“AI is industrialising cybercrime”, says Google Threat Intelligence CTO


As generative AI lowers barriers for hackers and nation-states alike, Google warns of an arms race reshaping cybercrime and cyber warfare
Shane Huntley, CTO, Google Threat Intelligence  

Traditional phishing consisted of emails with bad grammar, suspicious sender addresses and other telltale signs. Now, it could be a phone call that sounds like a bank executive asking for account details or one-time passwords (OTPs), or a fake login page that looks exactly like the real thing.

In a conversation with Fortune India, Shane Huntley, CTO of Google Threat Intelligence, says that cyberattacks have evolved and become sophisticated. The next cyberattack could begin with a perfectly coherent voice call, a convincing software update notification, or an AI-generated message tailored specifically to its target.

His team at Google Threat Intelligence Group (GTIG) reports that threat actors are now using AI across multiple stages of cyber operations, including reconnaissance, vulnerability research, malware development, social engineering and attack automation. “We are in an arms race,” says Huntley. “What AI is allowing both attackers and defenders to do is operate faster and at greater scale.”

Huntley described AI less as a completely new cyber threat and more as an “acceleration force” that is intensifying existing ones. “Like previous technology revolutions, AI removes constraints and allows people to do things at greater scale and speed,” he said. The implications are already visible in how attacks are evolving. Traditional phishing campaigns, which were once among the most common methods used by attackers, are declining. Huntley said phishing incidents have fallen from roughly 22% of intrusions a few years ago to nearly 6% today as organisations improve detection systems.

Instead, attackers are increasingly turning towards exploit-led intrusions and more sophisticated social engineering techniques. According to Huntley, nearly 33% of incidents handled by Mandiant (a cybersecurity subsidiary of Google) in the Asia-Pacific region stemmed from exploit activity. Mandiant’s broader incident-response data showed that 11% involved voice phishing, 9% stemmed from stolen credentials and 6% came through phishing.

Google’s report warned that AI is helping attackers shorten the timeline between discovering vulnerabilities and weaponising them. Bad actors seem to use AI for much the same reasons regular users do: to conduct research and troubleshoot tasks. These interactions lower the barrier to entry for complex, multi-stage operations and enable threat actors to focus their human capital on the higher-order strategic elements of campaigns, the report suggests.

Huntley said defenders no longer have the luxury of time. “We don’t have days to patch anymore,” he said. “If attackers operate at computer speed while defenders operate at human speed, defenders are going to lose.”

Beyond users and enterprises 

The report also documented what Google believes may be the first observed case of an AI-assisted zero-day exploit intended for mass exploitation. This means that attackers have found a vulnerability known to the company and tried to exploit it. The exploit targeted a widely used open-source administration tool and attempted to bypass two-factor authentication through a logic flaw. “But our proactive counter discovery may have prevented its use,” the report stated.

But beyond individual users and enterprises, Google’s findings also point to a growing geopolitical dimension to AI-powered cyber operations. The report noted that state-backed threat actors linked to countries including China, Iran and North Korea are increasingly experimenting with generative AI tools to support cyber espionage, operational research and vulnerability analysis. While Google said it has not yet observed fully autonomous AI cyberattacks by state actors, researchers noted that these groups are actively testing how AI can improve operational efficiency. Huntley said the shift reflects how AI is lowering operational barriers across the threat landscape. “Every type of threat actor is trying to work out how to use AI to get better at what they’re doing,” he said. “Whether that’s exploit research, malware, phishing content or automating operations.”

Huntley said this reflects a broader industrialisation of cybercrime and cyber warfare ecosystems. “We’ve already seen ransomware and cybercrime become very efficient and industrialised,” he said. “AI is now accelerating that trend.” At the same time, Google argues that AI could also become one of cybersecurity’s biggest defensive tools. Huntley said cybersecurity teams globally continue to struggle with an overwhelming volume of threat data and a shortage of trained defenders.

“There’s never been enough defenders,” he said. “AI allows security teams to scale in ways that simply weren’t possible before.” Google itself is increasingly integrating AI into its own security operations through projects focused on identifying vulnerabilities and accelerating patching workflows.

Still, for Huntley, the central concern remains whether defenders can adapt quickly enough to the speed of AI-assisted attacks. “The biggest thing we need to avoid,” he said, “is defenders falling behind attackers in the use of technology.”