PRESSURE CHOLLIMA and CrowdStrike: AI-fuelled cyber attacks hit in minutes, warns CrowdStrike


CrowdStrike Report Reveals Alarming Surge in AI-Driven Cyber Threats

CrowdStrike’s latest Global Threat Report highlights a dramatic acceleration in cyber intrusions, with attackers leveraging AI to shrink the window between initial access and lateral movement. In 2025, the average "breakout time" for eCrime actors dropped to just 29 minutes, a 65% decrease from the previous year. The fastest observed intrusion saw data exfiltration begin within four minutes, while one attack achieved lateral movement in 27 seconds.

AI has become a cornerstone of modern cyber operations, with adversaries increasing AI-enabled attacks by 89% year-on-year. Underground forums show a 550% surge in discussions about ChatGPT, as threat actors experiment with mainstream AI tools to bypass safeguards. Beyond tooling, attackers are directly targeting AI systems: malicious prompts were injected into generative AI platforms at over 90 organizations, enabling credential and cryptocurrency theft. Vulnerabilities in AI development platforms have also been exploited to deploy ransomware and establish persistence, while rogue AI servers impersonate trusted services to intercept sensitive data.

The report ties faster breakout times to attackers abusing trusted identities, SaaS applications, and cloud infrastructure, all of which blend into legitimate activity and reduce defenders’ response windows. Cloud-conscious intrusions rose 37%, driven largely by state-linked actors, with intelligence-gathering operations in cloud environments surging 266%. Pre-disclosure exploitation remains a critical threat: 42% of vulnerabilities were weaponized before public disclosure, often via zero-days used for initial access, remote code execution, or privilege escalation.

CrowdStrike identified 24 new adversary groups in 2025, bringing the total tracked to 281, spanning nation-state and eCrime actors. Social engineering tactics have also evolved, with a 563% increase in fake CAPTCHA lures and a 141% rise in spam emails.

State-linked activity saw significant growth, particularly from China and North Korea. China-nexus operations increased 38%, with the logistics sector facing an 85% spike in targeting. Of the vulnerabilities exploited by these actors, 67% provided immediate system access, and 40% targeted internet-facing edge devices. North Korea-linked incidents surged 130%, with the group FAMOUS CHOLLIMA more than doubling its activity. DPRK actors used AI-generated personas to scale insider operations, while PRESSURE CHOLLIMA was linked to a $1.46 billion cryptocurrency theft, the largest single financial heist on record.

Other notable threats include Russia-nexus FANCY BEAR, which deployed LLM-enabled malware (LAMEHUG) for automated reconnaissance, and the eCrime actor PUNK SPIDER, which used AI-generated scripts to accelerate credential theft and erase forensic evidence. CrowdStrike warns that the AI arms race is compressing attack timelines, turning enterprise AI systems into both tools and targets for adversaries. The report is based on intelligence from 280+ tracked adversaries, forecasting continued acceleration in AI-driven intrusions and direct exploitation of AI platforms.

Source: https://securitybrief.co.uk/story/ai-fuelled-cyber-attacks-hit-in-minutes-warns-crowdstrike

