{"id":4581,"date":"2026-02-21T18:38:06","date_gmt":"2026-02-21T18:38:06","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/02\/21\/low-skilled-cybercriminals-use-ai-to-perform-vibe-extortion-attacks\/"},"modified":"2026-02-21T18:38:06","modified_gmt":"2026-02-21T18:38:06","slug":"low-skilled-cybercriminals-use-ai-to-perform-vibe-extortion-attacks","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/02\/21\/low-skilled-cybercriminals-use-ai-to-perform-vibe-extortion-attacks\/","title":{"rendered":"Low-Skilled Cybercriminals Use AI to Perform &#8220;Vibe Extortion&#8221; Attacks"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Unsophisticated cyber threat actors have started delegating key steps of extortion campaigns to large language model (LLM)-powered AI assistants.<\/p>\n<p>In a report published on February 17, Unit 42, Palo Alto Networks\u2019 research team, shared findings about a low-skilled actor who used an LLM to script a professional extortion strategy, complete with deadlines and pressure tactics.<\/p>\n<p>The researchers have dubbed this technique \u201cvibe extortion.\u201d<\/p>\n<p>In one incident investigated by Unit 42, the cybercriminal recorded a threat video from their bed while visibly intoxicated, reading the AI-generated script word-for-word from a screen.<\/p>\n<p>While the threat lacked technical depth and seriousness, Unit 42 researchers argued that the LLM \u201csupplied the coherence\u201d and could open the door to more serious ways of using AI for low-skilled actors.<\/p>\n<p>\u201cAI didn\u2019t make the attacker smarter; it just made them look professional enough to be dangerous,\u201d they added.<\/p>\n<h2><strong>AI, A \u201cForce Multiplier\u201d For Cybercriminals<\/strong><\/h2>\n<p>This case was just one of many examples identified by Unit 42 researchers of cyber threat actors using AI in a novel 
way to help them achieve their cyber extortion goals.<\/p>\n<p>In the report, the researchers argued that AI, and especially generative AI (GenAI), has now become a \u201cforce multiplier for attackers.\u201d<\/p>\n<p>\u201cIn 2025, threat actors moved from experimentation to routine operational use. AI is not an attacker\u2019s \u2018easy button,\u2019 but it is a massive friction reducer,\u201d they wrote.<\/p>\n<p>Unit 42 observations showed that the cybercrime ecosystem is well beyond the \u201cphishing with better grammar\u201d phase. Attackers are now using GenAI in novel ways to help them scale or speed up the attack lifecycle, iterate more frequently, operate with fewer human constraints or lower the barrier to entry for cybercriminals.<\/p>\n<p>These include:<\/p>\n<ul>\n<li><strong>Scanning vulnerabilities faster for rapid exploitation<\/strong>: Unit 42 researchers found that attackers start scanning for newly discovered vulnerabilities within 15 minutes of a CVE being announced, with some exploitation attempts beginning before many security teams have even finished reading the vulnerability advisory<\/li>\n<li><strong>Parallelized targeting<\/strong> with reconnaissance and initial access attempts across hundreds of targets at once<\/li>\n<li><strong>Delegating and automating key ransomware tasks<\/strong>, such as script generation, templating and extortion<\/li>\n<li><strong>Crafting hyper-personalized social engineering<\/strong> (e.g. 
automating open-source intelligence collection, including professional and organizational context to craft lures that match the target\u2019s role and relationships)<\/li>\n<li><strong>Creating synthetic identities<\/strong>: threat actors like Scattered Spider (tracked by Palo Alto as Muddled Libra) and North Korean IT workers increasingly use deepfake techniques to steal credentials and pass remote hiring workflows<\/li>\n<li><strong>Developing malware<\/strong>: in the Shai-Hulud campaign, Unit 42 assessed that attackers used an LLM to generate malicious scripts<\/li>\n<li><strong>Turning an AI platform into a weapon<\/strong>: threat actors use valid credentials to misuse enterprise AI platforms. For example, recent Unit 42 research on Google Vertex AI demonstrated how attackers could misuse custom job permissions to escalate privileges and use a malicious model as a Trojan horse to exfiltrate proprietary data<\/li>\n<\/ul>\n<p>Speaking to <em>Infosecurity<\/em>, Chris George, managing director at Unit 42, said he is especially impressed by how AI can help scale and speed up reconnaissance.<\/p>\n<p>\u201cNow that threat actors are fully using AI to fix phishing emails\u2019 grammar and make them more compelling, throwing product names or system names in the mix that were collected through reconnaissance and will sound familiar and specific to the victim adds a level of realism that makes phishing more efficient,\u201d he explained.<\/p>\n<p>\u201cWe even use AI for reconnaissance internally, within Unit 42, to support our assessments,\u201d he added.<\/p>\n<p>Haider Pasha, VP and CSO for EMEA at Palo Alto Networks, told <em>Infosecurity<\/em> that he is particularly concerned by how AI has helped shrink the time to infiltrate networks and exfiltrate data.<\/p>\n<p>\u201cWhat used to take on average three to four weeks has now dropped down, in certain cases, to under 25 minutes. 
This is a record time that we didn&#8217;t anticipate and that would have been impossible without AI,\u201d he said.<\/p>\n<h2><strong>Recommendations to Mitigate AI Threats and Threats to AI<\/strong><\/h2>\n<p>In their report, Unit 42 researchers provided recommendations to mitigate AI threats in three domains: countering the AI-accelerated attack speed, defending against improved tradecraft and protecting the AI attack surface.<\/p>\n<p>Recommendations for countering the AI-accelerated attack speed include:<\/p>\n<ul>\n<li>Automating external patching: Mandate automated patching for critical CVEs on internet-facing assets to close the 24-hour exploitation window<\/li>\n<li>Autonomous containment: Deploy AI-driven response to drive down mean time to detect\/respond (MTTD\/MTTR) and isolate threats before they can automate lateral movement<\/li>\n<\/ul>\n<p>Recommendations for defending against improved tradecraft include:<\/p>\n<ul>\n<li>Behavioral email security: Transition from signature-based filters to engines that identify anomalies in communication patterns<\/li>\n<li>Intent-based awareness: Move beyond simply training employees to spot typos. Shift to out-of-band (OOB) verification for all sensitive requests (e.g., wire transfers, credential resets or remote hiring)<\/li>\n<\/ul>\n<p>Recommendations for protecting the AI attack surface include:<\/p>\n<ul>\n<li>Monitoring model telemetry: Correlate unusual AI API calls or scripts sourced from model outputs with known evasion techniques<\/li>\n<li>Improving prompt visibility: Alert on sensitive queries to internal LLMs (e.g. \u2018find all passwords\u2019) and enforce strict permission boundaries for tokens and service accounts<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Unsophisticated cyber threat actors have started delegating key steps of extortion campaigns to large language model (LLM)-powered AI assistants. 
In a report published on February 17, Unit 42, Palo Alto Networks\u2019 research team, shared findings about a low-skilled actor who used an LLM to script a professional extortion strategy, complete with deadlines and pressure tactics.<\/p>\n","protected":false},"author":2,"featured_media":4582,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4581","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c42-9365-42a25bb75093.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4581-0af9af2b-db82-4c
42-9365-42a25bb75093-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4581","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4581"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4581\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4582"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}