TAMPA, Fla. — June 23, 2026– ReliaQuest today detailed how AI is now at the heart of threat actor attacks at every step, dramatically accelerating the pace and lowering the cost of cybercrime attacks against organizations.
The third ReliaQuest annual AI-powered cybercrime report specifically details how threat actors are integrating AI across their attack workflows; in the same way everyday workers are using in their own day-to-day desk jobs. From writing more convincing phishing pages at scale, building web shells, harvesting credentials and improving the fluency of social-engineering content, AI is making cyber attacks more efficient and effective.
In one example, AI-assisted web shells were deployed in just 60 seconds – far faster than a human alone can match. The research also uncovered a thriving marketplace on the dark web for AI attacker tools, ranging from deepfake face-swap tools to end-to-end AI attack software.
“AI has changed the game of cybersecurity, making it cheaper, faster and easier than ever for threat actors to do real damage to large organizations,” said ReliaQuest founder and CEO Brian Murphy. “But the defensive side has an AI advantage too. Agentic defense is the new frontier for security operations, allowing us to move within seconds to detect and contain cyber threats. The organizations winning this fight are those leaned in and taking full advantage of these powerful tools.”
Cyber defenders remain a step ahead. Threat actors routinely complain about being hampered by guardrails on frontier models such as Claude, Grok, and ChatGPT. While ‘jail break’ prompts for these models continue to circulate, guardrails break the consistency of attacks with one forum member referring to GPT Models as “unusable for a long time now.” Commenting on the very latest models, referencing GPT 5.5 and Claude Fable 5, another threat actor commented: “even the smartest model will be useless for our purposes if you can’t bypass its restrictions.”
Instead, criminal preference has shifted toward uncensored open-weight models such as Qwen, Dolphin, and Mistral. While these lack the performance ceiling of frontier systems, they are more predictable, can run locally for privacy, and don’t depend on a cloud provider keeping a session alive. Forum users are explicit about the trade-off between models with lower tier models treated as more stable options for offensive or quasi-offensive work because they’re seen as harder to interrupt mid-session.
Attackers are also using demand for AI tools and trust in AI brands to get users to install malicious extensions, run commands, or follow fake setup steps that looked routine enough to pass initial scrutiny. This pattern was observed across sectors and actor type, from “ShinyHunters”-linked social engineering and “ClickFix”-driven malware delivery to DPRK IT-worker fraud. The goal varied, including extortion, access, fraud, or espionage support, but AI consistently enabled these operators to achieve more, faster, with less effort.
Read more at: https://reliaquest.com/campaigns/how-threat-actors-use-ai/executive-summary
About ReliaQuest
ReliaQuest is an agentic AI cybersecurity company whose platform, GreyMatter, serves as the Agentic Defense for the enterprise — defending organizations against AI-accelerated attacks. Any defender can harness that AI to detect threats, run investigations, execute response, and hunt across their entire tech stack in plain language without requiring any tool expertise. GreyMatter makes this possible through three capabilities: the Universal Translator, which automatically normalizes telemetry across any vendor without data centralization; Detection at Source, at Storage, or in Transit, which catches threats where data lives or as it moves before it is ever indexed, parsed, or stored; and Agentic Orchestration, which combines a natural language operating layer, multiple autonomous agentic systems, and an AI Model Broker that continuously selects the best model for every task based on speed, cost, and accuracy. GreyMatter enables organizations to re-architect their security environment for speed, efficiency, and cost control. ReliaQuest has been making security possible since 2007.
