The landscape of cybercrime has undergone a fundamental shift, evolving from disparate, opportunistic attacks into a full-scale industrial operation. Modern cybercriminals now employ the same principles of efficiency, scalability, and specialization that define legitimate businesses. This transformation has been supercharged by artificial intelligence (AI), automation, and an underground economy that thrives on shared data and tools. The result is a threat environment where attacks are faster, more sophisticated, and more likely to succeed.
According to the latest Global Threat Landscape Report from FortiGuard Labs, the era of the lone hacker is fading. Instead, organized cybercrime syndicates operate like corporations, complete with supply chains, quality assurance, and even customer service. Key to this shift is the use of AI-enabled malicious tools that act as force multipliers, drastically reducing the time and skill required to execute attacks. Tools such as WormGPT, FraudGPT, HexStrike AI, APEX AI, and BruteForceAI are now openly traded on underground forums. These tools allow attackers to craft convincing phishing emails, generate malicious code, and automate reconnaissance with human-like behavior patterns.
AI Accelerates Every Phase of the Attack
Derek Manky, Chief Security Strategist at FortiGuard Labs, notes that malicious actors are beginning to leverage agentic AI for more sophisticated attacks. The report details how these AI tools are used across the entire attack chain. For example, FraudGPT and WormGPT excel at creating compelling phishing lures that bypass traditional filters. HexStrike AI automates reconnaissance and attack-path generation, while APEX AI simulates advanced persistent threat (APT) tactics, including automated OSINT and kill-chain generation. BruteForceAI identifies login forms and executes multi-threaded attacks that mimic human behavior.
These tools do not necessarily create new vulnerabilities, but they accelerate the exploitation of existing ones. The time-to-exploit, which once averaged nearly a week, has collapsed to just 24 to 48 hours for most critical vulnerabilities. In some cases, exploitation begins within hours of public disclosure. Douglas Santos, director of advanced threat intelligence at FortiGuard, warns that as AI continues to speed up reconnaissance, weaponization, and execution, we will soon see attacks in 'hours or even minutes, not days.'
Automated Scanning and Data Sharing
The industrialization of cybercrime is also evident in how attackers find their targets. Global scanning using commercial tools like Qualys, Nmap, Nessus, and OpenVAS is automated and continuous. This allows attackers to identify vulnerable software versions, misconfigurations, and open ports at scale. Moreover, much of the groundwork is already done by others. Databases, credentials, validated access paths, and attacker tooling are continuously advertised and exchanged on underground markets. Infostealers such as RedLine, Lumma, and Vidar harvest credentials, which are then sold by access brokers. The most commonly advertised access types include corporate VPNs and RDP.
The report highlights that 656 vulnerabilities were actively discussed on the darknet in 2025. Of these, 344 had publicly available proof-of-concept exploit code, and 176 had working exploit code. When vulnerabilities are packaged with scripts, modules, guides, and operational playbooks, they become 'industrial', ready for repeatable exploitation rather than bespoke attacks.
The Impact on Organizations
The effects of this industrialization are stark. Ransomware remains the most profitable attack type, with 7,831 confirmed victims globally in 2025. The most active groups were Qilin, Akira, and Safepay, with the United States suffering the most incidents (3,381 victims), followed by Canada and Europe. The global attack surface is already mapped, continuously refreshed, and maintained in an operational readiness state. This means that for many organizations, a breach is not a matter of if, but when.
Defending Against Industrialized Cybercrime
To counter this threat, defenders must adopt a similar industrial approach. Speed is critical; detection and response must operate at machine speed. FortiGuard recommends prioritizing identity-centric detection, exposure reduction, and automation. Organizations need to invest in AI-driven security operations that can match the pace of AI-powered attacks. This includes using AI for threat hunting, incident response, and vulnerability management.
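One way to automate the exposure-reduction step, as an added example that is not from the report or from FortiGuard: it ranks findings by the exploit-maturity tiers described above (discussed, proof-of-concept, working exploit) and sets patch deadlines inside the 24 to 48 hour time-to-exploit window, tightening them for internet-facing VPN and RDP. The deadline values, field names, asset names and CVE placeholders are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: hours allowed between public disclosure and remediation,
# keyed by exploit maturity. Chosen to sit inside the 24-48 h
# time-to-exploit window cited above; tune to your own risk appetite.
DEADLINE_HOURS = {"working_exploit": 12, "poc": 24, "discussed": 48, "none": 168}
MATURITY_RANK = {"working_exploit": 3, "poc": 2, "discussed": 1, "none": 0}
# Access types the article names as most commonly advertised by brokers.
BROKERED_SERVICES = {"vpn", "rdp"}

@dataclass
class Finding:
    asset: str
    cve: str              # placeholder ids in the sample data
    service: str
    internet_facing: bool
    maturity: str         # key of DEADLINE_HOURS
    disclosed: datetime

def deadline(f):
    hours = DEADLINE_HOURS[f.maturity]
    # Internet-facing VPN/RDP is what access brokers resell: halve the window.
    if f.internet_facing and f.service in BROKERED_SERVICES:
        hours //= 2
    return f.disclosed + timedelta(hours=hours)

def triage(findings, now):
    """Return (finding, deadline, overdue) tuples, most urgent first."""
    rows = [(f, deadline(f), deadline(f) <= now) for f in findings]
    # Overdue first, then higher exploit maturity, then earliest deadline.
    return sorted(rows, key=lambda r: (not r[2], -MATURITY_RANK[r[0].maturity], r[1]))

# Constructed sample data (assets, dates and ids are illustrative only).
NOW = datetime(2025, 6, 3, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("intranet-wiki", "CVE-PLACEHOLDER-1", "http", False, "discussed", NOW - timedelta(hours=30)),
    Finding("vpn-gw-01", "CVE-PLACEHOLDER-2", "vpn", True, "working_exploit", NOW - timedelta(hours=8)),
    Finding("jump-host", "CVE-PLACEHOLDER-3", "rdp", True, "poc", NOW - timedelta(hours=5)),
    Finding("build-server", "CVE-PLACEHOLDER-4", "ssh", False, "none", NOW - timedelta(hours=100)),
]

if __name__ == "__main__":
    for f, due, overdue in triage(SAMPLE, NOW):
        flag = "OVERDUE" if overdue else "due"
        print(f"{flag:8}{due:%Y-%m-%d %H:%M}  {f.asset:14}{f.service:5}{f.maturity}")
```

Feeding the queue from a scanner export and an exploit-availability feed, rather than the inline sample, lets the deadlines update as a vulnerability moves from discussed to working exploit.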
International cooperation is also vital. FortiGuard has engaged with several global disruption efforts, including INTERPOL Serengeti 2.0, Operation Red Card 2.0, the Cybercrime Atlas initiative with the World Economic Forum, and the Cyber Threat Alliance. Additionally, new initiatives like the Cybercrime Bounty program with Crime Stoppers International aim to disrupt cybercriminal operations at their source.
As cybercrime continues to industrialize, the only viable path for defenders is to industrialize their own defenses. AI and automation are no longer optional; they are essential to survive in a landscape where attackers move at machine speed.
Source: SecurityWeek News