While working on the Transparent Tribe’s vibeware research, we have encountered two distinct camps, the optimists and the skeptics. What makes the current dialogue unique is that both sides can be right at the same time. There is, however, a clear operational reason why we encounter "AI attacks" primarily on professional social media feeds rather than within our own telemetry logs. In this article, we analyze the factors explaining why Skynet is not here yet, and how, much like a shark, AI does not need to be innovative to be dangerous.

LLM Architecture Bias

LLMs are mathematically optimized to predict the most likely outcome, while hacking is the art of identifying the statistical anomaly.

LLMs are designed to predict the most statistically probable next token. They are excellent at the average, but poor at the exceptional. A hacker, by contrast, is a practitioner of statistical anomaly, actively seeking the low-probability, unpredictable flaw - the single, unconventional entry point that breaks established conventions.

Asking an LLM to "hack" is architecturally counter-intuitive. You are requesting a system optimized for statistical probability to find a statistical anomaly. Because LLMs prioritize the "most likely" path, they naturally gravitate toward derivative, well-documented techniques, while genuine innovation in exploitation requires navigating improbable logic errors that the models are trained to smooth over.

It is like using a GPS to find a shortcut. The GPS (the AI) will always give you the most common, standard route that everyone takes. A hacker knows you can cut through a broken fence behind the gas station to save ten minutes. The AI will never suggest the fence because it isn't in the "average" training data.

Yes, but while the core architecture is probabilistic, modern reasoning models with extended context windows are starting to find complex vulnerabilities in disconnected parts of code that simple pattern-matching tools often miss.

The Requirement for Determinism

You cannot build a multi-billion-dollar criminal enterprise on an encryptor that hallucinates its own file paths or encryption keys.

In the context of malware, hallucinations are a mathematical certainty, rather than just a bug to be patched. A hallucinated IP address or file path breaks the kill chain. Because the model is probabilistic, you can never guarantee 100% determinism, which is the one thing malware developers require.

If a ransomware encryptor hallucinates an exfiltration server or corrupts the encryption key generation even 5% of the time, the entire operation fails. You cannot build a business model on that level of unreliability.

Yes, but while purely AI-generated malware is plagued by probabilistic hallucinations, an AI-assisted approach allows a human to rapidly generate mostly reliable (albeit easily detectable) code.

Optimization for the Wrong Objective

If you want to break into a house, you do not want 1,000 people banging on the front door.

There is a misconception that "AI doing 1,000x more operations than humans" is an advantage. In data exfil operations, volume is often a liability, and false positives are fatal. An autonomous agent that aggressively scans a honeypot or stumbles into a decoy server will burn infrastructure that took months to build. AI lacks the intuition to "stop and think."

If you want to break into a house, you don't want 1,000 people banging on the front door. You want one person silently picking the back lock. Volume is great for spam or DDoS, but counterproductive for stealthy lateral movement.

This principle of minimalism extends from the operation to the malware itself. Professional APT toolsets are defined by a modular architecture where discrete components work in concert to minimize the forensic footprint. The EggStreme malware framework is a prime example of this philosophy. It prioritizes a low profile by using specialized, lightweight modules rather than a single, all-encompassing binary. In contrast, we are seeing a trend of malware that treats code volume as a metric of sophistication. These AI-generated samples often boast tens of thousands of lines of code as if the sheer size is a technical "flex." In reality, this bloat is a massive disadvantage. It increases the detection surface for EDR sensors and makes the malware easier to signature. For a professional, a 50 KB modular stager is a weapon, whereas a 50 MB AI-generated monolith is an elephant in the porcelain shop.

Yes, but operational noise is only a liability if someone is actually watching. Post-incident investigations frequently show that clear signs of intrusion were logged but ignored due to a lack of active monitoring.

Market Solvency and Trust

Criminal extortion is built on business trust.

The Ransomware-as-a-Service economy is built on a fragile paradox: criminal extortion requires business trust. Victims do not pay for encryption; they pay for restoration. This multi-billion dollar industry hinges entirely on the market's confidence that payment guarantees a working decryptor.

AI introduces a fatal variable: non-determinism. If an AI-generated encryptor "hallucinates" and the data becomes irretrievable (even to the attacker), the word spreads that paying a ransom no longer guarantees recovery. The entire industry's conversion rate collapses. Therefore, established RaaS cartels likely view unreliable AI not as an innovation, but as a liability. In an ecosystem where reputation is currency, participants who deploy buggy, AI-generated malware that "poisons the well" put the entire ecosystem in danger and may find themselves targeted by the very syndicates they are trying to emulate.

Yes, but some emerging groups like 0APT are already effectively scamming both victims and other criminals regardless of long-term market trust.

The Intent-Capability Disconnect

Writing "Win the lottery" on a napkin does not make you a millionaire.

It is easy to look at a line of code asking an AI to exploit a vulnerability and assume the attack is successful. But a prompt is a request, not a capability. 

We often see that an agent asks an AI to perform a task, but we rarely scrutinize the reliability of the answer. When we do, the results are often operationally useless. A good demonstration is a PromptLock analysis titled “I tested the world’s first AI ransomware… And it was a disaster”.

Finding a script that says response = model.generate("Hack the Planet ") is like finding a piece of paper that says "Win the lottery." Just because you wrote down the instruction doesn't mean the outcome will happen.

Yes, but the rapid evolution of agentic workflows means AI is becoming increasingly capable of self-correcting and troubleshooting its own code, narrowing the gap between intent and execution.

