Category: Cybercrime

Part 3 of AI Powered Cybercrime

Sextortion isn’t new. Velocity has increased, personalization has sharpened, and attackers can now run campaigns at industrial scale. This wave is a collision event between the first two posts in this series: facilitation (credible intimidation) and scale (high-volume delivery). AI Powered Cybercrime – How AI Supercharged a Sextortion Wave.

Many security programs have an important blind spot: they treat coercion as a personal problem. In reality, coercion quickly becomes an enterprise problem when it pressures employees into silence, errors, or unsafe, unethical, illegal behavior.

What happened (high level)

Following the large-scale exposure of personal data from a data broker, threat actors began sending extortion emails that included real names, real email addresses, and real home addresses. The goal was not technical proof; it was psychological terrorism. When a recipient of these types of emails and/or files sees real personal details, the scam feels “more real,” even if the core claim is false.

Some variants escalated intimidation by including a photo of the victim’s home sourced from publicly available mapping imagery. That addition is a masterclass in facilitation: it takes something the attacker can generate cheaply and turns it into a credibility anchor that increases stress and compresses decision time.

Why it works: plausibility beats truth under pressure

Most victims don’t evaluate these messages like analysts. They evaluate them like humans under threat, with emotion. The campaign design is built around that reality: shock, shame, urgency, and a narrow window to “fix” the situation. The scam doesn’t need to be technically accurate to be operationally effective; it only needs to feel plausible long enough to trigger payment.

This is the same vibe hacking dynamic we see in enterprise fraud: urgency is used as a control bypass. When the attacker can manufacture plausibility quickly, policy and verification become the only reliable defenses.

Where AI fits (without fluff)

AI does not need to run the entire scheme to increase harm. It only needs to improve the leverage points. First, it enables endless text variation while maintaining a consistent tone and similar messaging. Second, it makes personalization easy by merging templates with leaked data and also seamlessly integrating with Open Source Intelligence (OSINT) sources. Third, it reduces the human effort required to run a campaign, which increases throughput.

The result isn’t “smarter extortion.” It’s cheaper extortion at higher volume paired with sharper intimidation artifacts. That combination is what makes waves like this so disruptive.

Why CISOs should care: coercion becomes a business threat

Even when a victim is targeted “personally,” the downstream effects can land inside a CISOs organization. An employee under threat may avoid reporting, reuse credentials poorly, or comply with nefarious demands. Panic and stress can lead to unsafe behaviors, and this noise can weave its way into an organization distracting security teams from secondary attacks that aim to exploit some of that chaos.

If a resilience program covers ransomware but not coercion-driven fraud and extortion, there could be an operational gap. Sextortion waves are a reminder that the adversary’s true target is often decision-making under pressure.

What organizations should do during a wave

The objective in a wave is speed, clarity, and support. Issue a same-day bulletin that states what is happening, what employees should do, and how to report. Keep it stigma-free. The most important message is this: employees can report safely, and they won’t get in trouble.

Next, harden the identity bridge. Ensure MFA is enforced for email and sensitive applications, watch for anomalous sign-ins, and monitor for new device enrollments. Then improve detection quality by treating this as a campaign: pattern match across inboxes and route messaging to a single owner to reduce confusion and duplicate work.

The resilience lesson

Waves like this are not just security events; they’re leadership events. The organizations that respond well reduce harm by moving fast, communicating clearly, and providing support. They also learn: which workflows were stress-tested, where employees hesitated, and what verification gates were missing.

If you treat coercion as out-of-scope, you will eventually treat it as an incident, under pressure. Build the playbook now.

Key takeaways

• Normalize coercion reporting; activate employee assistance programs immediately to protect people and organizational reputation.
• Instrument wave messaging detection to tune signals and reduce both data fatigue and operational distraction.
• Harden identity ecosystems fast; enforce MFA immediately to prevent panic-driven account takeover actions.
• Operationalize extortion playbooks and drill them regularly to reduce chaos and decision latency.

Part 2 of AI Powered Cybercrime

Once AI facilitates and reduces the skill barrier, the next step is predictable: industrialization. Scale is not simply “more X.” It’s more volume, experiments, parallel campaigns, faster iteration, and lower cost per attempt. Attackers can tolerate failure because machines keeps trying, and keeps learning. AI Powered Cybercrime – Scale.

In practice, scale changes how you risk is experienced. The question stops being “can this attack be blocked?” and becomes “can we withstand continuous throughput without fatigue, mistakes, or control bypass?” If the attacker runs campaigns like a high-volume system, defenders must design controls that behave like high-volume systems too.

Scale is attack throughput based on more attempts, more variation, and faster learning loops than human teams can match.

