2026 CrowdStrike Global Threat Report: AI Accelerates Adversaries and Reshapes the Attack Surface

Key Terms

ecrime technical

eCrime means criminal activity carried out through computers, networks or online services, such as hacking, phishing, ransomware, payment fraud or data theft. It matters to investors because these attacks can steal cash or customer data, disrupt operations, incur regulatory fines and damage reputation – like a digital break-in that interrupts a company’s business and forces costly repairs and legal bills.

genai technical

Generative AI (genai) is a type of artificial intelligence designed to create new content, such as text, images, or music, that resembles human-produced work. It matters to investors because it has the potential to transform industries by automating tasks, enhancing creativity, and enabling new products and services, which can influence company performance and market opportunities.

ransomware technical

Ransomware is malicious software that locks or encrypts a company’s computer files and systems, then demands payment for their release — like a thief changing the locks on a business and asking for a ransom. It matters to investors because attacks can halt operations, trigger large cleanup costs, damage customer trust, lead to regulatory fines or legal claims, and reduce future revenue, all of which can hurt a company’s financial value.

remote code execution technical

Remote code execution is a security flaw that allows an attacker to run their own software on a company's computer or server over a network, like an intruder entering a building and using its equipment. It matters to investors because a successful exploit can disrupt operations, expose sensitive data, trigger regulatory penalties and expensive fixes, and damage reputation — all of which can hurt revenue and share value.

privilege escalation technical

Privilege escalation is when someone gains higher access rights in a computer system than they are supposed to have, for example turning a basic user account into an administrator. Think of it like a visitor finding a master key that opens restricted offices: it can expose sensitive data, disrupt operations, or allow malicious actions. For investors, such breaches can lead to financial losses, regulatory fines and lasting reputational damage that affect a company’s value.

saas technical

SaaS, or Software as a Service, is a way of delivering computer programs over the internet, allowing users to access and use them through a web browser without needing to install or maintain the software themselves. For investors, it highlights a business model where companies generate recurring revenue by providing ongoing access to their software, often leading to predictable income and growth potential.

cryptocurrency financial

Cryptocurrency is a type of digital money that uses special computer codes to secure transactions and control the creation of new units. Unlike traditional cash, it exists only electronically and isn't issued or regulated by any government or bank. For investors, it represents a new form of asset that can be used for transactions or held as an investment, often with the potential for high gains but also significant risks.

AI-enabled attacks surge 89% as breakout time falls to 29 minutes; AI tools and development platforms are actively exploited

AUSTIN, Texas--(BUSINESS WIRE)-- CrowdStrike (NASDAQ: CRWD) today released its 2026 Global Threat Report, revealing that AI is accelerating the adversary and expanding the enterprise attack surface. The average eCrime breakout time fell to just 29 minutes in 2025, with the fastest observed breakout occurring in only 27 seconds. Adversaries are also actively exploiting AI systems themselves, injecting malicious prompts into GenAI tools at more than 90 organizations and abusing AI development platforms. The Global Threat Report makes clear that as innovation accelerates, adversary exploitation follows.

AI-enabled adversaries increased operations by 89% year-over-year, weaponizing AI across reconnaissance, credential theft, and evasion. Intrusions now move through trusted identities, SaaS applications, and cloud infrastructure, blending into normal activity while compressing defenders’ time to respond. AI is both the accelerant and the target.

CrowdStrike Global Threat Report Highlights:

Based on frontline intelligence from CrowdStrike’s elite threat hunters and intelligence analysts tracking more than 280 named adversaries, the report reveals:

• AI Is the New Attack Surface – Prompts are the New Malware: Adversaries exploited legitimate GenAI tools at more than 90 organizations by injecting malicious prompts to generate commands for stealing credentials and cryptocurrency. They also exploited vulnerabilities in AI development platforms to establish persistence and deploy ransomware, and published malicious AI servers impersonating trusted services to intercept sensitive data.
• Fastest Breakout Time on Record: As AI accelerated attacks, the average eCrime breakout time fell to 29 minutes – a 65% increase in speed from 2024 – with the fastest observed breakout ever occurring in just 27 seconds. In one intrusion, data exfiltration began within four minutes of initial access.
• Nation-State and eCrime AI Use Accelerates: AI-enabled adversaries increased their activity by 89%. Russia-nexus FANCY BEAR deployed LLM-enabled malware (LAMEHUG) to automate reconnaissance and document collection. eCrime actor PUNK SPIDER used AI-generated scripts to accelerate credential dumping and erase forensic evidence, and DPRK-nexus FAMOUS CHOLLIMA leveraged AI-generated personas to scale insider operations.
• China- and DPRK-Nexus Operations Surge: China-nexus activity increased 38% in 2025, with the logistics vertical having the greatest increase in targeting up 85%. 67% of all exploited vulnerabilities by China-nexus actors delivered immediate system access, while 40% targeted internet-facing edge devices. DPRK-linked incidents rose more than 130% as FAMOUS CHOLLIMA activity more than doubled. PRESSURE CHOLLIMA’s $1.46B cryptocurrency theft was the largest single financial heist ever reported.
• Zero Day and Cloud Exploitation Grows: 42% of vulnerabilities were exploited before public disclosure as adversaries weaponized zero days for initial access, remote code execution, and privilege escalation. Cloud-conscious intrusions rose by 37% overall, with a 266% increase from state-nexus threat actors targeting cloud environments for intelligence collection.

“This is an AI arms race,” said Adam Meyers, head of counter adversary operations at CrowdStrike. “Breakout time is the clearest signal of how intrusion has changed. Adversaries are moving from initial access to lateral movement in minutes. AI is compressing the time between intent and execution while turning enterprise AI systems into targets. Security teams must operate faster than the adversary to win.”

Additional Resources:

• Download the CrowdStrike 2026 Global Threat Report.
• Visit CrowdStrike’s Adversary Universe for the internet’s definitive source on adversaries.
• Listen to the Adversary Universe podcast to glean insights into threat actors and recommendations to amplify security practices.
• To learn more about the 2026 Global Threat Report, read our blog or visit us online.

About CrowdStrike

CrowdStrike (NASDAQ: CRWD), a global cybersecurity leader, has redefined modern security with the world’s most advanced cloud-native platform for protecting critical areas of enterprise risk – endpoints and cloud workloads, identity and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting, and prioritized observability of vulnerabilities.

Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity, and immediate time-to-value.

CrowdStrike: We stop breaches.

Learn more: https://www.crowdstrike.com/
Follow us: Blog | X | LinkedIn | Instagram
Start a free trial today: https://www.crowdstrike.com/trial

© 2026 CrowdStrike, Inc. All rights reserved. CrowdStrike and CrowdStrike Falcon are marks owned by CrowdStrike, Inc. and are registered in the United States and other countries. CrowdStrike owns other trademarks and service marks and may use the brands of third parties to identify their products and services.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260224017260/en/

Media Contact

Jake Schuster

CrowdStrike Corporate Communications

press@crowdstrike.com

Source: CrowdStrike