
When news broke late last year that Anthropic had disrupted what it described as the first AI-orchestrated cyber espionage campaign via Claude, it marked a shift in tone. For months, the dominant concern had been jailbreaks, clever prompts, and the cat-and-mouse game between model safeguards and those trying to bypass them. But that framing is already dated. The real story now is far less theoretical and far more operational: criminals are not trying to break these systems, they are using them. And they are using them effectively.
Across the ecosystem, we are seeing a steady move from experimentation to integration. Off-the-shelf large language models from providers like OpenAI and Anthropic are being folded into everyday cyber criminal workflows. Not as a novelty, but as a utility. They draft phishing lures at scale, translate scams into fluent local languages, generate scripts to automate reconnaissance, and help triage stolen data. None of this requires sophisticated prompting. It requires access, and a willingness to iterate.
That matters, because it changes the nature of the risk. If the barrier to entry is low and the tools are widely available, the focus shifts from rare, high-end misuse to persistent, low-friction abuse. In other words, it becomes a volume problem.
Take phishing as a simple example. The difference between a poorly written email and a convincing one has always mattered. With modern LLMs, that gap has narrowed dramatically. Criminals can now produce context-aware messages that reference real companies, mimic internal tone, and adjust for cultural nuance in seconds. We are also seeing models used to generate variations of the same lure, helping attackers evade detection systems that rely on pattern matching.
Then there is data handling. Once inside a network, attackers often need to sift through large volumes of files to find what is valuable. LLMs can assist with classification, summarisation, and extraction. They can identify sensitive documents, pull out credentials or financial information, and even suggest next steps based on what they find. This is not glamorous work, but it is exactly the sort of task where automation delivers real gains.
None of this has gone unnoticed by the major providers. OpenAI and Anthropic, to their credit, are investing heavily in detection, monitoring, and enforcement. Accounts are being suspended. APIs are being cut off. Safeguards are improving. From a defensive standpoint, this is both necessary and welcome.
But it is also having an unintended effect.
Criminals are rational actors. They will use the best tools available to them for as long as those tools remain accessible. Frontier models offer clear advantages in reasoning and capability, so they are the first choice. But they also come with constraints. They cost money. They operate under terms of service. And, crucially, they can be switched off.
If an attacker builds part of their operation around a commercial API and that access is revoked, the disruption is immediate. Workflows break. Campaigns stall. Revenue is lost. That creates an incentive to look elsewhere.
We are already seeing what that “elsewhere” looks like. The majority of actors are happy to play the cat-and-mouse game in order to maintain access to frontier models. Because they can steal valid credentials from victims using their existing, mature identity theft ecosystem, they have an effectively infinite pool of accounts they can keep using. Frontier providers then have to cancel these hacked accounts once detected, but face the customer service overhead that comes with that.
Some other actors will turn to models developed in jurisdictions where enforcement is less likely to affect them, including offerings such as DeepSeek. Others are experimenting with open or locally deployable models like Qwen. The appeal is straightforward: control.
A locally hosted model cannot be taken away by a provider. It does not rely on an external API. It can be tuned, modified, and integrated without oversight. For certain types of activity, that is more than enough.
There is a tendency to assume that these models are inherently weaker, and therefore less of a concern. That is only partly true. If the task is cutting-edge research or complex reasoning, frontier systems still have the edge. But much of cyber crime does not require that level of sophistication. Parsing files, generating scripts, rewriting text, analysing logs: these are all well within the capabilities of today’s local models.
In our own testing, the gap is narrower than many expect. For a range of “bread and butter” malicious tasks, locally run models perform perfectly adequately. They may be slower. They may require more setup. But they get the job done.
And this is where the trajectory becomes clear.
The models criminals are using today are the worst they will ever have. Performance will improve. Costs will fall. Tooling around deployment and fine-tuning will become more accessible. What feels like a compromise now will look like a default choice in a relatively short space of time.
This does not mean we are about to see a wholesale reinvention of cyber crime. Claims that AI will completely overhaul criminal business models should be treated with a degree of scepticism. The fundamentals remain the same: access, persistence, monetisation. What is changing is the efficiency with which those goals can be pursued.
AI is an accelerant, not a replacement.
It is also worth remembering that the criminal ecosystem tends to lag behind cutting-edge research. There is a natural delay between what is possible and what is widely adopted. But once a technique proves useful, it spreads quickly. We are at that inflection point now with LLMs and agentic AI.
So what should the industry take from this?
First, focusing solely on jailbreaks and prompt injection misses the bigger picture. The more pressing issue is legitimate access being used for illegitimate ends. Detection and response strategies need to reflect that reality.
Second, clampdowns by major providers are necessary, but they are not a silver bullet. They will push some activity out of reach, but they will also push some actors towards alternatives that are harder to monitor.
Finally, we need to think in terms of ecosystems, not individual tools. As capabilities diffuse and decentralise, visibility becomes more challenging. Defenders will need to invest in understanding how AI is being used across the attack chain, not just at the point of entry.
The shift to a hybrid of hacked frontier model access in parallel with local models is not a distant possibility. It is already under way. The question is not whether criminals will make that move, but how quickly, and how prepared we are when they do.

