Adversarial Intelligence: How AI Powers the Next Wave of Cybercrime

Adversarial Intelligence: How AI Powers the Next Wave of Cybercrime

The adversaries targeting modern enterprises are no longer isolated actors operating from improvised setups. They run structured operations with budgets, deadlines, and performance targets, functioning, as Andres Andreu puts it, as a legitimate business. Artificial intelligence has given these operations an asymmetric advantage that is fundamentally reshaping the threat landscape. Andreu, CEO of Constella Intelligence, presents a comprehensive analysis of how AI has transformed the economics of cyberattacks in a session on 1ArtificialIntelligence hosted by Glenn Tyranski, Partner at 1BusinessWorld and Executive in Residence at King's College. Andreu frames the discussion not around chatbots or large language models in isolation, but around what he calls adversarial intelligence: the combination of intelligence, automation, synthetic content, and workflow support that adversaries are using to improve their outcomes across the full attack lifecycle.

The session covers why AI matters now, how it simultaneously improves facilitation and scale for attackers, the role of dark LLMs and deepfakes, the four-phase attack lifecycle from harvest through monetization, the dark social layer that sustains the cybercrime ecosystem, and the specific changes defenders must make to their operating models to respond to threats that are no longer static, isolated, or human-paced.

Not Magic, Leverage

Andreu opens with a deliberate reframing. AI does not make adversaries magical. There is no black magic involved. What AI provides is leverage, and understanding the nature of that leverage is the starting point for any serious defensive strategy. The leverage manifests in several dimensions. Attackers start faster. Their content is more polished. The code generated by AI engines is strategically sound. And they can operate far more attempts in parallel than was possible when the work was done manually.

The reason this matters now is that AI has lowered the barrier to entry into cybercrime to what Andreu describes as relatively zero. Tasks that previously required significant time, skill, and coordination can now be generated and launched by actors with little to no technical capability, and the quality of the output is higher regardless of the attacker's skill level. At the same time, AI has eroded the human signals that organizations and individuals once relied on to determine what was real. Voice, video, tone, familiarity, urgency, social proof, all of these trust signals can now be synthetically generated and weaponized.

The result is that defenders are being hit from multiple angles simultaneously, facing higher volume, more convincing content, and compounded challenges that are exponentially larger than in the past. The static controls that enterprises traditionally relied upon, including manual reviews, one-time awareness training, and annual penetration tests, are no longer sufficient by themselves. And this is not exclusively a security problem. Andreu positions it explicitly as a finance problem, a customer success problem, a customer trust problem, and a business risk problem.

Facilitation: The Barrier to Entry Drops to Zero

Andreu organizes his framework around two forces: facilitation and scale. Facilitation is how AI makes attacks easier. AI can write code, explain code, and troubleshoot errors, a process that historically consumed significant time and required software engineering expertise. The trial-and-error cycle for identifying vulnerabilities within an ecosystem has been accelerated to what Andreu calls a daunting level. Even when the output of AI engines is imperfect, it still reduces the time needed to produce something usable. Attackers do not need perfection. They need enough capability to get in and move forward.

Andreu illustrates the point with a specific example. If you ask a mainstream AI engine to write malware, most will refuse. But if you ask it to write a function that takes a file and copies it from point A to point B, there is nothing nefarious about that request. That is exactly what an info stealer does. The intent is malicious, but the creation is not, which means that even without dark LLMs, even using standard commercial AI tools, an attacker with no software engineering background can construct functional malware by decomposing the task into individually innocuous components.

Deepfakes, Impersonation, and Vibe Hacking

The cost of creating believable identity abuse has collapsed. Fake voice, fake facial movement, fake language, fake cadence, all of these can now be produced at a cost that is accessible to virtually anyone. Andreu emphasizes that these capabilities operate in real time. A full video interaction, with request and response, can be conducted by a person whose face and voice have been entirely replaced by a synthetic identity. He points to the session itself as an illustration. He and Tyranski are speaking face to face over video, but he could change his face in real time, and Tyranski would have no way to determine that he was interacting with a fraudulent persona.

