Today’s cybercriminals launch attacks with a scale, speed, and success rate typical of industrial enterprises. To fight back, defenders need to equip themselves with the same level of AI and automation.
The roots of cybercrime’s industrialization trace back to the 1990s. As criminal operations adopted the structure, tactics, and objectives of legitimate industries, they evolved into a full-fledged business. Running a business profitably demands efficiency—more output with less input—and modern cybercrime accomplishes this through AI, automated systems, and the seamless exchange of data.
FortiGuard conducted a comprehensive analysis of the threats dominating today’s cybercrime landscape, drawing on telemetry from millions of sensors deployed across the globe since 2002. This assessment incorporates 2025 data (or the latest 12-month period available for each dataset) spanning numerous security categories and attack vectors.
AI accelerates the attack pipeline
Derek Manky, Chief Security Strategist at FortiGuard Labs, shares, “Our latest Global Threat Landscape Report exposes how threat actors are starting to harness agentic AI to carry out increasingly advanced attacks.”
A growing arsenal of AI-powered hacking tools is now readily accessible to cybercriminals—WormGPT (Official), FraudGPT, HexStrike AI, APEX AI, and BruteForceAI among them. These tools act as force multipliers, lowering skill barriers and shortening attack timelines while empowering adversaries to operate at machine speed.
FraudGPT and WormGPT are employed to craft highly convincing phishing campaigns. Free from the safety guardrails that constrain legitimate AI, these tools enable attackers to polish fraudulent schemes, produce harmful code, and execute large-scale social engineering operations.
HexStrike AI supports “automated reconnaissance, the generation of attack paths, and the creation of malicious content.” APEX AI provides APT-grade attack simulations, including automated OSINT collection, chaining of attacks, and kill-chain development to map out full compromise pathways right up to the point of payload delivery.
BruteForceAI is a penetration testing utility that detects login form elements and launches multi-threaded brute-force attacks while mimicking human-like behavior to evade detection.
While these malicious instruments don’t generate new vulnerabilities on their own, they dramatically shorten the window needed to exploit known ones—pushing predictive security models even closer to obsolescence.
Automation uncovers the weaknesses
Identifying which vulnerabilities to exploit is largely automated through broad-based scanning using widely available commercial tools: Qualys for spotting out-of-date software and configuration errors; Nmap for port scanning and identifying running services; and Nessus and OpenVAS for enriching vulnerability data.
Data exchange sharpens the cybercrime enterprise
In many instances, pathways to potential targets are already readily available for purchase on underground forums. “Databases, credentials, verified access routes, and attacker toolkits are constantly being advertised and traded, creating an upstream supply chain that fuels downstream intrusion campaigns,” according to FortiGuard.
Much of this data originates from infostealers—most notably RedLine, followed closely by Lumma and Vidar. Access brokers then monetize this intelligence by selling verified entry points into corporate networks. The most commonly offered types of access involve corporate VPNs and RDP connections.
The cybercrime marketplace is further fueled by extensive communication among its participants. FortiGuard found that 656 distinct vulnerabilities were actively debated on darknet platforms in 2025. Of those, 344 (52.44%) had public proof-of-concept exploit code available, 176 (26.83%) had functional exploit code in circulation, and 149 (22.71%) had both proof-of-concept and working exploit code at hand.
“CVEs turn into ‘industrial assets’ when they come packaged with scripts, modules, tutorials, demonstration code, and operational guides, allowing exploitation to function as a repeatable cycle rather than a one-off intrusion,” cautions the report.
The impact of cybercrime’s industrialization
One of the most significant consequences of the modern cybercrime model has been the dramatic compression of the time-to-exploit metric.
“Historically, the average time-to-exploit was close to a week. That gap has now shrunk to just 24 to 48 hours for most critical vulnerabilities, and in certain cases, attacks begin within mere hours of public disclosure,” notes Douglas Santos, director of advanced threat intelligence at FortiGuard. “The trend is unmistakable: as AI speeds up reconnaissance, weaponization, and execution, it’s merely a matter of time before ‘hours or even minutes, not days’ becomes the standard across the board. In truth, we’re not heading toward that reality—early indicators are already here.”
Ransomware continues to represent the most feared attack vector and the most direct path to monetization for adversaries. The report documents 7,831 confirmed victims globally in 2025. The three dominant ransomware syndicates were Qilin, Akira, and Safepay, while the hardest-hit regions were the United States (3,381 victims), Canada, and Europe.
“The global attack surface has already been mapped, is being continuously updated, and remains in a state of operational readiness,” FortiGuard states.
Countering industrialized cybercrime
Efficiency gains within the cybercrime sector have amplified the speed, scale, and effectiveness of attacks. Defensive strategies must scale in lockstep—particularly when it comes to how quickly threats are detected and neutralized. The only way to keep pace with adversarial AI and automation is through equally sophisticated defensive AI and automation.
FortiGuard specifically advises that organizations focus on identity-driven detection, reducing their attack surface, and deploying automation to match the machine-speed tempo of modern attackers.
Alongside these recommendations, the company emphasizes its own ongoing contributions to combating organized cybercrime. Over the past year, it has participated in multiple international disruption initiatives, including: “INTERPOL Serengeti 2.0 and Operation Red Card 2.0, the Cybercrime Atlas initiative in collaboration with the World Economic Forum, cooperation with cybersecurity partners through the Cyber Threat Alliance (CTA), and the introduction of a Cybercrime Bounty program developed in partnership with Crime Stoppers International.”