Cybercriminals have for the first time weaponised artificial intelligence to discover and exploit an unknown software vulnerability, Google's Threat Intelligence Group has said.
The company revealed that hackers used AI to identify a so-called "zero-day" flaw (a previously unknown software bug requiring urgent action) and leveraged it to bypass two-factor authentication (2FA) on a widely used platform. The attack was intercepted before it could cause widespread harm, but Google warned that the incident signals a dangerous new era in cybercrime.
Two-factor authentication, which requires users to verify their identity through a second method such as a text message code or an app like Google Authenticator, has long been considered one of the most reliable defences against unauthorised account access. Google declined to name the affected software or vendor, but confirmed the vulnerability has since been patched.
John Hultquist, chief analyst at Google Threat Intelligence Group, said: "We believe this is the tip of the iceberg. If criminals are doing it, then state actors with significant resources probably are too."
Google's broader AI threat tracker report found that hackers are now using AI to industrialise cyberattacks, from hunting for software flaws and writing malicious code to automating attacks that can run around the clock without human intervention. Google does not believe the criminals involved used cutting-edge AI systems such as its own Gemini or Anthropic's recently unveiled Mythos model, but rather an older AI system, suggesting even legacy AI tools now pose a significant threat.
In April, AI provider Anthropic restricted access to its latest model, Mythosrestricted access to its latest model, Mythos, claiming that its advanced capabilities in software analysis and vulnerability discovery coud be subject to misuse by hackers and systemic cyber risk.
