Google’s Threat Intelligence Group (GTIG) has published a major security report warning that artificial intelligence is now being weaponized by state-linked hackers and criminal threat actors at industrial scale — with autonomous malware, AI-generated zero-day exploits, and credential-targeting operations posing a direct and escalating threat to crypto users relying on standard security measures.
The May 11 report, published on the Google Cloud blog by GTIG and drawing on Mandiant incident response engagements, marks a significant escalation from the group’s February 2026 findings. Where that earlier report identified AI-assisted adversarial activity as nascent and experimental, the latest assessment describes a mature transition — one where generative models are now embedded in offensive workflows at scale, not as a curiosity but as operational infrastructure.
ETH's price records some losses on the daily chart. Source: ETHUSD on Tradingview
AI Writes Its First Zero-Day Exploit
The most significant disclosure in the report is unprecedented. For the first time, GTIG has identified a threat actor using a zero-day exploit believed to have been developed with AI assistance. According to the report, a criminal threat actor had planned to deploy the exploit in a mass exploitation event — a scenario that GTIG’s proactive counter-discovery may have prevented.
The report notes that state-linked actors associated with China and North Korea have separately demonstrated significant interest in using AI for vulnerability discovery. The implications for crypto users are direct: wallet interfaces, exchange login portals, and browser extension-based authentication tools all depend on the same underlying software layers that zero-day exploits target.
Polymorphic Malware And The Limits Of 2FA For Crypto Users
Beyond zero-day development, the report documents AI-accelerated development of polymorphic malware — code that rewrites its own structure to evade detection — linked to suspected Russia-nexus threat actors, per GTIG’s analysis. AI-generated decoy logic is being embedded in malware payloads to defeat signature-based security systems.
The most direct threat to crypto users, however, comes through a capability GTIG calls PROMPTSPY — an AI-enabled malware that signals a shift toward autonomous attack orchestration. According to the report, PROMPTSPY interprets system states dynamically and generates commands in real time to manipulate victim environments. Applied to credential theft, this class of malware can observe and respond to authentication flows in ways that static attack tools cannot — including timing attacks against SMS-based and app-based two-factor authentication systems during live sessions.
Standard 2FA, long considered a reliable security baseline for exchange and wallet access, operates on the assumption that an attacker cannot observe and respond to the authentication window in real time. Autonomous, AI-driven malware capable of interpreting system states changes that assumption materially.
A Threat Environment That Has Shifted
GTIG’s report frames the current moment as a dual-use inflection point — AI is simultaneously becoming a high-value target for attacks and a sophisticated engine driving them. For participants in the nascent digital asset sector, where a single compromised seed phrase or session token represents an irreversible loss, the implications are substantial.
The security practices that adequately protected crypto users two years ago are increasingly insufficient against an adversarial toolkit that now includes AI-generated exploits, self-modifying malware, and autonomous credential-harvesting operations operating faster than human defenders can respond.
Hardware security keys, air-gapped signing devices, and multi-signature wallet architectures represent the current frontier of meaningful protection — and the distance between those measures and standard 2FA has never been wider.
Cover image from Grok, ETHUSD chart from Tradingview
