AI Cyber Damage: Bounding the Tail
AI Cyber Damage: Bounding the Tail
Probability-weighted synthesis answer to "How likely is AI-enabled cyber damage to exceed 10% of global GDP by year Y?" — pulls from damage estimates, insurance market signals, tail-risk catalog, actor incentives, and incident base rates.
The question
A natural question for AI safety policy is: given the rise of AI-enhanced cyber capabilities, how likely is it that AI-enabled cyber damage becomes catastrophic? This page treats "catastrophic" in economic and institutional terms rather than as human extinction: events large enough to require sovereign-scale response, disrupt core infrastructure, or impose damage that is no longer comparable to ordinary ransomware, fraud, and breach cleanup.
The headline threshold used elsewhere in this cluster is 10% of global GDP in one year. That is intentionally demanding. It is much larger than the largest observed cyber incidents, larger than ordinary cybercrime estimates unless one accepts the broadest top-down cost definitions, and large enough that the relevant scenarios are mostly cascade scenarios rather than high-volume crime.
This page synthesizes four inputs:
- AI Cyber Damage Estimates — methodology comparison across the major damage-estimate sources, including Cybersecurity Ventures↗🔗 webCybersecurity Ventures projectsTangentially relevant to AI safety as AI systems increasingly intersect with cybersecurity; useful for understanding the threat environment in which AI-enabled or AI-targeted attacks may occur, but not directly focused on AI alignment or safety.The Cybersecurity Almanac 2025 by Cybersecurity Ventures compiles key statistics, forecasts, and trends in global cybersecurity, including projections on cybercrime costs, workf...cybersecuritygovernancecritical-infrastructurepolicy+3Source ↗ and the FBI IC3 2024 Internet Crime Report↗🏛️ governmentFBI IC3 2024 Internet Crime ReportThis official FBI report provides empirical baseline data on real-world harms from cyber-enabled fraud, including AI-assisted scams; relevant to AI governance and deployment risk discussions as evidence of societal impact from misuse of AI tools.The FBI's Internet Crime Complaint Center (IC3) 2024 Annual Report documents $16.6 billion in losses from cybercrime and cyber-enabled fraud in the United States, representing t...governancepolicydeploymentred-teaming+3Source ↗.
- Cyber Insurance Market Signals — revealed-preference evidence from premiums, exclusions, reinsurance, and cyber catastrophe bonds.
- Catastrophic Cyber Tail Risk — catalog of systemic single points of failure.
- Seeded cyber incident entities, including NotPetya, WannaCry, SolarWinds, Colonial Pipeline, CDK Global, Change Healthcare, and the Anthropic-disclosed 2025 AI-orchestrated espionage campaign↗🔗 web★★★★☆Anthropicfirst documented AI-orchestrated cyberattackA landmark real-world incident report from Anthropic documenting the first known AI-orchestrated espionage campaign, directly relevant to agentic AI risks, deployment safety, and the intersection of AI capabilities with national security threats.Anthropic reports detecting a sophisticated September 2025 espionage campaign in which a suspected Chinese state-sponsored group weaponized Claude Code as an autonomous agent to...cybersecuritycapabilitiesdeploymentred-teaming+6Source ↗.
Bottom line
P(aggregate AI-enabled cyber damage in some single year through 2035 exceeds 10% of global GDP) ≈ 5-20%, low-to-medium confidence, under a "substantial AI contribution" and economically meaningful damage reading.
This is aggregate damage in a single year — the sum of all AI-attributable cyber events that year — not a single discrete event. The single-event variant is much lower: see line 4 of the calibration table below. For comparison, P(non-AI cyber damage in a single year > 10% of global GDP through 2035) is plausibly 2-7% under the same accounting method — i.e., AI uplift roughly doubles the tail, with most of the difference coming from mid-tier-actor scaling and faster offense-defense iteration rather than from new singular catastrophes.
The lower end corresponds to a world where AI mostly increases the volume and sophistication of existing attacks, while defense at hyperscalers, identity providers, endpoint vendors, and major software platforms scales in parallel. The upper end corresponds to a world where AI materially lowers the floor for mid-tier state and criminal actors, attribution erodes deterrence, and at least one systemic chokepoint (payments, cloud, industrial control, OS/browser monoculture) suffers a multi-week disruption or data-integrity failure.
This headline hides the biggest crux: what counts as damage, and what counts as AI-enabled? Under a broad Cybersecurity Ventures↗🔗 webCybersecurity Ventures projectsTangentially relevant to AI safety as AI systems increasingly intersect with cybersecurity; useful for understanding the threat environment in which AI-enabled or AI-targeted attacks may occur, but not directly focused on AI alignment or safety.The Cybersecurity Almanac 2025 by Cybersecurity Ventures compiles key statistics, forecasts, and trends in global cybersecurity, including projections on cybercrime costs, workf...cybersecuritygovernancecritical-infrastructurepolicy+3Source ↗-style accounting method, total cybercrime cost is already near $10T/year before the AI-attribution question is asked. Under a narrower direct-loss-plus-business-interruption method, $10T before 2030 requires either a major geopolitical/cascade scenario or extremely rapid AI-driven acceleration.
Two nearer-term estimates are useful for calibration:
| Threshold | Illustrative estimate | Why this threshold matters |
|---|---|---|
| Single cyber event causing >$500B by end-2028 | ≈8-15% | Roughly 50x NotPetya; large enough to be a global macro event but below the 10% GDP threshold |
| Cumulative incremental AI-cyber damage >$5T by 2030 | ≈2-5% | Captures multi-year acceleration from AI without requiring one mega-event |
| AI-attributable cyber damage >$10T in a year before 2030, broad cost method but substantial AI attribution | ≈7-10% | Mostly a definition-and-attribution question, not a pure catastrophe question |
| Single-year AI-cyber damage >10% of global GDP by 2035 | ≈5-20% | Main "catastrophic economic disruption" threshold used by this page |
These are judgmental synthesis estimates, not outputs of an actuarial model. They are meant to keep the page honest about scale: a $100B-$1T cyber event is much more plausible than a $10T+ cyber event, and arguments that address one threshold often do not address the other.
The four rows are not independent and their probabilities should not be summed. Most paths to row 4 (10% GDP in a single year) run through row 1 (a $500B warning shot) plus continued AI-driven scaling — i.e., the headline interval mostly compounds row 1 with a sustained acceleration in baseline cybercrime. The single-event analogue of row 4 is row 4 in the definitional table below: P(single discrete cyber event >$10T in one year before 2030) ≈ 1-5%. The gap between that single-event number and the 5-20% aggregate headline is meant to capture the cumulative-from-many-events path — many $10B-$100B incidents in one year summing to >10% of GDP — which dominates the upper half of the headline interval.
How the numbers are calibrated
The estimates above use a simple anchor-and-adjust method rather than a formal Monte Carlo model. The anchors are:
| Anchor | Implication for this page |
|---|---|
| Observed incident record: NotPetya, WannaCry, Change Healthcare, CDK, MOVEit, and the CrowdStrike outage analogue are mostly $1B-$10B-class events, with NotPetya as the canonical destructive state-backed case.123 | A $500B event requires roughly a 50x jump from the strongest destructive precedent; a $10T event requires roughly a 1000x jump |
| Lloyd's/Cambridge payments scenario estimates trillion-scale five-year GDP losses, including a $16T extreme scenario spread over multiple years.4 | Trillion-scale cyber cascades are model-plausible, but a $10T single-year loss should be below the probability of the published multi-year extreme scenario |
| Insurance and ILS markets are adding capacity and cyber cat-bond issuance, while still treating systemic cyber as a difficult accumulation risk.567 | Market behavior is inconsistent with a high near-term probability of insured cyber-trillion events, but weak evidence about uninsured wartime/state-scale losses |
| Government, AI-lab, and academic evidence shows clear AI uplift in cyber tasks, but strongest evidence is still bounded tasks, known-vulnerability exploitation, social engineering, and one documented AI-orchestrated espionage campaign.891011 | AI raises the hazard, especially for $100B-$500B events, but current public evidence does not justify treating $10T+ autonomous cyber loss as the central near-term case |
The rough calculation is therefore: start from a low single-event cyber-catastrophe base rate implied by historical incidents and Lloyd's/Cambridge-style scenario modeling; increase it for AI capability progress, state-crisis risk, and ordinary cybercrime acceleration; decrease it for defender telemetry, patch/revocation advantages, attacker monetization bottlenecks, and insurance-market revealed preference. For the 2035 headline, that yields a broad 5-20% interval rather than a point estimate: the lower half comes from ordinary extrapolation plus one or two $100B-$500B warning-shot events, while the upper half requires a state-crisis or infrastructure-cascade branch. For the before-2030 definitional estimates, the range is dominated by the damage methodology and AI-attribution standard, so this page reports separate rows instead of averaging incompatible definitions.
Definitional crux
The same world can look like "threshold already met" or "threshold is extremely unlikely" depending on methodology. This page therefore separates three questions:
| Question | Approximate answer before 2030 | Interpretation |
|---|---|---|
| Any AI involvement + broad all-in cost accounting | High, plausibly 35-60%+ | If AI-generated phishing, AI-assisted coding, or AI-assisted targeting counts, then the question mostly becomes whether AI is now in the cyber kill chain at scale |
| Substantial AI contribution + broad all-in cost accounting | ≈7-10% | Best match for "AI-enabled" as a counterfactual contributor while still using Cybersecurity Ventures-style cost scope |
| Substantial AI contribution + direct loss / business interruption only | <2% | Requires a large cascade, wartime state cyber operation, or multiple simultaneous systemic failures |
| Single discrete cyber event >$10T in one year | ≈1-5% before 2030 | Dominated by payments, cloud/identity, and state-crisis scenarios; Lloyd's/Cambridge-type scenarios are usually multi-year GDP-loss estimates, not one-year loss estimates |
The methodological spread is larger than the empirical spread. Cybersecurity Ventures-style estimates include productivity, IP theft, reputational harm, legal costs, recovery, and defensive spending. Academic and bottom-up methods generally treat some of those categories as indirect, double-counted, or not equivalent to lost output.1213 For policy, both views matter: broad cost accounting tracks total burden, while narrow accounting is closer to "catastrophic economic damage."
What existing literature says
The current literature is surprisingly aligned on the near-term direction but not on the catastrophic tail. Government and threat-intelligence reports mostly say AI will increase the frequency, speed, and intensity of cyber intrusions through 2027, especially reconnaissance, vulnerability research, exploit adaptation, social engineering, and processing stolen data. They generally do not say fully automated end-to-end catastrophic attacks are the central near-term case.8 AI-lab reports and academic papers are more worried about capability acceleration, but the empirical evidence still clusters around one-day exploitation, website hacking, CTF-style tasks, and a small number of real-world AI-orchestrated campaigns rather than $1T+ damage events.910111415
| Source family | Representative sources | What it supports | What it does not establish |
|---|---|---|---|
| Government cyber assessments | NCSC 2025 AI cyber threat assessment↗🏛️ government★★★★☆UK GovernmentImpact of AI on Cyber Threat from Now to 2027 – NCSC AssessmentThis NCSC assessment evaluates how AI will amplify cyber threats through 2027, relevant to AI safety as it addresses misuse risks, proliferation of offensive AI tools, and vulnerabilities in critical infrastructure from AI deployment.The UK National Cyber Security Centre assesses that AI will almost certainly increase the frequency and intensity of cyber intrusion operations by enhancing threat actors' recon...governancepolicycapabilitiesdeployment+4Source ↗ | AI almost certainly increases cyber threat frequency and intensity; VRED and known-vulnerability exploitation are central through 2027 | Fully automated end-to-end advanced attacks by 2027; 10% GDP loss probabilities |
| Offense-defense balance analysis | CSET 2025↗🔗 web★★★★☆CSET GeorgetownAnticipating AI's ImpactA 2025 CSET policy-analytical report relevant to AI safety practitioners concerned with dual-use AI capabilities, cyber threat landscapes, and governance of AI in national security contexts.This CSET report by Andrew Lohn (May 2025) analyzes how AI will reshape the cybersecurity offense-defense balance across five domains: digital ecosystem changes, environment har...cybersecuritycapabilitiespolicygovernance+4Source ↗, CNAS 2025↗🔗 web★★★★☆CNASTipping the Scales: How Emerging AI Capabilities Could Disrupt the Cyber Offense-Defense BalancePublished by the Center for a New American Security (CNAS), this report is relevant for researchers and policymakers examining dual-use AI risks, particularly how offensive AI capabilities intersect with national security and critical infrastructure protection.This CNAS report examines how advancing AI capabilities may shift the balance between cyber offense and defense, potentially giving attackers new advantages in exploiting vulner...cybersecuritygovernancepolicycapabilities+4Source ↗ | AI helps both sides; autonomy may later tilt toward offense if defenders fail to adapt | A single stable offense-defense coefficient |
| AI-lab capability and incident reports | OpenAI cyber-resilience update↗🔗 web★★★★☆OpenAIStrengthening Cyber Resilience as AI Capabilities AdvanceOpenAI's December 2025 post outlines their approach to managing rapidly advancing AI cybersecurity capabilities, including safeguards for models approaching 'High' capability levels (zero-day exploits, enterprise intrusion), relevant to AI safety's dual-use risk management and deployment safety.OpenAI describes how their models' cybersecurity capabilities have rapidly improved (27% to 76% on CTF benchmarks from August to November 2025) and outlines a defense-in-depth s...ai-safetycapabilitiesdeploymentred-teaming+6Source ↗, Anthropic espionage disclosure↗🔗 web★★★★☆Anthropicfirst documented AI-orchestrated cyberattackA landmark real-world incident report from Anthropic documenting the first known AI-orchestrated espionage campaign, directly relevant to agentic AI risks, deployment safety, and the intersection of AI capabilities with national security threats.Anthropic reports detecting a sophisticated September 2025 espionage campaign in which a suspected Chinese state-sponsored group weaponized Claude Code as an autonomous agent to...cybersecuritycapabilitiesdeploymentred-teaming+6Source ↗ | Cyber capabilities are rising quickly; real-world agentic misuse has occurred | That agentic misuse already reliably defeats hardened targets or creates macroeconomic damage |
| Threat-intelligence reporting | Google Threat Intelligence 2025↗🔗 webGTIG AI Threat Tracker: Advances in Threat Actor Usage of AI ToolsGoogle Threat Intelligence Group's 2025 report documents the first observed use of LLMs embedded within malware during execution, representing a significant escalation in AI misuse by state-sponsored and criminal threat actors relevant to AI safety and deployment risks.Google Threat Intelligence Group (GTIG) identifies a new phase of AI misuse where adversaries deploy 'just-in-time' AI-enabled malware (e.g., PROMPTFLUX, PROMPTSTEAL) that dynam...ai-safetydeploymentred-teamingcapabilities+4Source ↗ | State and criminal actors are incorporating AI across the attack lifecycle; novel AI-enabled malware has appeared | That novel AI malware is mature, widespread, or independently catastrophic |
| Academic cyber-agent papers | LLM agents can hack websites↗🔗 webhuggingface.coSource ↗, LLM agents can exploit one-day vulnerabilities↗🔗 webhuggingface.coSource ↗, teams of LLM agents and zero-days↗🔗 webhuggingface.coSource ↗, Google DeepMind evaluation framework↗📄 paper★★★☆☆arXivA Framework for Evaluating Emerging Cyberattack Capabilities of AIRelevant to AI safety researchers and policymakers concerned with dual-use risks; provides concrete evaluation methodology for tracking dangerous AI cyber capabilities as models become more capable.Mikel Rodriguez, Raluca Ada Popa, Four Flynn et al. (2025)27 citationsThis paper proposes a structured framework for assessing the offensive cybersecurity capabilities of AI systems, focusing on how to evaluate whether AI can assist in or autonomo...capabilitiesevaluationcybersecurityred-teaming+5Source ↗ | Frontier agents can perform meaningful offensive tasks in bounded environments | Robust real-world autonomous intrusion across heterogeneous enterprise environments |
| Insurance and catastrophe modeling | Munich Re 2025↗🔗 webCyber Insurance: Risks and Trends 2025 – Munich ReThis Munich Re industry report on cyber insurance risks and trends 2025 is relevant to AI safety as it documents systemic risks from software dependencies, AI-enabled cyber threats, and large-scale digital infrastructure vulnerabilities that intersect with AI deployment safety concerns.Munich Re's 2025 cyber risk report analyzes the evolving cyber threat landscape, projecting the global cyber insurance market to reach USD 16.3bn. It highlights major loss drive...governancedeploymentpolicycoordination+2Source ↗, Howden 2025↗🔗 webwww.howdengroup.comSource ↗, RAND catastrophic cyber insurance↗🔗 web★★★★☆RAND CorporationInsuring Catastrophic Cyber Risk | RANDSource ↗ | Systemic cyber and protection gaps are real; markets model tens-of-billions accumulation scenarios and worry about war/infrastructure exclusions | Market pricing of uninsured wartime or sovereign-scale cyber losses |
| Systemic cyber scenario modeling | Lloyd's/Cambridge payments-system scenario↗🔗 webLloyd's Systemic Risk Scenario: Global Economy Exposed to $3.5trn from Major Cyber AttackThis Lloyd's press release models systemic cyber risk from a major financial payments system attack, estimating $3.5trn in global losses. Relevant to AI safety as AI systems increasingly manage critical infrastructure, amplifying potential cascading failures from cyber attacks.Lloyd's of London, in partnership with the Cambridge Centre for Risk Studies, published a systemic risk scenario modeling the global economic impact of a hypothetical cyber atta...governancepolicyexistential-riskdeployment+2Source ↗ | A major payments-system cyberattack could plausibly impose trillions in five-year GDP losses | That $10T single-year cyber loss is a central case |
| Autonomous-cyber policy analysis | IAPS autonomous cyber attacks↗🔗 web★★★★☆Institute for AI Policy and StrategyThe Emergence of Autonomous Cyber Attacks: Analysis and Implications — Institute for AI Policy and StrategySource ↗ | Agentic cyber could let capable actors run more continuous operations and scale across targets | That current agents bypass robust controls rather than exploiting existing gaps |
The strongest update from this literature is not "catastrophe is likely." It is that the relevant threshold question should be decomposed by attack stage and actor type. The strongest evidence for near-term AI uplift is in vulnerability discovery/exploit development, social engineering, reconnaissance, and malware/tooling iteration. The evidence is weaker for reliable persistence, operational coordination across many heterogeneous targets, OT impact, and recovery denial. That pattern supports a higher probability of $100B-$500B events than of 10% global-GDP events.
Actor taxonomy
Cyber risk is easy to overstate when "attackers" are treated as one category. Capability, motivation, risk tolerance, and AI uplift differ sharply by actor type.
| Actor type | Current motivation | AI uplift | Catastrophic pathway | Main constraint |
|---|---|---|---|---|
| Major state actors | Espionage, coercion, wartime disruption, pre-positioning | Strong: faster recon, exploit development, translation across toolchains, operator leverage | Wartime or crisis cyber operation against payments, telecoms, ports, energy, or cloud | Escalation risk; attribution; need for access prepared before crisis |
| State proxies and contractors | Plausible deniability, regional conflict, intelligence support | Strong if supplied with frontier tools and scaffolding | Lower-attribution destructive action during geopolitical crisis | Command-and-control discipline; capability leakage |
| Ransomware and cybercrime groups | Money, extortion, resale of access | High for phishing, vulnerability triage, malware adaptation, victim negotiation | Ransomware-at-scale against many trailing-edge organizations or a shared service provider | Monetization bottleneck; desire not to destroy paying victims |
| North Korea-style revenue teams | Money plus state objectives | High: AI lowers labor needs for intrusion and laundering workflows | Large theft or destructive action if crisis incentives change | Access to frontier tools; sanctions pressure; operational security |
| Hacktivists and ideological actors | Signaling, disruption, retaliation | Medium: AI helps targeting and social engineering more than deep exploitation | DDoS, leaks, or destructive use of leaked tools against vulnerable infrastructure | Usually lack persistence, stealth, and OT expertise |
| Insiders | Personal grievance, coercion, espionage | Medium: AI can help find abuse paths and automate exfiltration | Compromise of privileged cloud, identity, or model-weight infrastructure | Monitoring, separation of duties, limited blast radius |
| Lone actors | Status, ideology, curiosity, crime | Medium locally, lower for systemic harm | Opportunistic exploitation of widely deployed zero-days | Operational complexity; lack of infrastructure and patience |
| Autonomous/agentic systems | Instrumental subgoal or delegated objective | Speculative but potentially high | Machine-speed exploitation and persistence if connected to tools and credentials | Current agents remain brittle; human approval and sandboxing matter |
The most relevant near-term threat model is not "a teenager gets superpowers." It is a mid-tier state, state-backed team, or professional criminal group using frontier or near-frontier AI to do more of what capable operators already do. That matters because the baseline actor already has infrastructure, targeting discipline, and post-exploitation experience.
