Agentic AI Cybercrime Surges 1,500% In New Flashpoint Threat Report


Cybercrime is changing quickly as automation, stolen identities, and fast-moving attacks become more common. A new Flashpoint report says Agentic AI is speeding up cyberattacks and changing the risks faced by businesses, insurers, and security teams.

Flashpoint’s 2026 Global Threat Intelligence Report shows that attackers are now mixing AI automation, stolen credentials, and ransomware into one fast-moving threat environment.

Flashpoint looked at underground forums, criminal marketplaces, and hacker communities. Their findings show that cybercrime is moving toward automated attacks that need much less human involvement.

“In 2026, cybercrime has reached a point of total convergence,” said Flashpoint CEO Josh Lefkowitz. “The silos separating malware, identity, and infrastructure have collapsed into a single threat engine. Agentic AI is transforming human-led campaigns into machine-speed operations.”


The Rise Of Agentic AI In Cybercrime

Threat actors now deploy autonomous Agentic AI systems that automate entire attack chains, including reconnaissance, phishing, credential testing, and infrastructure rotation.

Flashpoint saw a huge jump in interest in malicious AI tools on underground forums. Discussions mentioning AI went up by 1,500% between November and December 2025, from about 362,000 to over six million. According to the report, attackers now design systems that can:

  • Scrape target data automatically.
  • Generate tailored phishing messages.
  • Rotate infrastructure and evade detection.
  • Learn from failed attempts.

These systems reduce cybercriminals’ operational costs and dramatically increase attack speed.

The report notes that AI is acting as a force multiplier across the cybercrime ecosystem, improving the effectiveness of malware, ransomware, and social engineering campaigns.

Security researchers also observed threat actors experimenting with techniques such as prompt injection (tricking an AI into performing unintended actions), AI sidebar spoofing (faking parts of AI interfaces), and slopsquatting (registering similar-sounding names to trick users) to compromise AI tools and developer workflows.


Identity Becomes The Core Attack Vector

Cybercrime mechanics are shifting away from traditional hacking methods. Attackers now rely heavily on stolen credentials and identity artifacts.

Flashpoint recorded more than 11.1 million machines infected with infostealer malware in 2025, generating an inventory of 3.3 billion stolen credentials and cloud tokens. This shift has fundamentally changed how attackers access corporate systems.

Instead of breaking into networks, attackers log in using valid credentials, session cookies, or authentication tokens. These artifacts allow them to bypass many traditional security controls.

The report describes identity data as essential to modern exploitation. Stolen credentials can support multiple attack scenarios, including fraud, espionage, lateral movement, and extortion.

Infostealer malware, a type of malicious software that collects login credentials and other valuable data, has also expanded the modern attack surface beyond corporate networks. Attackers now harvest credentials from:

  • Employee browsers
  • Personal devices
  • SaaS platforms
  • Third-party integrations

Flashpoint analysts warn that automated AI systems could soon test stolen credentials across thousands of services simultaneously.


Vulnerabilities Are Exploited Within Hours

Another key finding from the report involves the shrinking window between vulnerability disclosure and exploitation.

Flashpoint found that 44,509 vulnerabilities were reported in 2025, up 12% from the previous year. Almost a third had exploit code available to the public.

Several high-profile flaws were exploited in the wild within hours of disclosure. Examples include critical vulnerabilities such as:

  • CitrixBleed2
  • React2Shell
  • ToolShell SharePoint vulnerabilities

Attackers increasingly target high-value infrastructure and AI development environments, including developer tools and software supply chains.

One vulnerability in the Langflow AI framework, a tool for building AI workflows, was exploited within days to power the Flodrix botnet, a network of compromised computers, according to Flashpoint’s analysis.


This trend creates significant risk for organizations that rely on traditional patching cycles.

Ransomware Evolves Toward Identity Extortion

Ransomware attacks are also changing. Flashpoint saw ransomware incidents rise by 53% in 2025. Ransomware-as-a-service groups, which rent out ransomware tools, were behind over 87% of these attacks.

However, attackers increasingly rely on identity-driven extortion rather than encryption-based attacks. Threat actors are shifting toward tactics that exploit human trust, including:

  • Social engineering
  • Help-desk impersonation
  • Insider recruitment
  • Vendor compromise

The report documented over 91,000 discussions on underground forums about recruiting malicious insiders. Once attackers gain access through legitimate credentials or insider cooperation, extortion becomes a negotiation rather than a technical challenge.

Manufacturing, technology, and healthcare industries remain among the most frequently targeted sectors.

Total Threat Convergence Reshapes Cyber Risk

Flashpoint’s report describes the current threat landscape as a state of “total convergence.” Automation, identity compromise, vulnerabilities, and ransomware now form a unified attack ecosystem.

Agentic AI plays a central role in accelerating this convergence by enabling attackers to operate at machine speed. The report warns that organizations relying on fragmented security visibility will struggle to keep pace.

Instead, defenders must adopt intelligence-driven strategies based on real-time monitoring of adversarial environments and illicit marketplaces.


Flashpoint recommends three priorities for security teams:

  • Focus on risk-based intelligence instead of raw alert volume.
  • Treat identity as the primary security perimeter.
  • Build redundancy into vulnerability intelligence and threat monitoring.

Organizations that integrate automation with human-led intelligence analysis will be best positioned to manage the emerging threat environment.


Why This Matters For Cyber Insurance

The rise of Agentic AI-driven cybercrime may significantly affect cyber insurance risk models. Automated attacks lower barriers to entry for cybercriminals and vastly increase the scale of attacks.

Credential-based intrusions (using stolen usernames and passwords) and insider-driven ransomware campaigns (where employees help attackers) also complicate incident attribution (figuring out who did what) and response timelines (how quickly defenders can act).

For insurers, these trends may lead to:

  • Higher claim frequency from credential compromise
  • Increased systemic risk from supply-chain vulnerabilities
  • Faster exploitation of newly disclosed vulnerabilities

As automation continues to reshape cybercrime operations, underwriting models may need to account for attack speed and identity-centric risk exposures.
