CrowdStrike flags faster AI-driven cyber attacks worldwide


CrowdStrike has published its annual Global Threat Report, which finds that cyber attacks are becoming faster and more reliant on widely available artificial intelligence tools.

The average eCrime breakout time fell to 29 minutes in 2025, a 65% increase in speed from the previous year. The fastest observed breakout took 27 seconds, while in one intrusion data exfiltration began within four minutes of initial access.
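Breakout time, as the report uses it, is the gap between an adversary's initial access and their first move to another host. The following added example (written for this page, not CrowdStrike's code or method) shows how a detection team can compute the same metric and the time-to-exfiltration from its own timeline of labelled intrusion events, and compare it against a response budget. The event labels, host names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample telemetry for one intrusion (not data from the report):
# (ISO-8601 timestamp, host, activity label). Labels are an assumption about
# how an analyst or EDR would tag events.
SAMPLE_EVENTS = [
    ("2025-03-01T10:00:00", "ws-01", "initial_access"),
    ("2025-03-01T10:05:00", "ws-01", "discovery"),
    ("2025-03-01T10:27:00", "ws-02", "lateral_movement"),
    ("2025-03-01T10:31:00", "srv-db", "exfiltration"),
]


def parse_events(rows):
    """Turn (iso_ts, host, label) tuples into (datetime, host, label), sorted by time."""
    parsed = [(datetime.fromisoformat(ts), host, label) for ts, host, label in rows]
    return sorted(parsed, key=lambda e: e[0])


def first_after(events, label, start=None, exclude_host=None):
    """Return (time, host) of the first event carrying `label` at or after `start`,
    optionally skipping events on `exclude_host`; None if there is none."""
    for ts, host, lbl in events:
        if lbl != label:
            continue
        if start is not None and ts < start:
            continue
        if exclude_host is not None and host == exclude_host:
            continue
        return ts, host
    return None


def breakout_time(rows) -> Optional[timedelta]:
    """Time from the first initial-access event to the first lateral-movement
    event on a different host. None if either end of the interval is missing."""
    events = parse_events(rows)
    entry = first_after(events, "initial_access")
    if entry is None:
        return None
    t0, entry_host = entry
    lateral = first_after(events, "lateral_movement", start=t0, exclude_host=entry_host)
    if lateral is None:
        return None
    return lateral[0] - t0


def time_to_exfil(rows) -> Optional[timedelta]:
    """Time from the first initial-access event to the first exfiltration event."""
    events = parse_events(rows)
    entry = first_after(events, "initial_access")
    if entry is None:
        return None
    exfil = first_after(events, "exfiltration", start=entry[0])
    return None if exfil is None else exfil[0] - entry[0]


def triage(rows, response_budget: timedelta) -> dict:
    """Summarise one intrusion against the team's response budget (the time it
    realistically needs to detect and contain a host)."""
    bt = breakout_time(rows)
    te = time_to_exfil(rows)
    return {
        "breakout_minutes": None if bt is None else bt.total_seconds() / 60,
        "exfil_minutes": None if te is None else te.total_seconds() / 60,
        # True only when containment would land before the adversary spreads.
        "contained_before_breakout": bt is not None and response_budget <= bt,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, timedelta(minutes=60)))
```

Run against the sample, a 60-minute response budget loses to a 27-minute breakout; measured over many incidents, the distribution of `breakout_minutes` is the figure to compare with the report's 29-minute average, and the budget is what detection and containment tooling has to beat.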

The findings point to a shift in how attackers operate, with AI tools used not only for reconnaissance and credential theft but also to help evade detection. AI-enabled adversaries increased their activity by 89% year on year.

Attackers are also targeting AI systems directly. Adversaries injected malicious prompts into generative AI tools at more than 90 organisations to generate commands for stealing credentials and cryptocurrency, while vulnerabilities in AI development platforms were used to establish persistence and deploy ransomware.

Discussion of mainstream AI tools is also spreading across criminal forums. References to ChatGPT were 550% higher than mentions of any other model, suggesting attackers were exploring how to use common tools and circumvent safeguards.

Broader activity

CrowdStrike is now tracking 281 nation-state and eCrime groups after identifying 24 new adversaries in 2025. The report also recorded a 563% increase in incidents involving fake CAPTCHA lures, a 141% increase in spam emails and a rise of more than 130% in incidents linked to North Korea.

State-linked activity remained a major part of the picture. China-linked activity rose 38% in 2025, with the logistics sector seeing the largest increase in targeting at 85%. Of the vulnerabilities exploited by China-linked actors, 67% gave immediate system access, while 40% targeted internet-facing edge devices.

North Korea-linked operations also intensified. Activity by FAMOUS CHOLLIMA more than doubled, contributing to the broader increase in DPRK-linked incidents, while PRESSURE CHOLLIMA was tied to a cryptocurrency theft worth USD 1.46 billion, described in the report as the largest single financial heist ever reported.

Cloud and zero-day

Cloud environments and previously unknown software flaws also featured heavily in the report. It found that 42% of vulnerabilities were exploited before public disclosure, as attackers used zero-day techniques for initial access, remote code execution and privilege escalation.

Cloud-focused intrusions rose 37% overall, including a 266% increase among state-linked actors targeting cloud environments for intelligence collection. The trend reflects a wider move towards identities, software-as-a-service applications and cloud infrastructure, where malicious activity can blend into normal user behaviour.

The report also cited examples of AI use by named groups. Russia-linked FANCY BEAR deployed LLM-enabled malware known as LAMEHUG to automate reconnaissance and document collection, while eCrime actor PUNK SPIDER used AI-generated scripts to speed up credential dumping and remove forensic evidence. FAMOUS CHOLLIMA also used AI-generated personas to scale insider operations.

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, said the reduction in breakout time was a key sign of how intrusions have changed.

“This is an AI arms race,” Meyers said. “Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”
