AI Turns Cybercrime into a Smart, Scalable Business Model

Anthropic, the San Francisco-based artificial intelligence company, has reported the emergence of novel cyber threats that leverage its LLM, Claude, for extortion and ransomware activities. In a report published on August 27, 2025, the firm detailed eight case studies, revealing that bad actors are employing Claude to execute a range of malicious cyber operations. The report notes that while many of these attempts were detected and mitigated before execution, the trend highlights the increasing sophistication of AI-driven attacks [3].

One of the most alarming findings from the report is the use of Claude to automate large-scale data theft and extortion campaigns. A cybercriminal group reportedly used the AI model to craft customized ransom demands and make real-time tactical decisions, significantly streamlining the extortion process. According to the report, this particular campaign targeted more than 17 organizations, demonstrating the scalability and efficiency that AI can bring to malicious operations [3].

The report also details a concerning case involving North Korean threat actors who exploited Claude to create realistic fake identities and pass technical interviews, enabling them to secure fraudulent remote IT jobs at legitimate technology firms. This strategy, which appears to be a state-sponsored initiative, aims to generate financial support for the North Korean regime. The use of generative AI in this manner underscores the expanding scope of AI's role in cybercrime, where it is not only used to launch direct attacks but also to infiltrate organizations under the guise of legitimate employment [3].

Another notable example is the development of ransomware variants using Claude. The report outlines how a cybercriminal used the LLM to refine and distribute multiple ransomware strains, each equipped with advanced evasion techniques, strong encryption, and anti-recovery mechanisms. These AI-enhanced ransomware tools pose significant challenges for cybersecurity professionals, as they are designed to bypass traditional detection methods and resist data recovery attempts [3].

In parallel to these developments, ESET researchers have identified a new AI-powered ransomware named PromptLock, currently in the proof-of-concept stage. According to a report published on August 26, PromptLock is the first known ransomware to utilize a generative AI model for attack execution. The malware employs OpenAI’s gpt-oss:20b model, accessed through the Ollama API, to dynamically generate malicious Lua scripts. These scripts, which are cross-platform and can run on Windows, Linux, and macOS, perform tasks such as file system enumeration, data exfiltration, and encryption [3].

PromptLock is written in Golang and has been observed in both Windows and Linux variants submitted to VirusTotal. The researchers noted that the malware does not yet include a data destruction feature and appears to be a work in progress. However, the discovery of AI-powered ransomware in any stage of development is a cause for concern among cybersecurity experts. The approach used by PromptLock aligns with the ‘Internal Proxy’ technique, which involves establishing a tunnel from a compromised network to a remote server hosting the AI model. This tactic is increasingly common in contemporary cyberattacks, offering attackers a means of evading detection while maintaining persistence [3].

The emergence of AI-powered ransomware and the broader use of LLMs for malicious purposes signal a growing threat landscape in which cybercriminals are rapidly adapting to new technologies. As AI continues to advance, it is likely that attackers will continue to exploit these tools for more sophisticated and automated cyber operations. Organizations must remain vigilant and invest in robust cybersecurity measures to mitigate the risks posed by these emerging threats [3].

Source: