Industrialized cybercrime now delivers attacks with greater scale, speed and success. Defenders must match this with a similar use of AI and automation.
The industrialization of cybercrime began in the 1990s. As crime began to mimic the means, methods and motives of other industries, it effectively became a business. Business efficiency requires an efficient organization and more return for less effort; and cybercrime today achieves this through AI, automation and efficient data sharing.
FortiGuard has analyzed the current threat landscape targeted by cybercrime using telemetry from millions of sensors deployed worldwide since 2002. This analysis covers data gathered in 2025 (or the most recent 12-month window available per dataset) across multiple security domains and vectors of compromise.
AI speeds the attack process
Derek Manky, Chief Security Strategist at FortiGuard Labs, comments, “Our latest Global Threat Landscape Report reveals how malicious actors are beginning to leverage agentic AI to execute more sophisticated attacks.”
A range of AI-enabled malicious tools are now available to cybercriminals, such as WormGPT (Official), FraudGPT, HexStrike AI, APEX AI, and BruteForceAI. These are used as force multipliers that reduce skill and time requirements and allow attackers to operate at machine speed.
FraudGPT and WormGPT are used to create compelling phishing attacks. Unhindered by guardrails, these tools allow attackers to refine scams, generate malicious code, and conduct social engineering at scale.
HexStrike AI assists with “automated reconnaissance, attack-path generation, and malicious content creation”. APEX AI offers APT-style attack simulation – including automated OSINT, attack chaining, and kill-chain generation to model end-to-end compromise paths up to payload deployment.
BruteForceAI is a pentesting tool that identifies login form selectors and executes multi-threaded attacks with human-like behavior patterns.
Use of these malicious tools does not create new exposure, but it reduces the time required to activate existing exposure – further contributing to an ongoing collapse of predictive security.
Automation finds the vulnerabilities
Finding vulnerabilities to target is automated through global scanning with standard commercial tools: Qualys to locate vulnerable software versions and misconfigurations; Nmap for port scanning and service fingerprinting; and Nessus and OpenVAS for vulnerability enrichment.
Data sharing fine-tunes the cybercrime business
In many cases, access to targets is already available on underground markets. “Databases, credentials, validated access paths, and attacker tooling are continuously advertised and exchanged, forming an upstream supply chain that feeds downstream intrusion activity,” reports FortiGuard.
This data is primarily obtained via infostealers such as RedLine (the most prolific), Lumma and Vidar. Access brokers then sell validated access into enterprises. The most frequently advertised access types are corporate VPNs and RDP.
The cybercriminal business is further enhanced by widespread discussion between the business operatives. FortiGuard reports that 656 vulnerabilities were actively discussed on the darknet in 2025. Within these, 344 (52.44%) had publicly available PoC exploit code, 176 (26.83%) had working exploit code, and 149 (22.71%) had both PoC and working exploit code available.
“CVEs become ‘industrial’ when they are sufficiently packaged with scripts, modules, guides, proof code, and operational playbooks, so exploitation can run as a repeatable loop rather than a bespoke intrusion,” warns the report.
The effect of this industrialization of cybercrime
A primary effect of the new cybercrime business has been the collapse of the time-to-exploit.
“Not long ago, time-to-exploit averaged nearly a week. That window has now collapsed to 24 to 48 hours for most critical vulnerabilities, and in some cases, exploitation begins within hours of public disclosure,” comments Douglas Santos, director of advanced threat intelligence at FortiGuard. “The trajectory is clear, though: as AI accelerates reconnaissance, weaponization, and execution, it’s only a matter of time before ‘hours or even minutes, not days’ becomes the norm across the board. The reality is, we’re not approaching that point, we’re already seeing early signs of it.”
Ransomware remains the scariest attack type and most easily monetizable for the criminals. The report notes that globally there were 7,831 confirmed victims in 2025. The three most active ransomware groups were Qilin, Akira and Safepay, and the most targeted geographic areas were the US (3,381 victims), Canada and Europe.
“The global attack surface is already mapped, continuously refreshed, and maintained in an operational readiness state,” says FortiGuard.
Defending against industrialized cybercrime
Business efficiency in the cybercrime sector has increased the speed, scale and success of attacks. Defense must similarly scale – especially in its speed of detection and response. The speed of adversarial AI and automation can only be matched by the use of defensive AI and automation.
FortiGuard specifically recommends prioritizing identity-centric detection, exposure reduction, and automation to match the machine-speed operations of attackers.
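As an added illustration (not taken from the FortiGuard report), the sketch below shows one way a vulnerability team could automate remediation deadlines around the figures quoted above. The 24 and 48 hour windows and the VPN/RDP emphasis come from the article; the one-week default, the tiering rules, the finding fields and the sample findings are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# 24/48 mirror the time-to-exploit window quoted in the article;
# 168 hours (one week) is an assumed default for everything else.
URGENT_H, FAST_H, DEFAULT_H = 24, 48, 168
# Access types the article says are most frequently advertised by brokers.
BROKERED = {"vpn", "rdp"}

def window_hours(f):
    """Hours allowed between public disclosure and fix or mitigation."""
    exposed = f["internet_facing"]
    # Exposed and exploit-ready, or exposed VPN/RDP with public PoC: act in a day.
    if exposed and (f["working_exploit"] or (f["poc"] and f["service"] in BROKERED)):
        return URGENT_H
    # Critical severity, or any sign of exploit packaging: two days.
    if f["severity"] == "critical" or f["working_exploit"] or (exposed and f["poc"]):
        return FAST_H
    return DEFAULT_H

def triage(findings, now):
    """Return findings ordered by deadline, flagging those already overdue."""
    rows = []
    for f in findings:
        deadline = f["disclosed"] + timedelta(hours=window_hours(f))
        rows.append({"id": f["id"], "deadline": deadline, "overdue": now > deadline})
    return sorted(rows, key=lambda r: r["deadline"])

def _finding(id_, day, severity, service, exposed, poc, working):
    return {"id": id_, "disclosed": datetime(2025, 6, day, tzinfo=timezone.utc),
            "severity": severity, "service": service,
            "internet_facing": exposed, "poc": poc, "working_exploit": working}

# Constructed sample findings with placeholder identifiers (not real CVEs).
SAMPLE = [
    _finding("VULN-A", 1, "critical", "vpn", True, True, False),
    _finding("VULN-B", 2, "high", "web", True, True, False),
    _finding("VULN-C", 1, "medium", "db", False, False, False),
    _finding("VULN-D", 2, "critical", "rdp", False, False, True),
]
NOW = datetime(2025, 6, 3, 12, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for row in triage(SAMPLE, NOW):
        state = "OVERDUE" if row["overdue"] else "open"
        print(f'{row["id"]}  due {row["deadline"]:%Y-%m-%d %H:%M}Z  {state}')
```

Feeding this from scanner output and exploit-availability intelligence turns the 24 to 48 hour window into a deadline that can be tracked per finding.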
Meanwhile, the firm says it will continue to play its own part in the fight against industrial cybercrime. Over the last year it has engaged with several international cybercrime disruption efforts, including: “INTERPOL Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative with the World Economic Forum, working with cybersecurity peers through the Cyber Threat Alliance (CTA), and a new Cybercrime Bounty program launched in partnership with Crime Stoppers International.”