CrowdStrike

As cyberattacks intensify worldwide, attackers' average breakout time was found to be 29 minutes last year, a 65% reduction in one year. The fastest attack took only 27 seconds.

CrowdStrike, a global cloud-based cybersecurity company, tracked and analyzed more than 280 adversary groups in its 2026 Global Threat Report and said on the 16th that "artificial intelligence (AI) is accelerating attacks and expanding the attack surface of corporations."

AI-driven attack activity increased 89% from a year earlier. The report said, "Attackers are targeting AI systems themselves as new attack surfaces, inserting malicious prompts into Generative AI tools at more than 90 organizations and even leveraging AI development platforms as infiltration paths," adding, "They exploited vulnerabilities in AI development platforms to establish persistence within systems and deploy ransomware, and they ran malicious AI servers masquerading as trusted services to intercept confidential data."

Attackers are weaponizing AI across reconnaissance, credential theft, and detection evasion, the report found. Intrusions now occur through trusted accounts, software-as-a-service (SaaS) applications, and cloud infrastructure, and on the surface they appear to be normal activity. The report explained, "Security teams have that much less time to respond," and "AI is both a factor accelerating attacks and a new attack target."

As AI speeds up the pace of attacks, the average breakout time was found to be 29 minutes, down 65% from a year earlier. The fastest attack occurred in just 27 seconds, and in one intrusion case, data exfiltration began four minutes after initial access.

By adversary group, North Korea–linked attacks surged 130%. The increase was driven by greater activity from the North Korea–linked group FAMOUS CHOLLIMA. Another hacker group, PRESSURE CHOLLIMA, attacked a software supply chain in February last year and stole about $1.46 billion (about 2.1 trillion won) worth of cryptocurrency in what was the largest single cyber financial crime on record.

China-linked attacks also rose 38%. In particular, attacks targeting the logistics industry increased 85%. Of all vulnerabilities exploited by China-linked attackers, 67% led to immediate system access, and 40% targeted internet-exposed edge devices, the report said.

Elsewhere, the Russia-linked group FANCY BEAR distributed large language model (LLM)-based malware (Lamehug) to automate reconnaissance and document collection. The cybercrime group PUNK SPIDER used AI-generated scripts to accelerate credential leaks and delete forensic evidence, and FAMOUS CHOLLIMA expanded insider attacks by using AI-generated virtual personas.

As attackers weaponized zero-days for initial access, remote code execution, and privilege escalation, 42% of vulnerabilities were exploited before disclosure. Intrusions targeting cloud environments increased 37% overall, and activity by state-linked threat actors targeting cloud environments for intelligence collection rose 266%.

Adam Meyers, head of counter adversary operations at CrowdStrike, said, "The current situation is reminiscent of an AI arms race," adding, "Breakout time is the clearest indicator of how the attack landscape is changing, and attackers are moving from initial access to lateral movement within just minutes."

He continued, "AI is shortening the time from intent to execution for attacks, while also making corporations' AI systems targets," emphasizing, "Security teams must move faster than attackers to gain the upper hand."