Scenario decomposition
The right probability estimate depends heavily on the scenario. Arguments that are strong against one scenario can be weak against another. The key pattern is that the most likely pathways are usually not the highest single-year-damage pathways.
| Scenario | Damage scale | Near-term likelihood | Why it could happen | Why it may be bounded |
|---|---|---|---|---|
| Wartime state cyber disruption | $50B-$1T+ | Medium | NotPetya↗🔗 web★★★☆☆WIREDThe Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIREDThis investigative piece documents the NotPetya cyberattack of 2017, a state-sponsored Russian cyberweapon that caused ~$10B in global damage. It illustrates catastrophic risks from offensive cyber capabilities, systemic infrastructure vulnerabilities, and how AI-enabled or state-sponsored cyberattacks could cause civilizational-scale disruption.This WIRED longform investigation details the 2017 NotPetya cyberattack, a Russian state-sponsored malware disguised as ransomware that devastated global infrastructure includin...governanceexistential-riskdeploymentcoordination+3Source ↗ showed destructive state action can spill globally; Volt Typhoon-style pre-positioning is explicitly worrying for crisis scenarios16 | States usually avoid uncontrolled escalation; access must be prepared and maintained |
| Criminal ransomware-at-scale | $50B-$500B | Medium-high | AI lowers phishing, triage, exploit adaptation, and negotiation costs; Munich Re expects AI to drive ransomware scale, speed, and precision17 | Criminals usually want payment, not maximum real-world destruction |
| AI-agentic end-to-end intrusion | $10B-$500B initially; larger if it scales | Medium | Anthropic reported AI performing most tactical steps↗🔗 web★★★★☆Anthropicfirst documented AI-orchestrated cyberattackA landmark real-world incident report from Anthropic documenting the first known AI-orchestrated espionage campaign, directly relevant to agentic AI risks, deployment safety, and the intersection of AI capabilities with national security threats.Anthropic reports detecting a sophisticated September 2025 espionage campaign in which a suspected Chinese state-sponsored group weaponized Claude Code as an autonomous agent to...cybersecuritycapabilitiesdeploymentred-teaming+6Source ↗ in a 2025 espionage campaign; agents can operate at machine speed | Current bottlenecks are target validation, persistence, and human supervision |
| Infrastructure cascade through payments, cloud, or identity | $500B-$10T | Low-medium | These systems are highly coupled to the real economy; data-integrity failures are harder to recover from than outages | Major operators have exceptional telemetry, redundancy, and incident-response capacity |
| Supply-chain or platform monoculture | $100B-$2T | Low-medium | CrowdStrike showed how one trusted software channel can disrupt millions of machines; AI may help find or weaponize shared dependencies3 | Vendor concentration also gives defenders central patch and revocation powers |
| Model-weight or AI data-center compromise | $20B-$500B | Medium | Frontier weights, training clusters, and AI supply chains are high-value targets | Direct GDP damage is usually indirect unless the compromise enables broader attacks |
| Ordinary cybercrime acceleration | $100B-$5T cumulative | High | AI improves social engineering and scales low-skill attacks | Much of the measured "cost" is transfers, defensive spending, and friction rather than net destruction |
Why ordinary extrapolation probably does not reach 10% of GDP
The first question is whether ordinary cyber damage can simply grow into catastrophe. The answer is probably no, unless one accepts the broadest cybercrime-cost estimates as direct GDP losses.
P(annual baseline >10% GDP without a catastrophic single event) ≈ 1-3% by 2030, rising to 3-8% by 2035.
Reasoning:
- The methodology-credible upper bound for current annual damage is Cybersecurity Ventures' top-down forecast↗🔗 webCybersecurity Ventures projectsTangentially relevant to AI safety as AI systems increasingly intersect with cybersecurity; useful for understanding the threat environment in which AI-enabled or AI-targeted attacks may occur, but not directly focused on AI alignment or safety.The Cybersecurity Almanac 2025 by Cybersecurity Ventures compiles key statistics, forecasts, and trends in global cybersecurity, including projections on cybercrime costs, workf...cybersecuritygovernancecritical-infrastructurepolicy+3Source ↗: $10.5T/yr in 2025, or roughly 9.5% of world GDP.18 On that broad definition, total cyber damage is already at or near the threshold, so the relevant question becomes "what fraction is substantially AI-enabled?" rather than "can cyber damage ever reach $10T?" But that figure includes productivity loss, IP theft, reputational harm, legal costs, and other indirect categories that are not the same thing as direct destruction of economic output. AI Cyber Damage Estimates explains why Anderson, Romanosky, FBI IC3, IBM, Munich Re, and Cybersecurity Ventures are measuring different objects.1213
- Complaint registries and documented incident datasets put directly observed losses far lower. FBI IC3 reported $16.6B in US losses in 2024↗🏛️ governmentFBI IC3 2024 Internet Crime ReportThis official FBI report provides empirical baseline data on real-world harms from cyber-enabled fraud, including AI-assisted scams; relevant to AI governance and deployment risk discussions as evidence of societal impact from misuse of AI tools.The FBI's Internet Crime Complaint Center (IC3) 2024 Annual Report documents $16.6 billion in losses from cybercrime and cyber-enabled fraud in the United States, representing t...governancepolicydeploymentred-teaming+3Source ↗; Romanosky's empirical work found documented losses in the single-digit billions annually for the period studied.13 These are undercounts, but the gap between documented losses and 10% of world GDP is enormous.
- AI helps attackers with volume, personalization, and automation, but the 2025 Anthropic-disclosed campaign↗🔗 web★★★★☆Anthropicfirst documented AI-orchestrated cyberattackA landmark real-world incident report from Anthropic documenting the first known AI-orchestrated espionage campaign, directly relevant to agentic AI risks, deployment safety, and the intersection of AI capabilities with national security threats.Anthropic reports detecting a sophisticated September 2025 espionage campaign in which a suspected Chinese state-sponsored group weaponized Claude Code as an autonomous agent to...cybersecuritycapabilitiesdeploymentred-teaming+6Source ↗ still involved about 30 targets and a small number of confirmed breaches despite high tactical automation. That points to bottlenecks in target validation, access maintenance, privilege escalation, and monetization rather than raw request speed.
