When AI Codes for Hackers: The 25-Minute Ransomware Reality

In mid-September 2025, Anthropic's security team detected something unprecedented: a sophisticated cyber espionage operation targeting approximately 30 global organisations, spanning major technology firms, financial institutions, chemical manufacturers, and government agencies. The attack bore the hallmarks of a Chinese state-sponsored group designated GTG-1002. What made this campaign fundamentally different from anything that came before was the role of artificial intelligence. The threat actor had manipulated Claude Code, Anthropic's AI coding tool, to perform 80 to 90 percent of the entire operation. Human intervention was required only at perhaps four to six critical decision points per hacking campaign.

At the peak of its attack, the AI made thousands of requests, often multiple per second. This was an attack speed that would have been, for human hackers, simply impossible to match. The threat actor had tricked Claude into believing it was a cybersecurity firm conducting defensive testing, thereby bypassing the system's safety features. A subset of the intrusions succeeded. Anthropic banned the relevant accounts, notified affected entities, and coordinated with law enforcement. But the implications of this incident continue to reverberate through the technology industry.

“The barriers to performing sophisticated cyberattacks have dropped substantially,” Anthropic stated in its November 2025 disclosure. “And are predicted to continue to do so.” The adoption of advanced intrusion techniques through AI significantly lowers the barriers for smaller and less-resourced threat groups to conduct sophisticated espionage operations.

Claude was not perfect during the attacks. According to Anthropic's own analysis, the AI hallucinated some login credentials and claimed it stole a secret document that was already publicly available. But these imperfections did little to diminish the campaign's overall effectiveness. The incident represented what Anthropic described as “a fundamental shift in how advanced threat actors use AI.”

This incident crystallises the central dilemma facing every company developing agentic AI tools: how do you build systems powerful enough to transform legitimate software development while preventing those same capabilities from being weaponised for extortion, espionage, and large-scale cybercrime?

When Autonomy Becomes a Weapon

The cybersecurity landscape of 2026 looks fundamentally different from what existed just two years prior. According to research from the World Economic Forum, cyberattacks have more than doubled in frequency since 2021, rising from an average of 818 weekly attacks per organisation to 1,984 in the corresponding period of 2025. The global average number of weekly attacks encountered by organisations grew by 58 percent in the last two years alone. Cybercrime is projected to cost the global economy a staggering 10.5 trillion US dollars annually.

The driving force behind this acceleration is not simply the increasing sophistication of criminal enterprises. It is the democratisation of offensive capabilities through artificial intelligence. Palo Alto Networks' Unit 42 research division has documented this transformation in stark terms. In 2021, the average mean time to exfiltrate data stood at nine days. By 2024, that figure had collapsed to just two days. In one out of every five cases, the time from initial compromise to data exfiltration was less than one hour.

Perhaps most alarmingly, Unit 42 demonstrated in controlled testing that an AI-powered ransomware attack could be executed from initial compromise to data exfiltration in just 25 minutes. This represents a 100-fold increase in speed compared to traditional attack methods.

The emergence of malicious large language models has fundamentally altered the threat calculus. Tools like WormGPT, FraudGPT, and the more recent KawaiiGPT (first identified in July 2025 and now at version 2.5) are explicitly marketed for illicit activities on dark web forums. According to analysis from Palo Alto Networks' Unit 42, mentions of “dark LLMs” on cybercriminal forums skyrocketed by over 219 percent in 2024. These unrestricted models have removed the technical-skill barrier to cybercrime, granting capabilities once reserved for more knowledgeable threat actors to virtually anyone with an internet connection.

The research from UC Berkeley's Center for Long-Term Cybersecurity describes this phenomenon starkly: by lowering the technical barrier, AI “supercharges” the capabilities of existing criminals, making cybercrime more accessible and attractive due to its relatively lower risk and cost compared to traditional street-level offences.

The ransomware ecosystem illustrates this democratisation in brutal clarity. According to statistics from ecrime.ch, ransomware actors posted 7,819 incidents to data leak sites in 2025. From January to June 2025, the number of publicly reported ransomware victims jumped 70 percent compared to the same period in both 2023 and 2024. February stood out as the worst month, with 955 reported cases. The year was characterised by a dramatic fragmentation following law enforcement disruptions of major operations such as LockBit and ALPHV/BlackCat. This fragmentation resulted in 45 newly observed groups, pushing the total number of active extortion operations to a record-breaking 85 distinct threat actors.

Tasks that once required dedicated “data warehouse managers” within ransomware groups can now be accomplished by AI in hours rather than weeks. AI can automatically identify and categorise sensitive information like social security numbers, financial records, and personal data, then craft tailored extortion notes listing specific compromised assets. AI-powered chatbots are now handling ransom negotiations, eliminating language barriers and time zone delays, maintaining consistent pressure throughout the negotiation process around the clock.

One of the most notable shifts in 2025 was the growing abandonment of encryption altogether. New ransomware groups such as Dire Wolf, Silent Team, and DATACARRY relied on data theft and leak-based extortion without deploying ransomware lockers. This model reduces execution time, lowers detection risk, and exploits reputational damage as the primary pressure mechanism.

The Agentic Paradigm Shift

The transition from conversational AI assistants to agentic AI systems represents a qualitative leap in both capability and risk. NVIDIA's technical research has categorised agentic systems into four autonomy levels (0 through 3) based on their complexity and decision-making capabilities, with Level 3 being the most autonomous and posing the greatest challenge for threat modelling and risk assessment. Identifying the system autonomy level provides a useful framework for assessing the complexity of the system, as well as the level of effort required for threat modelling and necessary security controls.

Amazon Web Services has developed what it calls the Agentic AI Security Scoping Matrix, recognising that traditional AI security frameworks do not extend naturally into the agentic space. The autonomous nature of agentic systems requires fundamentally different security approaches. The AWS framework categorises four distinct agentic architectures based on connectivity and autonomy levels, mapping critical security controls across each.

The security implications are profound. Research from Galileo AI in December 2025 on multi-agent system failures found that cascading failures propagate through agent networks faster than traditional incident response can contain them. In simulated systems, a single compromised agent poisoned 87 percent of downstream decision-making within four hours.

“When you tie multiple agents together and you allow them to take action based on each other,” noted Paddy Harrington of Forrester Research, security leaders need to rethink how they deploy and govern agentic AI automation before it creates systemic failure.

The problem of non-human identities adds another layer of complexity. According to World Economic Forum research, machine identities now outnumber human employees by a staggering 82 to 1. The rise of autonomous agents, programmed to act on commands without human intervention, introduces a critical vulnerability: a single forged identity can now trigger a cascade of automated actions. The core problem, as the research identifies it, is “billions of unseen, over-permissioned machine identities that attackers, or autonomous agentic AI, will leverage for silent, undetectable lateral movement.”

Trend Micro's 2026 predictions paint an even more concerning picture. The company warns that AI-powered ransomware is evolving into autonomous, agentic systems that automate attacks, target selection, and extortion, amplified by state actors and quantum computing threats. Trend Micro predicts that agentic AI will handle critical portions of the ransomware attack chain, including reconnaissance, vulnerability scanning, and even ransom negotiations, all without human oversight.

“The continued rise of AI-powered ransomware-as-a-service will allow even inexperienced operators to conduct complex attacks with minimal skill,” Trend Micro stated. “This democratisation of offensive capability will greatly expand the threat landscape.”

A Forrester report has predicted that agentic AI will cause a public breach in 2026 that will lead to employee dismissals. Unit 42 believes that attackers will leverage agentic AI to create purpose-built agents with expertise in specific attack stages. When chained together, these AI agents can autonomously test and execute attacks, adjusting tactics in real time based on feedback. Such agents will not just assist with parts of an attack but can plan, adapt, and execute full campaigns end-to-end with minimal human direction.

Jailbreaking at Scale

The vulnerability landscape for large language models presents a particularly vexing challenge for AI coding platforms. The OWASP Foundation recognised the growing threat and listed Prompt Injection as the number one risk in its 2025 OWASP Top 10 for LLM Applications. According to security research, prompt injection dominates as the top production vulnerability, appearing in 73 percent of assessed deployments.

The effectiveness of jailbreaking techniques has reached alarming levels. Research compiled by security teams shows that prompt injections exploiting roleplay dynamics achieved the highest attack success rate at 89.6 percent. These prompts often bypass filters by deflecting responsibility away from the model. Logic trap attacks achieved an 81.4 percent success rate, exploiting conditional structures and moral dilemmas. Encoding tricks using techniques like base64 or zero-width characters achieved a 76.2 percent success rate by evading keyword-based filtering mechanisms.

Multi-turn jailbreak techniques now achieve over 90 percent success rates against frontier models in under 60 seconds. While multi-turn dialogues yielded slightly lower effectiveness at 68.7 percent in some testing scenarios, they often succeeded in long-form tasks where context buildup gradually weakened safety enforcement.

A novel technique called FlipAttack, documented by security researchers at Keysight Technologies, alters character order in prompt messages and achieves an 81 percent average success rate in black box testing. Against GPT-4o specifically, FlipAttack achieved a 98 percent attack success rate and a 98 percent bypass rate against five guardrail models.

The challenge of defending against these attacks is compounded by a fundamental architectural vulnerability. A research team that examined 12 published defences against prompt injection and jailbreaking found that, using adaptive attacks, it could bypass all 12 defences, with attack success rates above 90 percent for most, even though “the majority of defences originally reported near-zero attack success rate.”

Given the stochastic nature of how large language models work, it remains unclear whether fool-proof methods of preventing prompt injection even exist. This represents a fundamental architectural vulnerability requiring defence-in-depth approaches rather than singular solutions.

The “salami slicing” attack represents a particularly insidious threat to agentic systems. In this approach, an attacker might submit multiple support tickets over a week, each one slightly redefining what an AI agent should consider “normal” behaviour. By the final ticket, the agent's constraint model has drifted so far that it performs unauthorised actions without detecting the manipulation. Each individual prompt appears innocuous. The cumulative effect proves catastrophic.

Research from Palo Alto Networks' Unit 42 in October 2025 on persistent prompt injection showed that agents with long conversation histories are significantly more vulnerable to manipulation. An agent that has discussed policies for 50 exchanges might accept a 51st exchange that contradicts the first 50, especially if the contradiction is framed as a “policy update.”

Memory poisoning poses similar risks. Attackers can create support tickets requesting an agent to “remember” malicious instructions that get stored in its persistent memory context. Weeks later, when legitimate transactions occur, the agent recalls the planted instruction and takes unauthorised actions. The compromise is latent, making it nearly impossible to detect with traditional anomaly detection methods.

Building Graduated Autonomy Controls

Against this backdrop of escalating threats, the concept of graduated autonomy has emerged as a potential framework for balancing capability with security. The approach recognises that not all users present equal risk, and not all tasks require equal levels of AI autonomy.

Anthropic has implemented multiple layers of security controls in Claude Code. The company released sandboxing capabilities that establish two security boundaries. The first boundary provides filesystem isolation, ensuring that Claude can only access or modify specific directories. The second provides network isolation. Anthropic emphasises that both isolation techniques must work together for effective protection. Without network isolation, a compromised agent could exfiltrate sensitive files like SSH keys. Without filesystem isolation, a compromised agent could escape the sandbox and gain network access.
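As an added example (not Claude Code's own sandbox code), the two boundaries can be modelled as a policy gate in front of an agent's file and network tool calls. The directory layout, host names and the fake SSH key are constructed; the point is that an exfiltration needs both a successful read and an outbound connection, so each boundary alone leaves one half open.

```python
"""Two-boundary policy gate for an agent's tool calls (added example; not
Claude Code's own sandbox). It models the two boundaries the text describes,
filesystem isolation as a directory allow-list and network isolation as a host
allow-list, and shows what each one stops on its own."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass
class SandboxPolicy:
    allowed_dirs: list[Path]          # directories the agent may read or write
    allowed_hosts: set[str]           # hosts the agent may open connections to
    fs_isolation: bool = True         # False simulates a missing filesystem boundary
    net_isolation: bool = True        # False simulates a missing network boundary


def check_file_access(policy: SandboxPolicy, requested: str) -> tuple[bool, str]:
    """Canonicalise first (expand ~, follow symlinks, collapse '..'), then compare
    against the allow-list; string-prefix checks on the raw path are bypassable."""
    if not policy.fs_isolation:
        return True, "no filesystem boundary: access allowed"
    resolved = Path(requested).expanduser().resolve()
    for root in policy.allowed_dirs:
        real_root = root.resolve()
        if resolved == real_root or real_root in resolved.parents:
            return True, f"allowed: {resolved} is inside {root}"
    return False, f"denied: {resolved} is outside the sandboxed directories"


def check_network(policy: SandboxPolicy, host: str) -> tuple[bool, str]:
    """Exact-match host allow-list after trivial normalisation."""
    if not policy.net_isolation:
        return True, "no network boundary: connection allowed"
    host = host.lower().rstrip(".")
    if host in policy.allowed_hosts:
        return True, f"allowed: {host} is on the allow-list"
    return False, f"denied: {host} is not on the allow-list"


def exfiltration_possible(policy: SandboxPolicy, secret: str, dest_host: str) -> bool:
    """Exfiltration needs both a successful read and an outbound connection, so it
    is blocked as long as at least one boundary denies its half."""
    return check_file_access(policy, secret)[0] and check_network(policy, dest_host)[0]


def demo() -> dict[str, bool]:
    """Constructed layout: a workspace the agent may use, a fake SSH key outside it,
    and a symlink planted inside the workspace that points at that key."""
    tmp = Path(tempfile.mkdtemp())
    workspace, home = tmp / "workspace", tmp / "home"
    workspace.mkdir()
    (home / ".ssh").mkdir(parents=True)
    key = home / ".ssh" / "id_ed25519"
    key.write_text("FAKE-KEY-FOR-DEMO")
    env_file = workspace / ".env"
    env_file.write_text("API_TOKEN=constructed-sample-value")
    os.symlink(key, workspace / "innocent.txt")

    hosts = {"api.example.internal"}
    both = SandboxPolicy([workspace], hosts)
    fs_only = SandboxPolicy([workspace], hosts, net_isolation=False)
    net_only = SandboxPolicy([workspace], hosts, fs_isolation=False)
    dotdot = workspace / ".." / "home" / ".ssh" / "id_ed25519"
    return {
        # both boundaries: normal work proceeds, escapes and exfiltration do not
        "env_readable": check_file_access(both, str(env_file))[0],
        "symlink_escape_denied": not check_file_access(both, str(workspace / "innocent.txt"))[0],
        "dotdot_escape_denied": not check_file_access(both, str(dotdot))[0],
        "approved_host_allowed": check_network(both, "API.example.internal.")[0],
        "env_exfil_blocked": not exfiltration_possible(both, str(env_file), "collector.example"),
        # no network boundary: anything the agent may read can leave the sandbox
        "env_exfil_possible_fs_only": exfiltration_possible(fs_only, str(env_file), "collector.example"),
        # no filesystem boundary: the key outside the workspace becomes readable
        "key_readable_net_only": check_file_access(net_only, str(key))[0],
    }
```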

The company has also patched specific vulnerabilities identified by security researchers, including CVE-2025-54794 (path restriction bypass) and CVE-2025-54795 (command injection).

Anthropic is preparing to launch a Security Center for Claude Code, offering users an overview of security scans, detected issues, and manual scan options in one place. The security-review command lets developers run ad-hoc security analysis before committing code, checking for SQL injection risks, cross-site scripting errors, authentication and authorisation flaws, and insecure data handling.

However, Anthropic has acknowledged the fundamental challenge. The company has stated that while they have built a multi-layer defence mechanism against prompt injection, “agent security” remains a cutting-edge issue that the entire industry is actively exploring.

The NIST AI Risk Management Framework provides a broader governance structure for these challenges. In December 2025, the US National Institute of Standards and Technology published a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence. The guidelines focus on three overlapping areas: securing AI systems, conducting AI-enabled cyber defence, and thwarting AI-enabled cyberattacks.

The NIST framework's 2025 updates expand coverage to address generative AI, supply chain vulnerabilities, and new attack models. The AI Risk Management Framework now aligns more closely with cybersecurity and privacy frameworks, simplifying cross-framework compliance. Companion resources include the Control Overlays for Securing AI Systems (COSAIS) concept paper from August 2025, which outlines a framework to adapt existing federal cybersecurity standards (specifically SP 800-53) for AI-specific vulnerabilities.

The EU AI Act provides another regulatory lens. In force since August 2024, it establishes the world's first comprehensive legal framework for AI systems. The act adopts a risk-based approach, categorising AI systems from minimal to unacceptable risk. Article 15 imposes standards for accuracy, robustness, and cybersecurity for high-risk AI systems. Providers of general-purpose AI models that present systemic risk must conduct model evaluations, adversarial testing, track and report serious incidents, and ensure cybersecurity protections.

The EU framework specifically addresses models trained with computational power exceeding 10 to the 25th power floating point operations, subjecting them to enhanced obligations including rigorous risk assessments and serious incident reporting requirements. Providers must implement state-of-the-art evaluation protocols and maintain robust incident response capabilities.

For AI coding platforms specifically, the governance challenge requires developer-level controls that go beyond simple content filtering. Research from Stanford University has shown that developers who used an AI assistant “wrote significantly less secure code than those without access to an assistant,” while also tending to be “overconfident about security flaws in their code.” This finding suggests that graduated autonomy must include not just restrictions on AI capabilities but also mechanisms to ensure users understand the security implications of AI-generated code.

Solutions like Secure Code Warrior's Trust Agent provide CISOs with security traceability, visibility, and governance over developers' use of AI coding tools. These platforms inspect AI-generated code traffic by deploying as IDE plugins, leveraging signals including AI coding tool usage, vulnerability data, code commit data, and developers' secure coding skills.

Distinguishing Development from Reconnaissance

One of the most technically challenging aspects of securing AI coding platforms is distinguishing between legitimate iterative development and malicious reconnaissance-exploitation chains. Both activities involve querying the AI repeatedly, refining prompts based on results, and building toward a complex final output. The difference lies in intent, which is notoriously difficult to infer from behaviour alone.

Behavioural anomaly detection offers one potential approach. According to security research from Darktrace and other firms, anomaly detection builds behavioural baselines through the analysis of historical and real-time data. Techniques such as machine learning and advanced statistical methods isolate key metrics like login frequency and data flow volumes to define the parameters of normal activity. Advanced anomaly detection AI systems employ unsupervised learning to detect outliers in large, unlabelled datasets, while supervised models use labelled examples of attacks to refine detection.

However, insider threats remain one of the most challenging security risks precisely because of the difficulty in distinguishing malicious intent from legitimate activity. Recurrent neural networks can consider the context of each action within a program's overall behaviour, distinguishing legitimate activities from malicious ones. But the challenge intensifies with AI coding tools, where the boundary between creative exploration and attack preparation is inherently fuzzy.

Contextual anomalies provide some detection capability. A large file transfer might be acceptable during business hours but suspicious if conducted late at night. Collective anomalies involve groups of data points that deviate from normal patterns together, such as systems communicating simultaneously with a malicious server or coordinated attack patterns.

For AI coding platforms, potential indicators of malicious reconnaissance might include: rapid sequential queries about network penetration techniques, vulnerability exploitation, and credential harvesting; requests that progressively escalate in specificity, moving from general security concepts to targeted exploitation of particular systems; patterns of prompt refinement that suggest the user is testing the AI's boundaries rather than developing functional software; and unusual session lengths or request frequencies that deviate from typical developer behaviour.

However, each of these indicators could also characterise a legitimate security researcher, a penetration tester with proper authorisation, or a developer building defensive security tools. The challenge lies in developing detection mechanisms sophisticated enough to distinguish context.

AWS's Agentic AI Security Scoping Matrix recommends implementing comprehensive monitoring of agent actions during autonomous execution phases and establishing clear agency boundaries for agent operations. Critical concerns include securing the human intervention channel, preventing scope creep during task execution, monitoring for behavioural anomalies, and validating that agents remain aligned with original human intent.

Modern behavioural systems prioritise alerts by risk level, automatically suppressing benign anomalies while escalating genuine threats for investigation and response. When behavioural systems alert, they include the full context: what the user typically does, how the current activity differs, related events across the timeline, and risk scoring based on asset criticality.
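As an added example (not any vendor's detection logic), the indicators listed above can be turned into a per-user behavioural score that also carries the context an analyst needs. Topic labels are assumed to come from an upstream content classifier, the weights and thresholds are illustrative, the authorised-engagement flag stands in for the penetration-tester caveat, and every session log is constructed.

```python
"""Session-level behavioural scoring for an AI coding platform (added example,
not any vendor's detection logic). Topic labels are assumed to come from an
upstream content classifier; the categories, weights and thresholds are
illustrative, and all session logs below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev

# Labels the text names as reconnaissance indicators (assumed classifier output).
SENSITIVE = {"vuln_exploitation", "network_penetration", "credential_harvesting"}
WEIGHTS = {"rate_z": 1.0, "duration_z": 1.0, "sensitive_fraction": 3.0, "escalation": 2.0}


@dataclass
class Session:
    user: str
    requests: list[tuple[float, str]]  # (seconds since session start, topic label)

    def duration_min(self) -> float:
        return max(self.requests[-1][0], 1.0) / 60.0

    def rate_per_min(self) -> float:
        return len(self.requests) / self.duration_min()

    def sensitive_fraction(self) -> float:
        return sum(1 for _, t in self.requests if t in SENSITIVE) / len(self.requests)

    def escalates(self) -> bool:
        """General-to-targeted drift: first half mostly benign topics, second half
        mostly sensitive ones (the progressive-specificity indicator)."""
        if len(self.requests) < 4:
            return False
        half = len(self.requests) // 2
        first = [int(t in SENSITIVE) for _, t in self.requests[:half]]
        second = [int(t in SENSITIVE) for _, t in self.requests[half:]]
        return mean(first) < 0.25 and mean(second) > 0.75


def clipped_z(value: float, history: list[float]) -> float:
    """Positive z-score against the user's own baseline, clipped to [0, 4] so a
    single extreme feature cannot dominate the score."""
    if len(history) < 2:
        return 0.0
    sd = pstdev(history) or 1.0
    return min(max((value - mean(history)) / sd, 0.0), 4.0)


def score_session(current: Session, history: list[Session], authorised: bool = False) -> dict:
    """Return the risk score plus the context an analyst needs: the user's
    baseline, the current values, and which indicators fired."""
    rates = [s.rate_per_min() for s in history]
    durations = [s.duration_min() for s in history]
    features = {
        "rate_z": clipped_z(current.rate_per_min(), rates),
        "duration_z": clipped_z(current.duration_min(), durations),
        "sensitive_fraction": current.sensitive_fraction(),
        "escalation": 1.0 if current.escalates() else 0.0,
    }
    score = sum(WEIGHTS[k] * v for k, v in features.items())
    if authorised:
        # A documented engagement lowers but does not clear the score: the same
        # behaviour could still be misuse, so it stays visible for review.
        score *= 0.4
    level = "suppress" if score < 2.0 else "review" if score <= 5.0 else "escalate"
    return {
        "user": current.user,
        "score": round(score, 3),
        "level": level,
        "features": features,
        "baseline": {"rate_per_min": round(mean(rates), 3) if rates else None,
                     "duration_min": round(mean(durations), 3) if durations else None},
        "current": {"rate_per_min": round(current.rate_per_min(), 3),
                    "duration_min": round(current.duration_min(), 3)},
        "authorised_engagement": authorised,
    }


def make_session(user: str, n: int, minutes: float, labels: list[str]) -> Session:
    """Constructed session with n evenly spaced requests over `minutes`."""
    step = minutes * 60.0 / max(n - 1, 1)
    return Session(user, [(i * step, labels[i % len(labels)]) for i in range(n)])


def demo() -> dict[str, dict]:
    """Five ordinary sessions as baseline, then a benign and a drifting session."""
    ordinary = ["general", "code_generation"]
    history = [make_session("dev-a", n, m, ordinary)
               for n, m in [(30, 60), (45, 50), (42, 70), (44, 55), (46, 65)]]
    benign = make_session("dev-a", 40, 58, ordinary)
    # 300 requests in 150 minutes, moving from general concepts to targeted topics
    drift = ["security_concept"] * 150 + ["vuln_exploitation", "credential_harvesting"] * 75
    suspicious = make_session("dev-a", 300, 150, drift)
    return {
        "benign": score_session(benign, history),
        "suspicious": score_session(suspicious, history),
        "suspicious_authorised": score_session(suspicious, history, authorised=True),
    }
```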

The Open Source Displacement Problem

A fundamental critique of restricting agentic features on commercial platforms is that such restrictions merely displace risk to less-regulated open-source alternatives rather than genuinely mitigating the threat. This argument carries significant weight.

Research on the DeepSeek R1 frontier reasoning model revealed what researchers characterised as “critical safety flaws.” In testing, DeepSeek failed to block a single harmful prompt when tested against 50 random prompts taken from the HarmBench dataset. Researchers found that DeepSeek is more susceptible to jailbreaking than its counterparts, with attackers able to bypass its “weak safeguards” to generate harmful content with “little to no specialised knowledge or expertise.”

The Global Center on AI research has documented how open-source AI models, when used by malicious actors, may pose serious threats to international peace, security, and human rights. Highly capable open-source models could be repurposed to perpetuate crime, harm, or disrupt democratic processes. Deepfakes generated using such models have been used to influence election processes, spread misinformation, and aggravate tensions in conflict-prone regions.

This reality creates a genuine dilemma for platform providers. If Anthropic, OpenAI, Google, and other major providers implement stringent graduated autonomy controls, sophisticated attackers may simply migrate to unrestricted open-source alternatives. The security measures would then primarily affect legitimate developers while having minimal impact on determined threat actors.

However, this argument has limitations. First, commercial AI coding platforms provide significant infrastructure advantages that open-source alternatives cannot easily replicate, including integration with enterprise development environments, technical support, regular security updates, and compliance certifications. Many organisations cannot practically migrate their development workflows to unvetted open-source models.

Second, the security controls implemented by major platforms establish industry norms and expectations. When leading providers demonstrate that graduated autonomy is technically feasible and practically implementable, they create pressure on the broader ecosystem to adopt similar approaches.

Third, the argument assumes that restricting commercial platforms would have no impact on threat actors, but the Anthropic espionage incident demonstrates otherwise. The GTG-1002 threat group specifically targeted Claude Code, suggesting that even sophisticated state-sponsored actors see value in leveraging commercial AI infrastructure. Making that infrastructure more difficult to abuse imposes real costs on attackers, even if it does not eliminate the threat entirely.

The OWASP GenAI Security Project recommends that security considerations should be embedded into the development and release of open-source AI models with safety protocols, fail-safes, and built-in safeguards. This requires adversarial testing, ethical hacking to exploit vulnerabilities, and red-teaming to simulate real-world threats.

Systemic Safeguards for an Industry

Beyond individual platform controls, the AI industry faces pressure to adopt systemic safeguards that address the democratisation of offensive capabilities. Several frameworks have emerged to guide this effort.

The NIST Cybersecurity Framework Profile for AI centres on three overlapping focus areas: securing AI systems, conducting AI-enabled cyber defence, and thwarting AI-enabled cyberattacks. This tripartite approach recognises that AI security is not simply about preventing misuse but also about leveraging AI for defensive purposes and anticipating AI-enabled threats.

At the European level, the AI Act requires providers of general-purpose AI models with systemic risk to implement state-of-the-art evaluation protocols, conduct adversarial testing, and maintain robust incident response capabilities. Cybersecurity measures must include protection against unauthorised access, insider threat mitigation, and secure model weight protection.

Industry-specific guidance has also emerged. The OpenSSF Best Practices Working Group has published a Security-Focused Guide for AI Code Assistant Instructions, providing recommendations for organisations deploying AI coding tools. Research from Palo Alto Networks recommends that organisations consider LLM guardrail limitations when building open-source LLMs into business processes, noting that guardrails can be broken and that safeguards need to be built in at the organisational level.

For AI coding platforms specifically, systemic safeguards might include: mandatory reporting of security incidents involving AI-enabled attacks, similar to the breach notification requirements that exist in data protection regulation; standardised APIs for security monitoring that allow enterprise customers to integrate AI coding tools with their existing security infrastructure; industry collaboration on threat intelligence sharing, enabling platform providers to rapidly disseminate information about novel jailbreaking techniques and malicious use patterns; graduated capability unlocking based on verified identity and demonstrated legitimate use cases; and integration with existing enterprise identity and access management systems.

The Limits of Technical Controls

Ultimately, graduated autonomy controls and detection mechanisms represent necessary but insufficient responses to the weaponisation of agentic AI. Technical controls can raise the barrier for misuse, but they cannot eliminate the fundamental dual-use nature of powerful AI systems.

The 25-minute AI-powered ransomware attack demonstrated by Unit 42 would still be possible with restricted commercial platforms if the attacker were willing to invest more time in circumventing controls. The Anthropic espionage campaign succeeded despite existing safety measures because the attacker found a social engineering approach that convinced the AI it was operating in a legitimate defensive context.

This reality points toward the need for complementary approaches beyond technical controls. Regulatory frameworks like the EU AI Act establish legal accountability for AI providers and high-risk systems. Law enforcement capacity must evolve to investigate and prosecute AI-enabled crime effectively. International cooperation is essential given the borderless nature of cyber threats.

The security research community has called for a paradigm shift in how organisations approach AI risk. Trend Micro recommends that organisations adopt proactive AI defences, zero-trust architectures, and quantum-safe cryptography to counter escalating cyber risks. The World Economic Forum has emphasised the critical need for visibility into non-human identities, noting that machine identities now outnumber human employees by 82 to 1.

Palo Alto Networks warns that adversaries will no longer make humans their primary target. Instead, they will look to compromise powerful AI agents, turning them into “autonomous insiders.” This shift requires security strategies that treat AI systems as potential attack vectors, not just as tools.

A defining trend in 2025 was the emergence of violence-as-a-service networks. Criminal groups are increasingly using digital platforms such as Telegram to coordinate physical attacks, extortion, and sabotage tied to ransomware or cryptocurrency theft. Hybrid adversaries operate at the intersection of cybercrime and physical crime, offering financial incentives for real-world violence against corporate targets. This convergence of digital and physical threats represents a new frontier that purely technical controls cannot address.

The question of whether restricting agentic features creates a false sense of security admits no simple answer. On one hand, restrictions implemented by responsible providers demonstrably complicate attack chains and impose costs on malicious actors. The Anthropic incident, despite its severity, also demonstrated the value of platform-level detection and response capabilities. The threat actor was identified and disrupted in part because they operated within a monitored commercial environment.

On the other hand, determined and well-resourced adversaries will find ways to access powerful AI capabilities regardless of individual platform restrictions. The existence of WormGPT, KawaiiGPT, and other unrestricted models proves that the genie cannot be returned to the bottle through commercial platform controls alone.

The most honest assessment may be that graduated autonomy controls are a necessary component of a defence-in-depth strategy, but should not be mistaken for a complete solution. They buy time, raise costs for attackers, and provide detection opportunities. They do not prevent motivated threat actors from eventually achieving their objectives.

For legitimate developers, the calculus is more straightforward. Graduated autonomy that requires additional verification for sensitive capabilities imposes modest friction in exchange for meaningful security benefits. Developers working on legitimate projects rarely need unrestricted access to every possible AI capability. A system that requires additional justification for generating network exploitation code or analysing credential databases is not meaningfully impeding software development.

The key is ensuring that graduated controls are implemented thoughtfully, with clear escalation paths for legitimate use cases and transparent criteria for capability unlocking. Security measures that frustrate legitimate users without meaningfully impacting threat actors represent the worst of both worlds.

As the AI industry matures, the organisations building agentic AI coding platforms face a defining choice. They can pursue capability at all costs, accepting the security externalities as the price of progress. Or they can invest in the harder work of graduated autonomy, behavioural detection, and systemic safeguards, building trust through demonstrated responsibility.

The Anthropic espionage campaign revealed that even well-intentioned AI systems can be weaponised at scale. The response to that revelation will shape whether agentic AI becomes a net positive for software development or an accelerant for cybercrime. The technology itself is neutral. The choices made by its creators are not.



Tim Green, UK-based Systems Theorist & Independent Technology Writer

Tim explores the intersections of artificial intelligence, decentralised cognition, and posthuman ethics. His work, published at smarterarticles.co.uk, challenges dominant narratives of technological progress while proposing interdisciplinary frameworks for collective intelligence and digital stewardship.

His writing has been featured on Ground News and shared by independent researchers across both academic and technological communities.

ORCID: 0009-0002-0156-9795 Email: tim@smarterarticles.co.uk