This leads to what Andreu calls vibe hacking. AI has strong capabilities in sentiment analysis, and those capabilities can be turned toward manipulating the emotional variables of a target: urgency, response to authority, empathy, familiarity, embarrassment, and fear. Once the AI determines what makes a specific target responsive, it can craft communications that exploit those triggers. The result is that social engineering is no longer a craft practiced by skilled human operators. It is an automated, scalable, and continuously improving system.

Dark LLMs: The Attacker's Toolkit

Andreu describes the ecosystem of dark LLMs, purpose-built language models that operate the same way as ChatGPT or Gemini but from a nefarious perspective. WormGPT, FraudGPT, and Kawaii GPT are among the tools that have emerged, trained on cybercriminal content to deliver the same leverage that mainstream AI provides to legitimate users. Some are accessible only on the dark web, while others operate on the surface web. Some are scams themselves, charging for access but delivering nothing functional. But the ones that work, Andreu says, are quite effective, and the output is, in his words, pretty disturbing.

He describes demonstrations he has given in which three strategically worded prompts generate an entire ransomware campaign, and another demonstration that produces a functional info stealer. Zero skill is involved. The user needs only to know how to interact with the engine and frame the request.

Scale: From Campaign to Operating System

If facilitation makes attacks easier, scale makes operations bigger. Andreu describes how agentic AI models can be chained into workflows, assigned subtasks that execute in parallel, and used to coordinate reconnaissance, lure creation, translation, triage, and follow-ups simultaneously. In a distributed model, agents communicate with each other and adapt in real time. He uses the example of a distributed denial-of-service attack in which sub-agents are attacking a target, and when the target identifies a pattern and deploys a defense, any one of the agents can detect the countermeasure, communicate the change to the other agents, and all of them adjust accordingly. The DDoS attacks that are coming, Andreu warns, are intelligent and adaptive.

The real advantage is not speed alone. It is concurrency. Adversaries can run more experiments, send more messages, target more identities, create more attackable profiles from extremely large datasets, and pursue more attack pathways without growing a human team. The hyper-personalization that vibe hacking enables can now be fully automated and continuously improved. A generic campaign can target a thousand different people, with content modified automatically based on each target's title, role, geography, company context, and public content, without the attacker doing anything beyond creating the initial campaign properly.

Tyranski connects this to a concept from his management teaching. Michael Porter's five forces framework treats barrier to entry as a source of competitive advantage for incumbents. In cybercrime, those barriers have entirely collapsed. All of those curtains have come down, Tyranski observes. Andreu's response is direct: it is literally zero.

The Dark Social Layer and the Cybercrime Ecosystem

None of this operates in a vacuum. Andreu describes the dark social layer as the connective tissue around cybercrime: private Telegram channels, semi-open communities, marketplaces, brokers, and ephemeral or burner identities that enable actors to create campaigns, share playbooks, distribute tools, and trade data. Without the data, many of these attack campaigns would not be possible.

What makes these ecosystems powerful is not their reach but their resilience. Privacy-first design, easy account turnover, and rapid reformation of communities mean that takedowns are less decisive than defenders would hope. These environments behave like growth operations. They learn, they adapt, they attract users, they segment communities, they push updates, and they distribute services. Cybercrime, Andreu argues, is no longer a technical activity. It is an organized distribution challenge.

The Attack Lifecycle: Harvest, Persuade, Breach, Monetize

Andreu breaks down the end-to-end operationalization of AI-enabled cybercrime into four phases. In the harvest phase, AI-supported open source intelligence interactions pull details together on targets, executives, and employees from disparate sources, assembling them in automated form with greater consistency than manual research could produce. In the persuade phase, that context becomes the lure. Emails, chats, SMS, voice, and video can all be weaponized against a target, and the content adjusts dynamically rather than relying on static messages. In the breach phase, AI does not need to replace every technical step. It only needs to reduce friction enough to be successful, through code assistance, troubleshooting, the creation of droppers and loaders, session hijack support, and the theft of active session objects. Monetization is the end goal: cash or leverage through business email compromise, invoice fraud, credential resale, extortion, and identity abuse.

