AI is Changing the Economics of Cybercrime

Crime can occur in broad daylight, as the world recently saw with the audacious Louvre theft of the French crown jewels. Yet other felons don’t even need to leave their desks. Cybercriminals operate from the shadowy digital realm, with the ability to reach victims across the globe with a few keystrokes.

With the help of AI, these criminal enterprises are now increasing the scope and impact of their operations. AI is fundamentally transforming the cybercrime landscape, making illegal operations easier to execute, faster to deploy, and cheaper to maintain than ever before.

The incentives of cybercrime

Individuals usually act in ways that are economically incentivized, and criminals are no different. For cybercriminals, the economic incentives have improved dramatically thanks to AI, and the risk-reward calculation has shifted decidedly in their favor.

AI has significantly reduced the costs of committing cybercrime, which has historically required significant administrative and intellectually complex work. AI helps attackers automate these tasks. All criminals need is access to dark web AI tools, or even regulated AI like Anthropic’s Claude, and they will have the ability to “commit large-scale theft and extortion of personal data,” according to an August 2025 report from Anthropic.

The speed of this change has been rapid: by November 2025, Anthropic reported a large-scale cyberattack in which about 30 global organizations were targeted. “While we predicted these capabilities would continue to evolve, what has stood out to us is how quickly they have done so at scale,” they wrote in the report. According to their estimates, 80-90% of the attack was automated by AI.

Not only is AI reducing the costs of committing cybercrime, it is also increasing the “value” of each cyberattack. AI is helping attackers to monetize the information they uncover in attacks. Cyberattacks can now be more adaptive — for example, malware that flexibly searches across a laptop to find exploitable information. There is a history of new technologies helping to enable cyberattacks: cryptocurrency made it more feasible for attackers to get money from their victims, because it allowed them to obscure their transactions more effectively. AI is the latest such technology to alter the cyber threat landscape.

The phishing revolution

A study from the Harvard Kennedy School and Avant Research Group has recently shown that AI has dramatically lowered the barriers to committing the most prevalent form of cybercrime. Traditional phishing — the indiscriminate approach to email impersonation — can now be refined to enable far more effective spear phishing campaigns. Spear phishing targets specific organizations and their employees with customized messages designed to access sensitive information or install malware. AI helps attackers make these messages seem even more real, through enhanced personalization and targeting.

According to the study, AI can cut costs by 90% and increase profitability for spear phishing campaigns by up to 50 times for larger audiences. The study also discovered that AI-assisted spear phishing emails achieved a staggering 54% click-through rate, matching the performance of emails crafted by human experts. By contrast, only 12% of the control group clicked on links in generic, arbitrary phishing emails. And the success of these AI-assisted emails has improved drastically even in the last year.

This represents a seismic shift in the threat landscape. Cybercriminals no longer need years of experience to learn the tricks of the trade or to gain advanced social engineering skills. AI democratizes criminal expertise, placing professional-grade attack capabilities in the hands of any bad actor.

The all-encompassing scope

Zooming out for a moment: cybercrime has surged alongside internet adoption and has grown to be highly sophisticated. According to a CFO survey, an overwhelming 85% of cybersecurity professionals attribute the recent proliferation of attacks directly to generative AI technologies. Anne Neuberger, the former US Deputy National Security Advisor for cyber and emerging technologies, projects that the annual average cost of cybercrime will exceed $23 trillion by 2027.

The stakes are high at the level of national security, but the threat is also rising for much smaller enterprises. In addition to lowering the required effort, AI is expanding the reach of cyberattacks. Small businesses often lack robust security infrastructure, which makes them particularly vulnerable to attacks. As the cost of attacking small businesses decreases because of AI, small businesses have increasingly become targets of cybercrime. As of 2024, 60% of small businesses consider cyberattacks to be the biggest threat they face.

Anthropic’s threat intelligence team has seen large cybercrime campaigns — which would typically require an entire team working for months — that can now be executed in mere weeks by a single criminal equipped with AI agents.

The threat exists at every level, down to local communities. The same threat intelligence team found that a malicious user deployed Claude, Anthropic’s AI model, to victimize a church. The AI was able to search and find sensitive donor information to carry out an extortion scheme.

Data breach alarmism?

John Chambers, the former CEO of Cisco, once said, “There are only two types of companies: Those that have been hacked and those that don’t know they have been hacked.” But do data breaches actually cause economic harm?

A study that examined the largest scope of data breaches claims they are “much ado about nothing.” The research concludes that breached and non-breached firms show no significant differences in auditing fees, long-term returns, or future performance. Consider: Walmart has ongoing data security issues, but are you going to shop there less? The authors conclude that only exceptionally large exposures result in significant consequences, like the Equifax hack.

This might seem counterintuitive, because data breaches cost a lot to clean up according to IBM. But a closer look observes that the final cost is marginal. Both Target and Home Depot suffered extensive hacks to their customer data, $105m and $28m bills respectively, yet both were less than 0.1% of revenue for both companies. Small businesses have much less revenue to work with to swallow the costs of a cyberattack.

Up until now, most stolen data hasn’t been heavily exploited because it’s hard to profit from it. AI could change the game with its ability to automate the exploitation. With the ability to identify the most sensitive data to extract and tailor extortion threats to individual psychological profiles, the risks are much higher. Because of the value that attackers could extract from each individual, ordinary people may start to get a level of attention from cyberattackers that was previously only given to millionaires and billionaires.

AI as defense

Regrettably, the international response to cybercrime remains uneven. US law enforcement agencies spend more on combating cybercrime than the next ten countries combined. And most police forces won’t pursue cases where the victims are overseas. Imagine stealing from the Louvre without having to be in France.

However, the same AI technologies which empower criminals could also strengthen defenses. AI systems excel at identifying cyberthreats in real-time. The phishing study found that “Claude 3.5 Sonnet scored well above 90% with low false-positives and detected several seemingly benign emails that passed human detection.”

AI has created a slightly absurd predicament where it can serve as both a weapon and shield. The feedback loop is disconcerting: as AI-enabled attacks improve, AI-powered defenses try to catch up, which in turn drives further innovation to circumvent the defenses.

Even still, there can be asymmetries when it comes to AI’s potential for offense vs. defense. For one, getting small businesses (especially ones run by non-technical individuals) to deploy cutting-edge technology can be difficult. As well, while defense requires protecting all assets from exploitation, offense generally only requires finding a single vulnerability.

We can’t rely on cybersecurity staying ahead of hackers indefinitely. The consequences of falling behind risk significant disruptions to commerce and further distrust in the digital landscape at all levels.