- NCSC's 2025 assessment is a useful check on extrapolation: it expects increased volume and impact through 2027, but says fully automated end-to-end advanced cyber attacks are unlikely by 2027 and skilled actors will need to remain in the loop.8
- A large fraction of cybercrime is redistributive: stolen money, extortion payments, and fraud are transfers plus friction costs. Transfers can still be socially costly, but they do not scale like destroyed factories, lost energy generation, or multi-week payment-system failure.
The main exception is a world where AI drives a sustained increase in successful attacks faster than defenders can adapt for many years. That is plausible enough to matter, but it is different from a one-off catastrophic cyber event.
Single-event catastrophic risk
P(single cyber event exceeds 10% of global GDP in any year through 2035) ≈ 5-15%.
This probability is dominated by cascade scenarios. Catastrophic Cyber Tail Risk identifies the systems where single-event losses could plausibly reach the $1T scale: payment systems, hyperscaler cloud, industrial control systems, DNS/certificate authorities, major SaaS dependencies, OS/browser monoculture, and concentrated AI compute infrastructure.
Of those, payment systems are the clearest candidate for the 10% GDP threshold. A multi-day disruption of SWIFT, Fedwire, card networks, or settlement infrastructure could freeze payment flows and create rapid supply-chain effects. Cloud, ICS, and OS/browser monoculture can reach $1T+ in aggressive scenarios, but crossing 10% of global GDP generally requires above-aggressive assumptions: multi-week disruption, simultaneous multi-target compromise, and data corruption rather than mere unavailability.
The most useful public systemic-cyber model is Lloyd's and Cambridge Centre for Risk Studies' payments-system scenario.4 It estimates $3.5T in global economic loss as a probability-weighted five-year figure across severity levels, with a range from about $2.2T to $16T over five years. That is strong evidence that trillion-scale cyber cascades are model-plausible. It is weaker evidence for a $10T single-year loss, because even the extreme scenario is expressed as a multi-year GDP-loss path rather than one calendar-year shock.
The historical base rate pushes down hard. The largest known single cyber incidents are orders of magnitude smaller:
- NotPetya↗🔗 web★★★☆☆WIREDThe Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIREDThis investigative piece documents the NotPetya cyberattack of 2017, a state-sponsored Russian cyberweapon that caused ~$10B in global damage. It illustrates catastrophic risks from offensive cyber capabilities, systemic infrastructure vulnerabilities, and how AI-enabled or state-sponsored cyberattacks could cause civilizational-scale disruption.This WIRED longform investigation details the 2017 NotPetya cyberattack, a Russian state-sponsored malware disguised as ransomware that devastated global infrastructure includin...governanceexistential-riskdeploymentcoordination+3Source ↗ is the canonical destructive state-backed incident, commonly estimated around $10B in global damage.
- SolarWinds generated enormous remediation concern, but the largest $100B figures were forward-looking cleanup projections, not realized direct damage.19
- Change Healthcare caused major US healthcare disruption and billions in direct cost to UnitedHealth, but it was still far below global macro-catastrophe scale.2
- CrowdStrike was not a cyberattack, but it is useful as an outage analogue: a trusted software update disrupted millions of Windows machines and still produced losses in the low billions rather than trillions.3
The lesson is not that a $1T cyber event is impossible. It is that the jump from the observed record to 10% of global GDP is very large, and it requires cascade mechanics that ordinary breach/ransomware analogies do not supply.
The skeptical case
The strongest argument against high near-term cyber-catastrophe probability is not "stocks are fine." It is a bundle of empirical and structural claims.
| Argument | Why it lowers the estimate | Main caveat |
|---|---|---|
| Cyber doom predictions have a poor base rate | "Cyber Pearl Harbor" and similar warnings have recurred for decades without civilization-scale events20 | Base-rate arguments fail when a genuinely new capability changes the regime |
| Market signals are not screaming catastrophe | Cyber rates hardened in 2020-2022 but softened afterward; reinsurers and cat-bond investors have added cyber capacity rather than exiting5 | Insurance markets exclude state/war risks and may not price uninsured systemic losses |
| Big Tech defense has structural advantages | Cloud, OS, browser, identity, and endpoint vendors have telemetry from billions of devices and can patch/revoke centrally | Trailing-edge organizations do not share these advantages |
| Most cybercrime is not real-economy destruction | Fraud, extortion, and theft impose costs but are often transfers plus response friction | The exceptions are destructive state operations and infrastructure disruption |
| Catastrophic operations are operationally hard | Taking down "the grid" or global payments is many coordinated attacks, not one exploit | AI may reduce recon/exploit labor while leaving integration and persistence hard |
| Attackers often lack motivation for maximum harm | Criminals want money; states often want intelligence, coercion, or reversible options | War, crisis, or miscalculation can change incentives quickly |
| Defense also gets AI | Detection, triage, reverse engineering, patch generation, and SOC workflows can all improve | Defense must be adopted and integrated; benefits are unevenly distributed |
The market-signal point is especially important. Cyber Insurance Market Signals shows a market that treats correlated cyber tail risk as difficult or impossible to insure under ordinary terms, but not one that is rapidly withdrawing from all cyber exposure. As of the 2024-2026 data on that page, premiums and reinsurance capacity continued to grow while rates softened from the 2022 peak.5 Gallagher Re reported a 32% risk-adjusted rate decline for cyber aggregate excess-of-loss reinsurance at the January 1, 2026 renewals, attributing it to excess capacity and improved terms.6 Cyber catastrophe bonds remain small relative to natural-catastrophe ILS, but issuance has continued rather than frozen.7 That is stronger evidence than broad equity-market performance, because insurers and reinsurers are explicitly writing checks against cyber losses.
The worried case
The strongest case for concern is also concrete. It does not require assuming lone actors obtain magical capabilities.
| Argument | Why it raises the estimate | Main caveat |
|---|---|---|
| NotPetya proves destructive state cyber is real | A state operation caused global spillover and roughly $10B damage1 | Still 50-1000x below the thresholds that dominate this page |
| Pre-positioning changes crisis risk | Volt Typhoon-style access in critical infrastructure looks designed for future disruption, not immediate theft16 | Some pre-positioning is detected before use, and use carries escalation risk; detection rates against well-resourced state campaigns remain unclear |
| AI lowers the floor for mid-tier actors | North Korea-style, Iran-style, and proxy teams can automate work that used to require more elite staff | Frontier models and scaffolding may be restricted or monitored |
| Offense scales naturally in some stages | Recon, phishing, vulnerability triage, exploit adaptation, and credential attacks can be automated; Google observed state and criminal misuse across the attack lifecycle in 202521 | Post-exploitation persistence and reliable impact remain harder |
| Attribution may erode deterrence | AI-generated tooling and less distinctive tradecraft can blur actor signatures | States still leave infrastructure, targeting, and intelligence traces |
| Trailing-edge defenders are exposed | Legacy systems, thin security teams, and underpatched infrastructure may not benefit from defensive AI quickly | Catastrophic global damage usually requires more than weak small organizations |
| AI systems become new attack surfaces | Model weights, data centers, tool-using agents, and AI SOC systems are valuable targets | Direct damage is often indirect unless compromise enables broader operations |
| Capability discontinuity | Autonomous AI R&D or scaling could compress the offense-defense iteration cycle faster than defenders can adopt — OpenAI reported its CTF cyber-eval rising from 27% to 76% in three months in 20259 | Single eval results don't generalize to enterprise-realistic intrusion; defenders also benefit from frontier models |
This case implies a specific threat model: capable state or state-backed teams using AI to multiply operator output during a geopolitical crisis, or professional criminal groups using AI to scale attacks against weakly defended shared service providers. It does not imply that every AI-assisted phishing campaign is a global catastrophe precursor.
