
A new analysis found that, rather than relying on traditional hacking that exploits vulnerabilities to break into systems, hackers are increasingly using artificial intelligence (AI) to log in like legitimate users or employees and secure internal access privileges.

Cloudflare said in its Threat Intelligence Report 2026, published on the 5th, that recent cyberattack patterns are changing in this way. The report was compiled from information gathered as Cloudflare blocks an average of 230 billion threats a day.

The report said, "Recently, instead of persistently targeting traditional weak points such as email to 'break in' to systems, attacks that 'log in' like legitimate users to secure internal access privileges are spreading," adding, "They use AI technology to stealthily infiltrate payroll systems or trick software into recognizing them as legitimate users."

It added, "Security is expanding beyond focusing solely on blocking external intruders to continuously verifying whether users inside the network are actually trustworthy."

Cloudflare assessed that advances in AI have lowered the barrier to entry for attacks by enabling anyone to attempt sophisticated cyberattacks. According to the report, attackers are using large language models (LLMs) to analyze networks in real time to find vulnerabilities and to generate realistic deepfakes.

It also confirmed signs that Chinese state-backed hacking groups are shifting from broad, indiscriminate campaigns to precision strikes. Notably, state-supported actors such as "Salt Typhoon" and "Linen Typhoon" are primarily targeting telecommunications companies, government agencies, and IT services in North America. The report said, "They are moving away from traditional espionage and adopting a 'persistent pre-positioning' strategy, in which they plant code in rival nations' networks or systems in advance, even aiming at critical U.S. infrastructure."

In particular, it detected cases in which North Korean hackers used AI-generated deepfakes and forged IDs to bypass hiring verification and then take jobs under false pretenses at corporations in advanced economies. The report said they are hiding their actual locations by using "laptop farms" set up in the United States.

Unprecedented-scale distributed denial-of-service (DDoS) attacks are also on the rise. The report stressed, "Large botnets like 'Aisuru' have now reached a threat level capable of paralyzing entire country-level networks," adding, "Fully autonomous defense systems have become necessary to counter these ultra-high-speed attacks."

Matthew Prince, Cloudflare chief executive officer (CEO) and co-founder, said, "Attackers are exploiting security gaps caused by fragmented and outdated threat intelligence."

Blake Darché, head of Cloudflare's Cloudforce One threat intelligence, said, "Attackers relentlessly change tactics, find new vulnerabilities, and look for ways to overwhelm victim organizations," advising, "To avoid responding too late to such threats, organizations must move away from a reactive security posture and shift to a response framework based on intelligence that can be used in real time."