PRESSURE CHOLLIMA TPRM report: https://www.rankiteo.com/company/polyswarm

CrowdStrike TPRM report: https://www.rankiteo.com/company/crowdstrike

{
  "id": "cropol1771965526",
  "linkid": "crowdstrike, polyswarm",
  "type": "Cyber Attack",
  "date": "1/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Technology',
                                     'Logistics',
                                     'Finance (cryptocurrency)',
                                     'Cloud services'],
                        'type': ['Organizations using generative AI platforms',
                                 'Cloud service providers',
                                 'Logistics sector (targeted by China-nexus '
                                 'actors)',
                                 'Cryptocurrency platforms']}],
 'attack_vector': ['AI-enabled attacks',
                   'Malicious prompts in generative AI platforms',
                   'Exploitation of AI development platforms',
                   'SaaS applications',
                   'Cloud infrastructure abuse',
                   'Zero-day vulnerabilities',
                   'Social engineering (fake CAPTCHA lures, spam emails)',
                   'Insider operations (AI-generated personas)'],
 'data_breach': {'data_encryption': 'Yes (ransomware deployment via AI '
                                    'platform vulnerabilities)',
                 'data_exfiltration': 'Yes (observed in fastest intrusion case '
                                      'within 4 minutes)',
                 'personally_identifiable_information': 'Yes (via AI-generated '
                                                        'personas and '
                                                        'credential theft)',
                 'sensitivity_of_data': 'High (PII, financial data, '
                                        'cryptocurrency keys)',
                 'type_of_data_compromised': ['Credentials',
                                              'Cryptocurrency',
                                              'Personally identifiable '
                                              'information (via AI-generated '
                                              'personas)',
                                              'Sensitive organizational data']},
 'date_publicly_disclosed': '2025',
 'description': 'CrowdStrike’s *Global Threat Report* highlights a dramatic '
                'acceleration in cyber intrusions, with attackers leveraging '
                'AI to shrink the window between initial access and lateral '
                'movement. AI-enabled attacks increased by 89% year-on-year, '
                'with a 550% surge in discussions about ChatGPT in underground '
                'forums. Attackers are targeting AI systems, injecting '
                'malicious prompts into generative AI platforms at over 90 '
                'organizations, and exploiting vulnerabilities in AI '
                'development platforms to deploy ransomware. The report also '
                'notes a 37% rise in cloud-conscious intrusions and a 266% '
                'surge in intelligence-gathering operations in cloud '
                'environments. Pre-disclosure exploitation of vulnerabilities '
                '(42% weaponized before public disclosure) and the emergence '
                'of 24 new adversary groups (totaling 281) were key trends. '
                'State-linked activity, particularly from China and North '
                'Korea, saw significant growth, with China-nexus operations '
                'increasing 38% and North Korea-linked incidents surging 130%.',
 'impact': {'data_compromised': ['Credentials',
                                 'Cryptocurrency',
                                 'Sensitive data intercepted via rogue AI '
                                 'servers'],
            'financial_loss': '$1.46 billion (largest single cryptocurrency '
                              'theft on record)',
            'identity_theft_risk': 'High (AI-generated personas for insider '
                                   'operations, credential theft)',
            'operational_impact': ['Accelerated intrusion timelines (breakout '
                                   'time as low as 27 seconds)',
                                   'Lateral movement within 29 minutes on '
                                   'average',
                                   'Data exfiltration within 4 minutes in '
                                   'fastest observed case'],
            'payment_information_risk': 'High (cryptocurrency theft, '
                                        'credential theft)',
            'systems_affected': ['AI development platforms',
                                 'Cloud environments',
                                 'Internet-facing edge devices',
                                 'SaaS applications']},
 'initial_access_broker': {'entry_point': ['Zero-day vulnerabilities',
                                           'SaaS applications',
                                           'Cloud infrastructure',
                                           'AI development platforms'],
                           'high_value_targets': ['Cloud environments',
                                                  'Cryptocurrency platforms',
                                                  'Logistics sector']},
 'investigation_status': 'Ongoing (based on 280+ tracked adversaries)',
 'lessons_learned': 'AI is compressing attack timelines, turning enterprise AI '
                    'systems into both tools and targets for adversaries. '
                    'Defenders must adapt to faster breakout times, increased '
                    'cloud-conscious intrusions, and the weaponization of AI '
                    'platforms. Pre-disclosure exploitation of vulnerabilities '
                    'remains a critical threat, requiring proactive threat '
                    'intelligence and patch management.',
 'motivation': ['Financial gain (e.g., $1.46 billion cryptocurrency theft)',
                'Intelligence gathering (cloud environments)',
                'Espionage',
                'Disruption',
                'Credential theft',
                'Data exfiltration'],
 'post_incident_analysis': {'corrective_actions': ['Deploy AI-driven threat '
                                                   'detection and response '
                                                   'capabilities.',
                                                   'Improve visibility into '
                                                   'cloud and AI platform '
                                                   'environments.',
                                                   'Enhance vulnerability '
                                                   'management for zero-days '
                                                   'and edge devices.',
                                                   'Strengthen insider threat '
                                                   'programs to counter '
                                                   'AI-generated personas.',
                                                   'Collaborate with industry '
                                                   'and government to share '
                                                   'threat intelligence.'],
                            'root_causes': ['Exploitation of AI platforms and '
                                            'tools by threat actors.',
                                            'Abuse of trusted identities and '
                                            'cloud infrastructure for lateral '
                                            'movement.',
                                            'Pre-disclosure exploitation of '
                                            'zero-day vulnerabilities.',
                                            'Evolution of social engineering '
                                            'tactics (e.g., AI-generated '
                                            'personas, fake CAPTCHA lures).',
                                            'Increased state-linked cyber '
                                            'operations (China, North Korea, '
                                            'Russia).']},
 'ransomware': {'data_encryption': 'Yes (via exploitation of AI development '
                                   'platforms)',
                'data_exfiltration': 'Yes'},
 'recommendations': ['Enhance monitoring for AI-driven threats and malicious '
                     'prompts in generative AI platforms.',
                     'Implement robust identity and access management (IAM) to '
                     'mitigate abuse of trusted identities.',
                     'Strengthen cloud security posture to detect and respond '
                     'to cloud-conscious intrusions.',
                     'Prioritize patch management for zero-day vulnerabilities '
                     'and internet-facing edge devices.',
                     'Adopt AI-driven defense mechanisms to counter AI-enabled '
                     'attacks.',
                     'Educate employees on evolving social engineering tactics '
                     '(e.g., fake CAPTCHA lures, AI-generated personas).',
                     'Collaborate with threat intelligence providers to stay '
                     'ahead of emerging adversary groups and tactics.'],
 'references': [{'source': 'CrowdStrike Global Threat Report 2025'}],
 'threat_actor': ['FAMOUS CHOLLIMA',
                  'PRESSURE CHOLLIMA',
                  'FANCY BEAR (Russia-nexus)',
                  'PUNK SPIDER (eCrime)',
                  'China-nexus actors',
                  'North Korea-linked actors'],
 'title': 'Surge in AI-Driven Cyber Threats and Accelerated Intrusion '
          'Timelines',
 'type': ['AI-driven cyber threats',
          'Ransomware',
          'Data exfiltration',
          'Credential theft',
          'Cryptocurrency theft',
          'Social engineering',
          'Zero-day exploitation'],
 'vulnerability_exploited': ['Zero-day vulnerabilities (42% weaponized before '
                             'public disclosure)',
                             'Vulnerabilities in AI development platforms',
                             'Internet-facing edge devices (40% targeted by '
                             'China-nexus actors)']}