Offense-defense balance
The offense-defense balance is not one number. AI helps different sides at different stages. CSET's 2025 analysis is a useful anchor: it argues that AI can help both sides and that the net balance depends on whether defenders use AI to automate hardening, monitoring, and response faster than attackers use it to automate exploitation.22 CNAS reaches a more offense-worried version of the same conclusion: it argues that past AI has on net helped defenders more than attackers — a contested claim, since 2024-2026 threat-intelligence reporting documents AI uplift across the attack lifecycle — but that future autonomous systems could tip the balance toward attackers if policy and defensive investment lag.2321
| Attack stage | AI effect on offense | AI effect on defense | Net concern |
|---|---|---|---|
| Reconnaissance | Strong automation of target profiling and scanning | Stronger asset discovery and exposure management | Depends on adoption speed |
| Social engineering | Strong uplift in personalization and language quality | Better detection of campaigns and anomalous workflows | Offense-favoring for weak orgs |
| Vulnerability discovery | Faster triage and exploit prototyping | Faster code review, fuzzing, patch drafting | Unclear; frontier-dependent |
| Exploitation | Potentially large if agents become reliable | Better EDR, sandboxing, and behavior detection | High uncertainty |
| Persistence and lateral movement | AI can plan and adapt playbooks | AI can correlate telemetry and contain faster | Context-dependent |
| Data destruction / physical impact | AI can help operate unfamiliar systems | Segmentation, backups, manual controls still matter | Hard but high impact |
| Recovery | Limited attacker relevance | Strong benefit from automated forensics and restoration | Defense-favoring |
Well-resourced defenders have advantages that the offense narrative often underweights: central telemetry, update channels, credential revocation, incident-response teams, and the ability to deploy ML defenses continuously. But these advantages are concentrated. The median hospital, municipality, school district, small manufacturer, or regional utility is not Microsoft, Google, Amazon, Cloudflare, or CrowdStrike. Work on "uplifted attackers, human defenders" highlights exactly this trailing-edge-organization concern.24
Cruxes
| Crux | If true | If false |
|---|---|---|
| AI offense multiplier is modest (≈2x rather than 10x+) | Estimates stay near the low end | Sustained damage and single-event probabilities rise materially |
| Defense scales faster at major chokepoints | Hyperscaler, identity, OS, browser, and payment-system cascades become less likely | Shared-platform cascade becomes the dominant tail |
| State conflict stays below major-war thresholds | Destructive cyber remains rare and mostly bounded | Wartime cyber and pre-positioned access dominate near-term risk |
| Criminal incentives remain monetary | Ransomware remains expensive nuisance, not maximal destruction | Criminal/proxy lines blur and destructive attacks become more plausible |
| Attribution remains good enough for deterrence | States hesitate to cause large civilian disruption | AI-enabled ambiguity increases crisis instability |
| Largest plausible single-event loss today is $100B-$500B | 10% GDP remains a low-probability tail | Demonstrated $1T+ warning shot updates the whole page upward |
| Cyber insurance markets are informative | Soft pricing and capacity growth are evidence against near-term catastrophe | Exclusions and protection gaps hide the real tail |
What would update this estimate
| Signal | Update upward | Update downward |
|---|---|---|
| Cyber cat bonds and ILS | Spreads widen sharply, issuance stalls, investors demand much higher compensation for systemic cyber tranches | Cyber ILS grows while spreads compress and modeled losses remain stable |
| Reinsurance capacity | Major reinsurers reduce cyber appetite or withdraw systemic cover | Munich Re / Swiss Re / Lloyd's-market capacity grows with tighter but workable terms |
| Warning-shot events | A single AI-linked event causes >$100B damage or sustained multi-sector outage | AI-linked incidents remain espionage-heavy and operationally contained |
| Agentic capability | Publicly credible agents achieve end-to-end intrusion against hardened targets without human handholding | Agents remain brittle outside CTF/lab environments |
| State pre-positioning | Volt Typhoon-style access shifts from persistence to actual disruption | Access is repeatedly detected, removed, and deterred before use |
| Defensive AI | SOC automation fails under machine-speed campaigns | AI defense demonstrably reduces dwell time, phishing success, and exploit impact |
| Baseline damage estimates | Cybersecurity Ventures-style broad aggregates become methodologically accepted and continue rising | Broad estimates are revised downward; FBI/claims/incident datasets flatten |
Policy implications
The best interventions follow from the scenario decomposition:
- Protect systemic chokepoints. Payment systems, cloud control planes, identity providers, DNS/CAs, and OT vendors matter more for catastrophe than ordinary endpoint hygiene.
- Invest in defensive AI where telemetry is centralized. The biggest defense leverage is at hyperscalers, endpoint vendors, identity providers, and managed security providers.
- Harden trailing-edge critical infrastructure. AI widens the gap between attackers and weak defenders unless hospitals, utilities, local governments, and small manufacturers get usable security help.
- Track market signals. Cyber cat-bond pricing, reinsurance capacity, exclusions, and systemic-event modeling are among the cleanest revealed-preference indicators.
- Treat state-crisis scenarios separately from crime. Ransomware policy and wartime cyber deterrence are different problems.
- Require incident reporting for AI-orchestrated cyber operations. The important evidence is not generic AI misuse but end-to-end autonomy, target quality, persistence, and realized damage.
Limitations
- The estimates are illustrative. They are calibrated judgments based on the linked pages, not actuarial model outputs.
- The 10% GDP threshold is arbitrary. A $500B event would be historically enormous even though it is far below 10% of global GDP.
- Economic loss accounting is messy. Transfers, defensive spending, downtime, reputational harm, and lost output should not be collapsed into one number without caveats.
- The tail is sparse. One genuinely catastrophic event would dominate the historical record and update many priors at once.
- AI capability is moving. Frontier cyber evaluations, agent reliability, tool access, and defensive adoption can change quickly.
- Cyber and geopolitics are coupled. The probability of destructive cyber depends heavily on Taiwan, Russia/NATO, Iran, North Korea, and other crisis pathways outside the cyber domain.
Conclusions
The best current synthesis is neither "AI cyber catastrophe is imminent" nor "cyber is just expensive nuisance." Ordinary cybercrime probably does not scale linearly to 10% of global GDP. The worrying scenarios are narrower: destructive state action during crisis, AI-multiplied mid-tier actors, and cascading failure in a few highly coupled systems.
