The past year marked a turning point in global cybercrime, as artificial intelligence moved from a supporting role to actively shaping how attacks are planned, executed, and scaled. Long-standing warnings from security experts came true in 2025, with confirmed cases of AI automating critical stages of cyberattacks.
A recent industry report noted that “Hands-on-keyboard intrusions still dominated” in 2025, “but the year delivered the first confirmed cases of AI-orchestrated attacks—alongside deepfake-enabled social engineering and AI agents that outperformed humans at discovering vulnerabilities.”
Looking ahead, the report warned that AI’s pace is accelerating. It predicted that in 2026, AI’s “emerging capabilities will mature into fully autonomous ransomware pipelines that allow individual operators and small crews to attack multiple targets simultaneously at a scale that exceeds anything seen in the ransomware ecosystem to date.”
Several findings highlighted the growing role of AI in cybercrime. An industry study found that 16% of breaches involved AI, with 33% of those cases linked to deepfake media. In another milestone, an autonomous vulnerability-reporting agent topped a major global bug bounty leaderboard, becoming the first AI model to do so. Separately, researchers identified how cybercriminals were misusing advanced AI tools to support attacks.
Experts also raised alarms over the use of the Model Context Protocol (MCP), which allows AI agents to connect with other tools. A 2025 academic study showed that an AI model using MCP “achieved domain dominance on a corporate network in under an hour with no human intervention, evading endpoint detection and response (EDR) measures through on-the-fly tactic adaptation.”
While such tools can help defenders test systems, the report warned they also create “a path for cyberattacks that are faster, more adaptive, and far more scalable than anything achievable through hands-on-keyboard intrusions.” It added that “in 2026, MCP-based attack frameworks will become a defining capability of cybercriminals targeting businesses.”
Ransomware trends added to the concern. In 2025, 86% of ransomware incidents involved “remote encryption,” where attackers encrypted entire networks from a single unprotected system. “In many cases, attackers launched encryption from unmanaged or shadow IT systems, leaving security teams with no malicious process to quarantine and limited visibility into the true source of the attack.”
Ransomware attacks rose 8% year-on-year, making 2025 the worst year on record. One strain accounted for 37% of detections, followed by others at 15%, 6%, and 6%. The US saw 48% of attacks, while Canada and Germany recorded 5% each, and the UK 4%. In total, attacks hit 135 countries.
“Companies from Russia, China, and much of the Global South were largely absent from leak sites,” the report said, pointing to long-standing geopolitical and economic factors.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