How scale happens

Cybercrime at scale is a stack: commodity infrastructure to deliver, automation to orchestrate, and AI to generate convincing content and decision support. That stack allows adversaries to operate like entire sophisticated teams, testing, measuring response rates, iterating on what works, and abandoning what doesn’t.

This matters because “good enough” at massive volume beats “excellent” at low volume. Even if your controls catch 99.9% of attempts, at enough throughput the remaining 0.1% becomes a real business problem.

Agentic workflows: campaigns become orchestrated systems

The most important mental model for scale is orchestration. Instead of one attacker manually working a process, you face workflows that plan tasks, execute in parallel, and adapt based on outcomes. Target research, lure writing, follow-ups, and handoffs can be partially automated, even when a human remains in the loop for high-value steps.

For defenders, this means control gaps are discovered faster, exploited more accurately, and reused more reliably. If your organization has exception-heavy processes (e.g., ad hoc approvals, inconsistent vendor change procedures, unclear escalation paths) those become discoverable cracks that an attacker’s system can exploit repeatedly.

Dark social distribution: coordination at platform speed

Distribution and coordination channels accelerate scale by enabling rapid churn: new templates, new lists, new scripts, and fast feedback loops from peers. The operational consequence is that takedowns and blocks often trail behind the adaptation cycle. If you rely solely on external enforcement or on the hope that a campaign will “fade out,” you will lose the timing battle.

This is why brand and executive impersonation monitoring matters. When attackers can quickly align a pretext with what’s visible about your leadership, partners, or vendors, they can now manufacture credibility in hours.

DDoS and distraction: availability pressure as a cover layer

At scale, disruption is often a tactic, not an outcome. Availability pressure can consume attention, create noise, and induce rushed decisions that enable secondary goals (e.g., fraud, credential abuse, or data theft). The attacker doesn’t need to “win” the DDoS battle; they need to win the operational tempo battle.

The resilience countermeasure is degraded-mode planning. If you pre-stage how the business continues when systems are strained (e.g., what gets paused, what gets routed differently, who approves exceptions) you reduce the attacker’s ability to force mistakes through urgency.

A/B testing on humans: volume plus variation

A subtle but powerful aspect of scale is experimentation. Attackers don’t need a perfect lure. They need a pipeline that generates variants, tests them across segments, measures responses, and doubles down on what works. AI makes this cheap: the cost of a new variant approaches zero.

This turns awareness training into an operational control problem. You’re no longer defending against one “phishing style.” You’re defending against a continuously mutating persuasion engine. The stable defense is workflow integrity, consistent rules for high-risk actions, enforced regardless of how convincing the request appears.

What to do: control throughput with identity and workflow gates

To survive scale, design defenses like you’re protecting a high-traffic API. The objective is not perfect prevention; it’s making irreversible actions rare, gated, and verifiable. Start with the workflows that move money, grant access, or export sensitive data.

Phishing-resistant MFA and risk-based session controls reduce account takeover success. Dual control and out-of-band verification reduce fraud success. Campaign-level detection reduces fatigue by catching patterns across many inboxes or users rather than treating each event as a one-off.

Board-level framing

Scale bends the loss curve upward even if individual success rates decline. Boards should ask a small set of questions that map directly to business continuity: Which workflows are irreversible? Which are gated? How fast can we verify? How quickly can we contain identity-driven compromise?

If you can answer those questions with metrics (e.g., time-to-verify, exception rates, time-to-contain) you can translate a complex threat into operational readiness and financial risk reduction.

Key takeaways

• Assume nonstop attack throughput to model monthly, reduce fraud and downtime exposure.
• Harden approval workflows; the goal is to enforce dual control always while preventing irreversible payment loss.
• Automate identity containment by tuning regularly to cut attacker dwell time and blast radius.
• Instrument dark social risk; that goal is to monitor weekly to reduce brand-driven compromise and extortion.
• Govern exceptions tightly by reviewing regularly to prevent blind-spot failures and audit fallout.

Part 3 of AI Powered Cybercrime

Part 1 of AI Powered Cybercrime

Cybercrime has historically had a skills bottleneck. Someone had to do the research, craft a believable story, write the lure, build the tooling, and then keep the victim engaged long enough for an outcome. Even for seasoned operators, that work takes time, and time is money. AI Powered Cybercrime – Facilitation.

Generative AI has changed the economics of that effort. It acts like a quality assistant that can draft, rephrase, personalize, and refine at machine speed. The net effect is not simply “smarter attackers.” It’s more adversaries that historically could not operate in this space. It is also a set of adversaries that can now perform at a higher baseline, scale larger, with fewer mistakes and more believable artifacts.

In this series, I use “facilitation” to describe the first-order impact of AI on cybercrime: removing friction across the attack lifecycle so that an individual attack becomes easier to execute, easier to adapt, and more likely to succeed.

