
AI Cybercrime in 2026: What Business Leaders Need to Know About the New Threat Playbook

How generative AI, deepfakes, and LLMs are reshaping the attacker playbook, and what businesses should do about it.

In February 2025, a UK engineering firm named Arup lost roughly $25 million in a single transaction. The employee who authorized the payment believed they were on a video call with their CFO and several members of the senior finance team. Every face on the screen was a deepfake. Every voice was AI-generated. By the time the fraud was caught, the money had moved through multiple offshore accounts and was gone.

The incident is worth understanding in detail, because it captures something the security industry spent two years theorizing about and then had to accept as reality. Generative AI has collapsed the skill floor for cybercrime. The attackers no longer need to be skilled social engineers to run a convincing impersonation. They need a laptop, a few hundred dollars in compute credits, and a working knowledge of publicly available tools.

That shift is the story of AI cybercrime in 2026, and it’s the reason threat models built in 2022 are no longer adequate for businesses trying to defend against today’s attackers.

What the 2025 data actually shows

The industry did not lack for warnings about AI-enabled cybercrime. What it lacked was hard data confirming that the theoretical concern had turned into an operational reality. That gap closed last year.

IBM’s 2025 threat intelligence data found that roughly 16% of the breaches its team investigated involved some form of AI assistance. That could mean AI-generated phishing content, AI-assisted reconnaissance on target organizations, AI-scripted social engineering flows, or AI-supported malware development. In most of the confirmed cases, it meant more than one.

Figure 1. Percentage of investigated breaches involving AI-assisted tactics, 2022 to 2025. Source: IBM Threat Intelligence.

Chainalysis tracked a separate but related pattern in ransomware. Payments in 2025 fell to an estimated $820 million, down roughly 8% from the prior year. Attack volumes hit record highs at the same time. The median payment per successful extortion jumped 368%. The industry got smaller in dollars but bigger in impact, and one of the reasons is that AI tooling has made lower-tier ransomware operators viable at a scale they never previously reached.

Proxyrack’s Global Cybercrime Report 2026 pulled these threads together into a single view, drawing on Verizon DBIR, IBM, Chainalysis, and the FBI IC3 unit. The report’s central finding on the AI shift is worth stating plainly. The attacker skill floor has dropped, the attack volume has risen, and the median business impact per successful incident has climbed. That combination is what defines the 2026 threat landscape.

The FunkSec case and why it matters

Of all the data points from 2025, the FunkSec case is the one worth understanding first.

FunkSec is a ransomware group that emerged in late 2024 and scaled aggressively through 2025. Its reported victim count reached 113 in a single year. What made the group notable was not its technical sophistication. It was the opposite. FunkSec’s developers openly acknowledged in forum posts and interviews that they were not experienced coders. They had used AI tools to produce working malware, generate the encryption logic, and script the extortion infrastructure. The group’s public-facing operators appeared to be non-native English speakers using LLMs to draft ransom notes and victim communications.

Read that sequence again. A ransomware group with 113 confirmed victims, run by developers who could not have built the tooling themselves five years ago. The barrier to entry has moved.

The full data breakdown on FunkSec and other AI-assisted ransomware operations is in the Proxyrack report PDF, which includes the timeline of the group’s rise, the tooling it used, and the sectors it targeted most aggressively.

Figure 2. Number of active ransomware groups tracked quarterly, Q1 2023 to Q1 2026. Source: Proxyrack Global Cybercrime Report 2026.

What this means for defenders is not that AI has produced a new class of super-attackers. The high-end operators like Cl0p, Akira, and Qilin remain the ones producing the largest single-incident losses. What AI has done is flood the middle of the market. There are now more capable ransomware operators running at any given time than there were in 2023, and the number is still climbing. Enterprise security operations centers built for a lower baseline of attempted intrusions are going to feel this most acutely.

The FunkSec pattern is not isolated. Threat intelligence teams tracked at least a dozen similar groups emerging through 2025, each following a comparable operational pattern: small teams, minimal traditional coding skill, heavy reliance on AI-assisted tooling, and rapid targeting of small and mid-market organizations that lack dedicated security functions. The Sophos data cited in the Proxyrack report found that 88% of small and mid-sized businesses do not have a dedicated security function. That statistic explains why AI-enabled ransomware groups are finding so much room to operate at the middle of the market. The targets are less defended, the attack economics work at smaller ransom demands, and the volume of viable targets is orders of magnitude larger than the enterprise segment.

The three attack surfaces where AI is scaling fastest

Business leaders trying to prepare for 2026 should understand where AI is producing the largest operational shift, because it’s not evenly distributed across the threat landscape.

The first surface is impersonation fraud. The Arup case is not an anomaly. Deepfake video and voice cloning have become cheap enough and convincing enough that any organization with published leadership footage on YouTube, LinkedIn Live, or podcast appearances is exposed to CFO impersonation attacks. The tooling costs a few dollars per hour of compute. The source material is public. Financial approval workflows built around verbal authorization or single-approver video confirmation are the primary vulnerability. Insurance underwriters have started asking about payment approval controls in ways they were not asking in 2023, which is a leading indicator that claims frequency is climbing.

The second surface is phishing at scale. Generative AI has removed the two most reliable signals defenders relied on to detect phishing content. Broken English is gone. Contextually inappropriate phrasing is gone. Modern phishing email content is written in the tone of the target industry, references current organizational events pulled from public sources, and lands at the exact time a legitimate email from the impersonated sender would have arrived. Volume has scaled alongside quality. Some threat intelligence sources are tracking phishing email volumes up more than 300% year over year, driven almost entirely by AI-generated content pipelines.

The third surface is malware development. This is the one that got the most attention in 2024 and has produced the most measurable change in 2025. AI-assisted malware development has not produced a wave of novel high-sophistication payloads. What it has produced is a much larger volume of functional low-to-medium sophistication variants. Off-the-shelf ransomware families are being modified, rebuilt, and redeployed with variations that defeat signature-based detection at a rate no one anticipated. Endpoint detection systems that lean heavily on behavioral analysis are holding up. Systems that rely on signature matching are losing ground quarter by quarter.

The economics have shifted and defenders are catching up slowly

The most important thing to understand about AI cybercrime in 2026 is that the underlying economics have changed.

For most of the last decade, the cost of running a successful phishing campaign, developing a working ransomware variant, or building convincing social engineering content was a meaningful barrier. Attackers had to invest time and money before they could produce revenue. That barrier is largely gone. A skilled operator can produce more attack content in a day now than a team of five could produce in a week in 2022. The output quality is better. The targeting is more precise.

Figure 3. Ransomware payments fell while attack volumes climbed in 2025. Source: Chainalysis, Proxyrack Global Cybercrime Report 2026.

What this means practically is that the volume of attempted attacks is going to keep rising, and defense strategies built around detecting rare or novel attacks are going to fail. The new baseline assumes that every organization is being probed continuously, that most probes are AI-generated, and that the successful attacks will be the ones that exploit human decision points rather than technical vulnerabilities.

The defensive shift matches the attack shift. Identity and access management is now the largest category of enterprise security spend, up meaningfully from previous years. Multi-factor authentication enforcement without exceptions is becoming the minimum acceptable posture. Payment approval workflows are being restructured to require multiple independent verifications for any transaction over a threshold. None of these are new ideas. What is new is that boards and CFOs are actually approving the budget to implement them at scale, because the loss cases are starting to show up on quarterly reports.

What business leaders should do in the next 90 days

If you own a security budget or you’re on a leadership team trying to figure out where to focus, here’s the honest version of what actually works in the current threat environment.

Audit your payment authorization workflows. Every organization has a version of the “urgent CFO wire transfer” scenario that could get through. Find yours. Test it. Rebuild it if it fails. The Arup case is not a warning about the future. It’s a warning about last year.
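As an added example (not from the article or the Proxyrack report), here is the shape of the control this paragraph and the earlier section on restructured approval workflows call for: a policy check that rejects a high-value payment unless it has independent approvers and at least one verification obtained out of band, on a channel the requester did not control. The channel names, the threshold and the scenario values are constructed.

```python
from dataclasses import dataclass, field

# Out-of-band channels: the verifier initiates contact using details from the
# corporate directory, never details supplied in the request itself.
OUT_OF_BAND = {"callback_directory_phone", "in_person", "approval_portal_mfa"}
THRESHOLD = 50_000.0  # constructed value; set to your own limit
MIN_APPROVERS = 2     # independent approvers required above THRESHOLD
@dataclass
class Approval:
    approver: str
    channel: str  # channel the approval was obtained through
@dataclass
class PaymentRequest:
    amount: float
    requester: str        # who issued the instruction (may be an impostor)
    request_channel: str  # how the instruction arrived, e.g. "video_call"
    approvals: list = field(default_factory=list)

def evaluate(req):
    """Return (approved, reasons); reasons lists every control that failed."""
    reasons = []
    approvers = {a.approver for a in req.approvals}
    if req.requester in approvers:
        reasons.append("requester cannot approve their own payment")
    approvers.discard(req.requester)
    if req.amount < THRESHOLD:
        if not approvers:
            reasons.append("at least one approver required")
        return not reasons, reasons
    if len(approvers) < MIN_APPROVERS:
        reasons.append(f"need {MIN_APPROVERS} independent approvers, got {len(approvers)}")
    # At least one approval must come over a channel the requester did not control.
    oob = [a for a in req.approvals if a.approver != req.requester
           and a.channel in OUT_OF_BAND and a.channel != req.request_channel]
    if not oob:
        reasons.append("no approval obtained through an out-of-band channel")
    return not reasons, reasons

def deepfake_call_scenario():
    # Constructed: the instruction and the only "approval" come from one video call.
    req = PaymentRequest(25_000_000, "cfo_on_call", "video_call",
                         [Approval("finance_clerk", "video_call")])
    return evaluate(req)

def hardened_scenario():
    # Same instruction, but two approvers and a callback to a directory number.
    req = PaymentRequest(25_000_000, "cfo_on_call", "video_call",
                         [Approval("finance_clerk", "approval_portal_mfa"),
                          Approval("treasury_lead", "callback_directory_phone")])
    return evaluate(req)
```

The single-call scenario fails two controls at once, which is the point: the check does not depend on anyone noticing that the face on the screen is synthetic.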

Assume AI-generated phishing is landing in your inboxes now. Your email filtering is probably tuned for signals that no longer exist. Update the training material for your employees to reflect what modern phishing actually looks like, which is well-written, contextually appropriate, and timed to seem legitimate. The old advice about spotting bad grammar is worse than useless because it teaches people to trust anything that reads well.

Segment your production systems from your vendor access. The third-party breach category in Verizon’s 2025 DBIR doubled year over year, from 15% of breaches to 30%. Most of the entry points are through legitimate vendor credentials that were compromised elsewhere. If your production environment can be reached by a supplier’s compromised laptop, you’ve built the wrong architecture.

Test your ransomware recovery procedure with an actual exercise, not a tabletop review. The median ransom payment quadrupled in 2025. If recovery from backup is not an operationally viable option within 48 hours, you’re already committed to paying whatever an attacker asks. That’s not a security posture. That’s an accepting-the-loss posture.

Get ahead of the regulatory shift. The EU’s NIS2 Directive is now in full enforcement across member states, and the compliance obligations for reporting incidents within 24 hours have real teeth. The US Cyber Trust Mark rolled out for consumer IoT in 2025. CISA’s shift to more prescriptive guidance on critical infrastructure has changed how sector-specific mandates land. For organizations with cross-border operations, the compliance overhead alone is now a meaningful line item on the security budget. The underlying signal is more important than the mechanics. Regulators have concluded that voluntary cyber standards produced insufficient results, and they’re pushing organizations toward postures that reflect the current AI-enabled threat environment. If your compliance team is still operating on pre-2024 assumptions, you’re going to hit avoidable penalties over the next 12 months.

Where this goes from here

The next 18 months will be defined by whether business leaders treat the 2025 shifts as an inflection point or as a continuation of the previous decade’s trends. The evidence available now suggests they are an inflection point.

AI cybercrime is not going to slow down. The tooling is going to get cheaper, more capable, and more accessible. The attacker base is going to grow. The organizations that acknowledge this and adjust their assumptions accordingly will spend proportionally less on incident recovery than the ones still operating on 2022 threat models. That gap is going to keep widening.

Proxyrack’s Global Cybercrime Report 2026 has the underlying data if you want to go deeper on any of the specific findings. The country-level risk rankings, the ransomware group breakdown, and the third-party breach analysis are all worth reading if you’re building a 2026 security roadmap or presenting the current risk picture to a board that hasn’t been in a real cyber briefing since 2023.

The pattern is clear enough now that pretending it isn’t has become the more expensive option.


Copyright © 2026 TechBullion. All Rights Reserved.
