The rise of AI-powered cyber threats

But as with any new internet connected technology, cyber criminals are already exploiting AI tools to help facilitate attacks and scams. They also don’t need to think about data privacy or ethical considerations in how the tech is used – or abused.

“The bad guys are definitely using this. They’re unconstrained in how they’re using it – and it’s almost zero cost for them to have some very sophisticated capabilities to pretend they’re someone else or run interactive programs to break into things,” says Mahony.

One example of attackers exploiting AI is what he describes as “a huge uptick in synthetic identity” particularly from North Korea. These campaigns see North Korean citizens – at the behest of the regime in Pyongyang – exploiting AI tools to apply for remote jobs at technology suppliers, cryptocurrency firms and even cyber security companies. Not only do they use AI to help send off CVs and covering letters for their initial applications, they’re also using live deepfake technology to alter their image and voice on video calls to hide who they really are. 

“They need these synthetic identities to get jobs and money. They also want to use these identities to get into places and exfiltrate information,” says Mahony.

But where nation-state cyber threat operations go, cyber criminal groups don’t take long to follow – and they’re already abusing AI to illicitly make money. Just look at how cyber criminals have exploited deepfakes to pose as company executives steal millions with wire fraud, or using voice cloning to pose as high-profile individuals to facilitate scams against the general public.

“The commoditisation of these tools is already happening. You don’t necessarily need the backing or purse of a nation-state – you can do it with tools that are almost free to use,” says Mahony. 

But while malicious cyber attackers can – and do – exploit the latest technologies to conduct campaigns, Mahony points out how so many hacks scams still occur through tried and tested tools, techniques and procedures – particularly those targeting cloud-based services and login credentials.

“When we look at corporate credentials that are exposed, when you trace back where the exposure occurred, most often it comes from the home computer of the person, which isn’t up-to-date with security,” he says.

It could be as simple as someone using their personal laptop to quickly check emails. But their personal computer isn’t likely to have security controls which are as strong as those on their corporate device, making it less difficult for them to accidentally follow a phishing link or install malware. But that’s something which could compromise the whole company.

“There’s nothing intentional about it, but someone made a decision about what to do and that decision might have compromised the information,” adds Mahony.

The importance of getting cyber security basics right

Mahony recommends that organisations should follow standard cyber security procedures to ensure their accounts, employees, customers and partners are defended against cyber threats.

“Sometimes, people forget about the basics – but you’ve got to do those things,” he says. “Turn on two-factor authentication for everything – there should be nothing you’re logging into without it.”

Mahony also stresses the importance of regularly making backups of critical data and storing it offline: “It seems so basic, but if you have a clean backup, if you get attacked with ransomware, then you have your data – you can still operate.” 

“2025 has been the year of the mid-market ransomware. It’s not all these big companies that you hear about – the ransomware gangs have gone after mid-market and lower market victims”

Colin Mahony, Recorded Future

Ransomware has remained a major cyber security issue throughout 2025 with significant incidents affecting major companies including Marks & Spencer and Jaguar Land Rover. But while these attacks against well-known corporations have created headlines – and had significant economic impacts – Mahony argues that more attention needs to be focused on ransomware attacks against smaller targets.

“2025 has been the year of the mid-market ransomware. It’s not all these big companies that you hear about – the ransomware gangs have gone after mid-market and lower market victims, extorting them, even for lower amounts of money,” he says.

While these attacks might not be as lucrative as “big-game hunting” campaigns, they still cause significant damage and disruption. Smaller businesses could be more tempted to pay a ransom, because the alternative is going out of business. Mahony expects this trend to continue into 2026. “I think we will see more of these attacks,” he warns.

Defending networks and keeping unauthorised intruders from breaking in is understandably a key focus of cyber security. But with attackers increasingly turning to social engineering and deepfakes to get hold of legitimate login credentials, detecting an active intrusion is getting harder. 

“There’s a realisation that the bad guys are already in,” says Mahony. “The next 12 months are going to be about working across environments and technologies to leverage autonomous capabilities to get ahead of it – to find what’s in the systems and to root them out.”

He believes playbooks should be prepared to help identify and remediate threats which are already inside the network. “One of the best things that organisations can do is run different exercises and drills. Every security team can run capture-the-flag exercises to find the threats and know what they’re going to do when there is a threat.”

Mahony argues that incident response isn’t something that the information security team alone should be prepared for – business operations and leadership should be involved to ensure that everyone knows their role in the event of a cyber attack as it could save the business.

“Running simulations and exercises to make sure the leadership organisation can function well can be the difference between a company that gets shut down or a company that keeps operating,” he says. “That’s not just a technology thing, it’s a ‘Do we have a properly functioning crisis capability?’ thing. It’s great to practice this for cyber attacks – but if you do practice that, it’s great practice for any crisis management situation you may encounter. Every organisation should do that.”