For near-term policy, the practical question is less "will AI cause cyber doom?" and more "which chokepoints would make a $100B-$1T warning shot possible, and are markets, governments, and platform defenders behaving as if that tail is getting worse?" On present evidence, the tail is real enough to monitor and reduce, but the strongest market, base-rate, and operational-complexity arguments push against very high near-term probabilities.
Sources & Resources
The main synthesis pages are:
- AI Cyber Damage Estimates
- Cyber Insurance Market Signals
- Catastrophic Cyber Tail Risk
- Cyberweapons (E86), E87, E88
Key direct sources:
| Topic | Source | Role in this page |
|---|---|---|
| Broad cybercrime-cost upper bound | Cybersecurity Ventures Cybersecurity Almanac 2025↗🔗 webCybersecurity Ventures projectsTangentially relevant to AI safety as AI systems increasingly intersect with cybersecurity; useful for understanding the threat environment in which AI-enabled or AI-targeted attacks may occur, but not directly focused on AI alignment or safety.The Cybersecurity Almanac 2025 by Cybersecurity Ventures compiles key statistics, forecasts, and trends in global cybersecurity, including projections on cybercrime costs, workf...cybersecuritygovernancecritical-infrastructurepolicy+3Source ↗ | Upper-bound industry forecast; useful but very broad |
| Reported US cybercrime floor | FBI IC3 2024 Internet Crime Report↗🏛️ governmentFBI IC3 2024 Internet Crime ReportThis official FBI report provides empirical baseline data on real-world harms from cyber-enabled fraud, including AI-assisted scams; relevant to AI governance and deployment risk discussions as evidence of societal impact from misuse of AI tools.The FBI's Internet Crime Complaint Center (IC3) 2024 Annual Report documents $16.6 billion in losses from cybercrime and cyber-enabled fraud in the United States, representing t...governancepolicydeploymentred-teaming+3Source ↗ | Complaint-registry lower bound |
| Historical destructive incident | WIRED NotPetya investigation↗🔗 web★★★☆☆WIREDThe Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIREDThis investigative piece documents the NotPetya cyberattack of 2017, a state-sponsored Russian cyberweapon that caused ~$10B in global damage. It illustrates catastrophic risks from offensive cyber capabilities, systemic infrastructure vulnerabilities, and how AI-enabled or state-sponsored cyberattacks could cause civilizational-scale disruption.This WIRED longform investigation details the 2017 NotPetya cyberattack, a Russian state-sponsored malware disguised as ransomware that devastated global infrastructure includin...governanceexistential-riskdeploymentcoordination+3Source ↗ | Canonical $10B-scale destructive state cyber case |
| Agentic AI cyber evidence | Anthropic AI-orchestrated cyberattack disclosure↗🔗 web★★★★☆Anthropicfirst documented AI-orchestrated cyberattackA landmark real-world incident report from Anthropic documenting the first known AI-orchestrated espionage campaign, directly relevant to agentic AI risks, deployment safety, and the intersection of AI capabilities with national security threats.Anthropic reports detecting a sophisticated September 2025 espionage campaign in which a suspected Chinese state-sponsored group weaponized Claude Code as an autonomous agent to...cybersecuritycapabilitiesdeploymentred-teaming+6Source ↗ | Evidence for AI tactical automation and remaining bottlenecks |
| Offense-defense balance | CSET, Anticipating AI's Impact↗🔗 web★★★★☆CSET GeorgetownAnticipating AI's ImpactA 2025 CSET policy-analytical report relevant to AI safety practitioners concerned with dual-use AI capabilities, cyber threat landscapes, and governance of AI in national security contexts.This CSET report by Andrew Lohn (May 2025) analyzes how AI will reshape the cybersecurity offense-defense balance across five domains: digital ecosystem changes, environment har...cybersecuritycapabilitiespolicygovernance+4Source ↗ | Framework for why AI helps both offense and defense |
| CrowdStrike outage analogue | Microsoft/CrowdStrike outage coverage↗🔗 webCrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft | The VergeSource ↗ and CrowdStrike remediation hub↗🔗 webFalcon Content Update Remediation and Guidance Hub | CrowdStrikeSource ↗ | Monoculture outage scale and operational analogy |
| Near-term government assessment | NCSC AI cyber threat to 2027↗🏛️ government★★★★☆UK GovernmentImpact of AI on Cyber Threat from Now to 2027 – NCSC AssessmentThis NCSC assessment evaluates how AI will amplify cyber threats through 2027, relevant to AI safety as it addresses misuse risks, proliferation of offensive AI tools, and vulnerabilities in critical infrastructure from AI deployment.The UK National Cyber Security Centre assesses that AI will almost certainly increase the frequency and intensity of cyber intrusion operations by enhancing threat actors' recon...governancepolicycapabilitiesdeployment+4Source ↗ | Probabilistic assessment of AI-enabled intrusion pathways |
| AI-lab cyber capability trend | OpenAI cyber-resilience update↗🔗 web★★★★☆OpenAIStrengthening Cyber Resilience as AI Capabilities AdvanceOpenAI's December 2025 post outlines their approach to managing rapidly advancing AI cybersecurity capabilities, including safeguards for models approaching 'High' capability levels (zero-day exploits, enterprise intrusion), relevant to AI safety's dual-use risk management and deployment safety.OpenAI describes how their models' cybersecurity capabilities have rapidly improved (27% to 76% on CTF benchmarks from August to November 2025) and outlines a defense-in-depth s...ai-safetycapabilitiesdeploymentred-teaming+6Source ↗ | Evidence that frontier cyber evaluations are moving quickly |
| Threat-intelligence observations | Google Threat Intelligence AI Threat Tracker↗🔗 webGTIG AI Threat Tracker: Advances in Threat Actor Usage of AI ToolsGoogle Threat Intelligence Group's 2025 report documents the first observed use of LLMs embedded within malware during execution, representing a significant escalation in AI misuse by state-sponsored and criminal threat actors relevant to AI safety and deployment risks.Google Threat Intelligence Group (GTIG) identifies a new phase of AI misuse where adversaries deploy 'just-in-time' AI-enabled malware (e.g., PROMPTFLUX, PROMPTSTEAL) that dynam...ai-safetydeploymentred-teamingcapabilities+4Source ↗ | Real-world state and criminal use of AI across the attack lifecycle |