Andreu grounds this in a case study. The National Public Data breach, which began in late 2023 and extended into 2024, exposed a massive volume of identity-rich data that became the raw material for a sextortion campaign that affected large numbers of individuals. The case illustrates a critical principle: a breach is no longer an isolated incident. It is the beginning of a larger downstream attack chain, because breaches are now industrialized against other breach sets, and the attacker ends up with a much richer dataset than any single breach would provide. AI amplifies the value of that exposed data by refining targeting, supporting impersonation, personalizing coercion, and scaling the campaign to levels that would have been impossible manually.

Content Is Code: The Expanding Attack Surface

Andreu introduces a concept that reframes how defenders should think about AI-connected environments. Content is code. In environments where AI systems process prompts, documents, messages, memory dumps, and retrieved content, all of these inputs can influence system behavior in ways that feel closer to execution than to static data. AI worms that move horizontally through connected systems represent an emerging threat vector that defenders must instrument and monitor.

The attack surface now extends well beyond the AI model itself. Andreu emphasizes that defenders cannot focus exclusively on securing the model and prompt engineering. They must secure the entire system around the model: the APIs, the integrations, memory stacks, retrieval layers, control pathways, ingress and egress pathways, and identity checks. AI-powered assistants that are connected to memory, tools, and actions have access to capabilities that can empower malicious workflows, and they can move through trusted channels in ways that human attackers cannot. Synthetic identities, complete with forged media and simulated background history, mean that identity-proofing workflows and business decisions are now part of the battleground.

The Defender Operating Model Has Changed

Andreu outlines the specific changes that defenders must make. Human verification is no longer a courtesy or a nice-to-have. It is essential. High-impact actions such as financial transfers must incorporate safe callbacks, out-of-band confirmation, and multiple levels of approval. Any workflow that relies on familiarity alone is now exposed. Andreu makes the point that executives who previously found verification procedures annoying must come to terms with the reality that digital trust has fundamentally shifted.

AI applications must be hardened with the same rigor applied to any production system: architectural review, logging, segmentation, testing, red teaming, secrets handling, change control, and clear ownership. In many environments, Andreu notes, it is not clear who owns these applications because enterprises rushed into deploying AI technologies without establishing proper controls.

The shift from static signatures and indicators of compromise toward behavioral anomaly detection is no longer optional. AI-enabled attacks mutate and adapt, which means defenders need instrumentation for anomalies in processes, sequences, accesses, workflows, and decision behavior. Content isolation for high-trust actions creates an opportunity not just to block, but to study and instrument adversarial behavior, turning attacker automation into an early warning system and a teaching mechanism for security operations.

Tyranski brings up a defensive concept from the session: AI honeypots. Andreu describes them as intelligent digital twins that can be created dynamically, replicating the crown jewels of an organization with decoy content, pushing them to an isolated area of the network, and using them as a lure to redirect attackers. He notes that deception engineering is one of the mechanisms that genuinely empowers defenders against AI-powered attacks, and that he is traveling the following day to present an entire session dedicated to the topic.

Key Takeaways: What Executives Must Understand

Andreu closes with four points that he frames as essential for organizational leaders. First, AI-enhanced adversaries are not winning because anything is automagical. They are winning because AI has improved facilitation and scale simultaneously, creating an asymmetric advantage. Understanding that gives defenders a starting point for building protective mechanisms.

Second, synthetic trust signals are now weaponized. Voice, tone, facial expressions, and context can no longer be treated as reliable by default. Traditional verification methods are dead. Any workflow that depends on those older signals is now vulnerable.

Third, the system around AI models is part of the attack surface. Leaders who focus only on the model and ignore the integrations, identity, memory, and surrounding infrastructure are missing the actual targets that could lead to a catastrophic breach.

Fourth, there is a real defensive opportunity. Organizations that learn to convert attacker automation into an early warning and teaching system will not just absorb information better. They will create decision advantage from the activity being directed against them.

Tyranski closes with a reflection that captures the weight of the session. Having spent years at the New York Stock Exchange working in regulation and governance, and having served on boards, he asks whether digital trust, once eroded, can be recovered. Andreu's answer is direct: we cannot go back to the old days. What organizations can do is build new mechanisms to enhance trust, but the signals that once served as the foundation of digital confidence are permanently compromised. The imperative now is not recovery. It is adaptation.