Hackers use AI to automate phishing campaigns, crack passwords, generate deepfake audio, discover zero-day vulnerabilities, and evade security tools at speeds no human attacker could match. You need to understand these offensive AI techniques because they are actively reshaping the threat landscape in 2026.
How Hackers Use AI to Scale Phishing Attacks
Large language models now generate personalised spear-phishing emails that reference a target’s job title, recent projects, and LinkedIn activity. A 2025 SlashNext report found that AI-powered phishing attacks bypass traditional content filters at rates three to five times higher than human-written campaigns. IBM X-Force documented a case where attackers generated 12,000 unique phishing emails targeting one financial institution, each customised to the recipient’s department.
Open-source models like WormGPT and FraudGPT, sold on dark web forums for $200 per month, strip away safety guardrails and let anyone generate convincing social engineering content in any language.
AI-Powered Password Cracking
PassGAN, a generative adversarial network built for password cracking, guesses 51% of common passwords in under one minute and 71% within 24 hours. Unlike dictionary attacks, PassGAN learns patterns from leaked datasets and generates candidates that mirror real human behaviour. Home Security Heroes confirmed these figures against 15.6 million passwords from the RockYou dataset. Your standard complexity requirements are far less effective when AI predicts the patterns your users actually choose.
Deepfake Voice and Video in Social Engineering
In February 2024, attackers used deepfake video to impersonate a CFO during a live call and convinced a finance employee at Arup to transfer $25.6 million. Voice cloning now requires just three seconds of sample audio, as Microsoft’s VALL-E research demonstrated. The FBI reported a 300% increase in deepfake fraud complaints between 2024 and 2025. Understanding the broader AI security risks helps you see how deepfakes fit into an expanding offensive toolkit.
AI-Assisted Vulnerability Discovery and Exploit Generation
Google’s Project Zero demonstrated in 2024 that an LLM-based tool discovered a previously unknown vulnerability in SQLite, the first confirmed zero-day found by AI. Carnegie Mellon researchers showed that fine-tuned models generate working exploit code for known CVEs with a 72% success rate, cutting the window between disclosure and exploitation from weeks to hours. The same prompt injection techniques used in defensive red teaming are weaponised by attackers to manipulate AI-powered security tools from the inside.
AI-Driven Malware That Evades Detection
BlackMamba, a proof-of-concept AI keylogger demonstrated at Black Hat 2023, used an LLM to rewrite its payload at runtime and evaded every major endpoint detection platform tested. Hyas researchers showed in 2025 that AI-generated polymorphic malware reduced detection rates from 95% to below 30% against commercial antivirus products. When malware rewrites itself on every execution, signature-based detection fails.
Defending Against Offensive AI
Your defence strategy must assume attackers have the same AI capabilities as your security team. Multi-layered detection combining content analysis, behavioural monitoring, and sender verification catches 96 to 98% of AI-generated phishing. Implement voice verification protocols for financial transactions requested by phone or video. Deploy endpoint detection whose adversarial training is updated continuously. Red team your systems quarterly using offensive AI tools so you understand what attackers can do before they target you.
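The layered check described above, as an added example that is not code from this article or from any product it names: it combines sender verification, one behavioural signal and one content signal, so a fluently written message is still caught on identity grounds. The sample message, hostnames, sender list, cue words and verdict rules are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample: fluent text with no spelling or grammar cues to filter on.
SAMPLE = """\
From: "Dana Reyes (CFO)" <dana.reyes@examp1e-corp.test>
Reply-To: dana.reyes.office@mailbox.test
Subject: Vendor payment before quarter close
Authentication-Results: mx.example-corp.test; spf=pass; dkim=none; dmarc=fail

Hi team, following up on the project review. Please process the attached
wire transfer today and confirm once it is done. Thanks, Dana
"""
TRUSTED_AUTHSERV = "mx.example-corp.test"         # assumed: our own inbound MTA
KNOWN_SENDERS = {"dana.reyes@example-corp.test"}  # assumed: prior correspondents
PAYMENT_CUES = re.compile(r"\b(wire transfer|gift cards?|bank details|invoice)\b", re.I)

def domain(addr):
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """spf/dkim/dmarc verdicts, read only from headers our own MTA stamped."""
    out = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() == TRUSTED_AUTHSERV:  # others are sender-forgeable
            out.update((m.lower(), v.lower())
                       for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I))
    return out

def signals(raw):
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = msg.get("Reply-To")
    return {
        "dmarc_not_pass": auth_results(msg).get("dmarc") != "pass",       # sender verification
        "reply_to_mismatch": bool(reply_to) and domain(reply_to) != domain(msg["From"]),
        "first_time_sender": sender not in KNOWN_SENDERS,                 # behavioural
        "payment_request": bool(PAYMENT_CUES.search(msg.get_payload())),  # content
    }

def verdict(raw):
    s = signals(raw)
    identity_doubt = s["dmarc_not_pass"] or s["reply_to_mismatch"]
    if s["payment_request"] and identity_doubt:
        return "quarantine"
    if identity_doubt or (s["payment_request"] and s["first_time_sender"]):
        return "warn"
    return "deliver"
```

Calling `verdict(SAMPLE)` returns `"quarantine"`: the look-alike domain fails DMARC and the Reply-To points elsewhere, even though the body text itself gives a content filter nothing to object to.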
Frequently Asked Questions
What AI tools do hackers use most frequently?
Hackers primarily use large language models for phishing, generative adversarial networks for password cracking and deepfakes, and fine-tuned models for vulnerability discovery. Dark web tools like WormGPT and FraudGPT provide unrestricted LLM access for around $200 per month.
Can AI-generated phishing emails be detected by traditional security tools?
Traditional filters catch AI-generated phishing at lower rates. SlashNext’s 2025 data shows AI phishing bypasses standard filters three to five times more often. Detection requires multi-modal analysis combining behavioural signals, sender reputation, and contextual anomalies.
How can organisations protect against deepfake social engineering?
Implement out-of-band verification for any financial request received via phone or video. Establish code words for high-value transactions, train staff on deepfake indicators, and deploy AI-based detection tools. Never authorise transfers based solely on a voice or video call.