new strategy built around AI as a category,” the report explained. “But AI does change the pace of attacks, so they do need strong fundamentals, defense-in-depth, and AI and automation wherever operationally possible to match the new pace.”

With that in mind, CISOs should consider actioning the following:

  • Use behavioral detection across endpoint, identity, network, and cloud, especially after access is granted
  • Automate containment to keep pace with machine-speed attacks
  • Retrain users on the full range of what AI can fake (e.g. voice, video, profile photos, and polished text), and require out-of-band verification for sensitive requests such as installs, approvals and payments
  • Invest in threat research to track the volume and timing patterns that AI-scaled campaigns create
  • Use external threat intelligence to spot AI-enabled tradecraft before it reaches your environment and route it to the right teams