Facilitation is where AI makes individual attacks better by lowering the skill barrier and improving content and/or persuasion quality.

The Facilitation Lens

A useful way to think about AI-enabled crime is as a pipeline. Attackers rarely win because they have one magic tool; they win because they can move smoothly from one stage to the next, recon, pretext, access, execution, and monetization. AI can assist at every stage, and it doesn’t need to be perfect. It only needs to be good enough to keep the process flowing through its journey.

For defenders, this creates a trap: many programs still focus on blocking discrete artifacts (one phishing email, one payload hash, one suspicious domain). Facilitation shifts advantage to the attacker because artifacts can be generated rapidly and with great volume; but the human processes and identity controls on the defensive side often remain static.

AI-powered malware: from coding to assembling outcomes

“AI malware” may inspire unrealistic notions of a fully autonomous super-virus. The more realistic, and more dangerous, reality is simpler: AI compresses development and iteration cycles. Instead of writing everything from scratch, adversaries can draft components, refactor quickly, generate variants, and troubleshoot faster. That matters because it reduces the time between idea and execution. It also empowers people that would not be operating in cybercrime without AI capabilities.

For defenders, the implication is that static signatures and one-off IOCs degrade faster. The same intent can show up as many slightly different implementations, and the “shape” of attacks changes just enough to evade brittle detection logic.

What can be done about this? Shift emphasis toward behavior and context. Instead of some static defense model we need to become more adaptable. If some payload dynamically changes, attackers will likely still need access to credentials, session tokens, the creation of persistence, or the exfiltration of data. Those are the slivers of opportunity where defenders have a chance of stable detection and containment. Given todays dynamic, the best place to shrink an attacker’s options is identity: the stronger and more tightly governed the identity boundary, the fewer places malicious tooling can successfully land.

Deepfakes: visual presence is no longer identity

Deepfakes move social engineering from “message deception” to “presence deception.” It’s one thing to spoof a sender name; it’s another to appear on a call as someone your team recognizes. That’s why deepfake-enabled fraud is so consequential: it attacks the human verification shortcuts we’ve relied on for decades, voice, face, and confidence.

The operational lesson is straightforward: “I saw them on video” is no longer a control. Nor is it a point of trust. A convincing presence can be manufactured, and group dynamics can be exploited to create social proof. The only reliable protection is to place high-risk actions behind verification steps that synthetic media cannot satisfy, out-of-band callbacks to known numbers, dual control for sensitive payments, and defined escalation rituals when urgency appears.

Social engineering: AI adds memory, consistency, and coordination

The biggest upgrade AI brings to social engineering is not grammar, it’s continuity. AI can maintain context over time, keep a persona consistent across messages and disparate systems, and pivot smoothly when a target makes adjustments. That capability turns many “one-and-done” lures into persistent conversations that wear down defenses.

This is why awareness training that focuses on typos and awkward phrasing is losing relevance. The tell is increasingly a process violation: a new payment path, a new channel, a sudden bypass of normal approvals, or an exception request that tries to compress decision time. If your employees know how to spot workflow bypass, they can defeat even polished, highly personalized lures.

Vibe hacking: weaponizing emotion to bypass analysis

Vibe hacking is the weaponization of emotion as a control bypass. Attackers don’t need you to believe every detail; they need you to act before you verify. Shame, urgency, fear, status, and belonging are some of the levers that move decisions faster than policy comes into play.

The countermeasure is not “tell people to be calm.” The countermeasure is building organizational escape hatches: clear permission to slow down, explicit escalation paths, and operational friction for irreversible actions. If urgency is treated as a trigger for verification, not a reason to move faster, we can turn the attacker’s primary advantage into a liability.

Short term reset

If you want one practical takeaway from facilitation, it’s this: identity and workflow integrity are choke points. AI can generate unlimited persuasion and/or manipulation artifacts, but we have to force it to cross an authorization boundary somewhere.

Start by identifying the three most irreversible workflows in your organization, for example pick from a pool like this one: payments, vendor banking changes, payroll updates, privileged access grants, or large data exports. Then ensure those workflows have step-up verification that cannot be satisfied by sense of urgency, polished messaging, or synthetic media. Finally, run a short blind red-team exercise on a deepfake or coercion scenario and measure how long it takes the organization to verify and contain. Blind = this must mimic reality.

Key takeaways

• Assume high-quality lures and retrain owners monthly to reduce fraud loss and downtime.
• Gate privileged actions and enforce out-of-band checks always; the goal is to prevent unauthorized transactions.
• Detect behavior shifts and tune telemetry regularly to cut dwell time and response costs.
• Standardize escalation and drill managers quarterly; the goal is to reduce coercion-driven errors.
• Institutionalize dissent and review exceptions monthly to avoid governance blind spots and audit fallout.

Part 2 of AI Powered Cybercrime