Reporting Distortion

The headline claims an AI breakthrough, but the technical "asterisk" reveals it only works when the target’s defenses are manually turned off.

Headlines and social media posts often ignore technical caveats to tell a better story. Many AI breakthroughs only work if security features like sandboxing are disabled, or require noisy, constant LLM connections that make them operationally useless. Some reported attacks were even entirely hallucinated, where agents claim successes that never occurred. Following a series of intense internal debates regarding the validity of some claims, we even decided to look at the fine print of four different AI threat reports in our recent webinar, "What the heck even is an AI-attack".

Yes, but even with those asterisks, we are seeing continuous evolution. This constant hyperbole creates threat fatigue and a dismissal of AI threats, which may cause defenders to ignore a genuine, low-noise breakthrough because it is lost in a sea of previous distortions.

The Industrialization of Mediocrity

All AI attacks that we've analyzed are a technical regression compared to even average attackers. After reading this, you might conclude that we are AI skeptics. We are not. We are AI realists. We recognize that AI is a transformative technology that will reshape the threat landscape.

AI does not need to be innovative or highly sophisticated to deliver significant results for attackers. While LLMs are optimized for convention rather than the unconventional mindset of a hacker, they excel at industrialization and standardization. This capability allows them to drive the marginal cost of an attack down, with the potential of turning cybercrime into a high-volume numbers game. As we concluded in the APT36 research: “The reality is not a breakthrough in malware sophistication, but an optimization of the mediocre.”

In the short term (next three years), we can expect to see the exploitation of the Infrastructure Monoculture. While AI agents struggle with complexity and novelty, they thrive on pattern recognition and standardization. This creates a specific vulnerability for modern, standardized environments, often paired with substandard security. These are organizations running "out of the box" tech stacks, such as default Microsoft 365 environments, standard AWS configurations, or uncustomized SaaS platforms. For decades, small and medium businesses relied on the illusion of 'security by obscurity.' The internal logic was comforting: 'We are too small to be targeted.' The external reality was much harsher: 'Your breach was just too small to make the headlines.' They were never safe from attacks; they were only safe from the news cycle.

Because these environments look identical across thousands of companies, they are the perfect hunting ground for AI agents. If your infrastructure is a commodity, your breach will be a commodity. The limiting factor for cybercrime has always been human bandwidth. Human hackers have only so many hours in the day, so they naturally prioritize targets with the highest payout. AI removes this constraint. An automated AI loop does not care if a target only yields a $500 ransom. If the attack costs $5 to execute, a $500 payout is a massive return on investment. We face a potential future where the "floor" for victimization is raised suddenly, and we can expect a “WannaCry 2.0” moment that will act as a harsh filter that separates the diligent from the negligent.

For our long-term speculative prediction, we look to the structural evolution of the ransomware economy. A common misunderstanding is that RaaS operates like a software subscription. It does not. It operates like the gig economy. Ransomware groups are the platforms, similar to car sharing operators, while affiliates are the drivers who perform the actual work and retain most of the profit, typically around 80%. This creates a massive financial incentive for operators to cut labor costs and replace expensive human affiliates/hackers with AI agents to capture 100% of the revenue. However, do not expect this in the near future. Just as self-driving cars have faced technical and regulatory stalls, autonomous ransomware will face many challenges before it becomes a viable business model.

Conclusion & Recommendations

We have reached a point where we can accurately evaluate the risks of AI threats and see where they are heading, yet the reality remains that AI currently benefits defenders more than attackers. While many recommendations call for speculative future technologies to counter fictional AI threats, everything we have seen so far is effectively stopped by existing technology. If anyone claims that companies need to stop relying on signatures and adopt AI to "catch up with attackers," they are nearly two decades late, as this transition happened in our industry a long time ago.

  • Catch up with basic cybersecurity hygiene: Most AI-driven attacks target low-hanging fruit and standardized environments. The security best practices are not obsolete; they remain the most effective way to raise the cost of an attack beyond what an automated script can profitably execute. Defense-in-depth, multilayered security remains highly effective against both human and AI attackers.
  • Make your environment hostile to automated playbooks: AI-driven attacks and ransomware affiliates both rely on predictable endpoints and documented MOs to navigate. Introducing unpredictability across every device disrupts these standardized scripts, forcing attackers into manual, detectable actions. This secures systems against today’s threats and future AI risks. If you want to see how this dynamic hardening would look in your environment, take our free assessment here.
  • Deploy EDR/XDR sensors with SOC/MDR: AI-driven attacks are noisier than the stealthy "Living off the Land" techniques favored by human operators. This increased signal makes EDR and XDR sensors more effective at identifying automated campaigns. Maintaining consistent visibility is the primary challenge for lean security teams. If internal resources are struggling with a 24/7 monitoring cycle, an optimized EDR/XDR platform or Managed Detection and Response (MDR) model provides the necessary oversight. This approach ensures that the telemetry generated by automated tools is analyzed in real time, rather than sitting in a queue until a breach has already occurred.

About the Author: Martin Zugec works as the Technical Solutions Director at Bitdefender, helping to protect the world from cybercrime. He has over 20 years of field experience, working as an architect on virtualization projects and traveling around the world. Combining his passion for storytelling with real-world experiences, Martin is a regular speaker at major industry conferences and a cybersecurity blogger. His talks span an array of subjects, encompassing everything from the tactics of threat actors and the evolving ransomware landscape to enhancing efficacy within security operations.