| Insurance-market context | Munich Re Cyber Risks and Trends 2025↗🔗 webCyber Insurance: Risks and Trends 2025 – Munich ReThis Munich Re industry report on cyber insurance risks and trends 2025 is relevant to AI safety as it documents systemic risks from software dependencies, AI-enabled cyber threats, and large-scale digital infrastructure vulnerabilities that intersect with AI deployment safety concerns.Munich Re's 2025 cyber risk report analyzes the evolving cyber threat landscape, projecting the global cyber insurance market to reach USD 16.3bn. It highlights major loss drive...governancedeploymentpolicycoordination+2Source ↗, Howden Rebooting Growth 2025↗🔗 webwww.howdengroup.comSource ↗, RAND Insuring Catastrophic Cyber Risk↗🔗 web★★★★☆RAND CorporationInsuring Catastrophic Cyber Risk | RANDSource ↗ | Capacity, protection-gap, and catastrophic accumulation context |
| Systemic catastrophe modeling | Lloyd's/Cambridge payments-system cyber scenario↗🔗 webLloyd's Systemic Risk Scenario: Global Economy Exposed to $3.5trn from Major Cyber AttackThis Lloyd's press release models systemic cyber risk from a major financial payments system attack, estimating $3.5trn in global losses. Relevant to AI safety as AI systems increasingly manage critical infrastructure, amplifying potential cascading failures from cyber attacks.Lloyd's of London, in partnership with the Cambridge Centre for Risk Studies, published a systemic risk scenario modeling the global economic impact of a hypothetical cyber atta...governancepolicyexistential-riskdeployment+2Source ↗ | Best public anchor for multi-trillion GDP-loss cyber cascade scenarios |
| 2026 reinsurance pricing | Gallagher Re Cyber RAR Index 2026↗🔗 webGallagher Re Cyber Risk Adjusted Rating (RAR) Index: 2026 update | GallagherReSource ↗ and Beazley PoleStar Re 2026-1 cyber cat bond↗🔗 webBeazley Secures Largest Cyber Cat Bond So Far: PoleStar Re 2026-1 Priced at $300MThis article covers a $300M cyber catastrophe bond issuance by Beazley, relevant to AI safety insofar as it reflects growing financial market mechanisms for managing systemic cyber risk, which intersects with AI-driven cyber threats and infrastructure resilience.Beazley has priced the PoleStar Re Ltd. Series 2026-1 catastrophe bond at $300 million across three tranches, making it the largest cyber catastrophe bond ever issued. The deal ...governancedeploymentpolicycoordinationSource ↗ | Revealed-preference evidence from cyber aggregate reinsurance and ILS capacity |
| Autonomous-agent policy analysis | IAPS autonomous cyber attacks↗🔗 web★★★★☆Institute for AI Policy and StrategyThe Emergence of Autonomous Cyber Attacks: Analysis and Implications — Institute for AI Policy and StrategySource ↗ | Interpretation of the Anthropic incident and implications for state actors |
| Academic capability papers | autonomous website hacking↗🔗 webhuggingface.coSource ↗, one-day exploitation↗🔗 webhuggingface.coSource ↗, teams of agents on zero-days↗🔗 webhuggingface.coSource ↗, AI cyberattack evaluation framework↗📄 paper★★★☆☆arXivA Framework for Evaluating Emerging Cyberattack Capabilities of AIRelevant to AI safety researchers and policymakers concerned with dual-use risks; provides concrete evaluation methodology for tracking dangerous AI cyber capabilities as models become more capable.Mikel Rodriguez, Raluca Ada Popa, Four Flynn et al. (2025)27 citationsThis paper proposes a structured framework for assessing the offensive cybersecurity capabilities of AI systems, focusing on how to evaluate whether AI can assist in or autonomo...capabilitiesevaluationcybersecurityred-teaming+5Source ↗ | Bounded evidence on what current agents can do |
Additional source notes:
Footnotes
-
Andy Greenberg, "The Untold Story of NotPetya, the Most Devastating Cyberattack in History", WIRED, August 2018. ↩ ↩2
-
UnitedHealth Group, 2024 Form 10-K, reporting Change Healthcare cyberattack impacts; U.S. Department of Health and Human Services, "HHS Statement Regarding the Cyberattack on Change Healthcare", March 2024. ↩ ↩2
-
Microsoft, "Helping our customers through the CrowdStrike outage", July 2024; Parametrix, "CrowdStrike to Cost Fortune 500 $5.4B", August 2024; CrowdStrike, "Falcon Content Update Preliminary Post Incident Report", July 2024. ↩ ↩2 ↩3
-
Lloyd's, "Lloyd's systemic risk scenario reveals global economy exposed to $3.5trn from major cyber attack", October 18, 2023. The scenario was produced with the Cambridge Centre for Risk Studies and reports five-year GDP losses, not a one-year loss estimate. ↩ ↩2
-
Howden, "Rebooting Growth", September 2025; Guy Carpenter / Risk & Insurance, "Global Cyber Insurance Market Reaches $16.6 Billion in 2024", April 2025; Munich Re, "Dealing with Cyber Accumulation Risk", 2023-2024. ↩ ↩2 ↩3
-
Gallagher Re, "Cyber Risk Adjusted Rating (RAR) Index: 2026 update", January 30, 2026. ↩ ↩2
-
Royal Gazette, "Beazley secures $300m cyber cat bond in Bermuda vehicle", December 2025; Artemis, "Catastrophe bond market records that were broken in 2025", January 2026. ↩ ↩2
-
UK National Cyber Security Centre, "Impact of AI on cyber threat from now to 2027", May 7, 2025. NCSC assesses that AI will almost certainly increase cyber intrusion frequency and intensity, that VRED will be a major near-term development, and that fully automated end-to-end advanced cyber attacks are unlikely by 2027. ↩ ↩2 ↩3
-
OpenAI, "Strengthening cyber resilience as AI capabilities advance", December 10, 2025. OpenAI reports that its CTF-based cyber capability evaluation rose from 27% on GPT-5 in August 2025 to 76% on GPT-5.1-Codex-Max in November 2025, and says it is evaluating as though new models could reach "High" cybersecurity capability. ↩ ↩2 ↩3
-
Anthropic, "Disrupting the first reported AI-orchestrated cyber espionage campaign", November 13, 2025. ↩ ↩2
-
Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang, "LLM Agents can Autonomously Exploit One-day Vulnerabilities", arXiv:2404.08144, April 2024. ↩ ↩2
-
Ross Anderson et al., "Measuring the Cost of Cybercrime", Workshop on the Economics of Information Security, 2012; Ross Anderson et al., "Measuring the Changing Cost of Cybercrime", WEIS 2019. ↩ ↩2
-
Sasha Romanosky, "Examining the Costs and Causes of Cyber Incidents", Journal of Cybersecurity, 2016. ↩ ↩2 ↩3
-
Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, and Daniel Kang, "LLM Agents can Autonomously Hack Websites", arXiv:2402.06664, February 2024. ↩
-
Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, and Daniel Kang, "Teams of LLM Agents can Exploit Zero-Day Vulnerabilities", arXiv:2406.01637, June 2024. ↩
-
CISA and partner agencies, "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection", February 2024. ↩ ↩2
-
Munich Re, "Cyber Insurance: Risks and Trends 2025", March 2025. Munich Re discusses ransomware, supply-chain vulnerabilities, AI as both weapon and target, cyber insurance market size, and modeled industry accumulation potential. ↩
-
Cybersecurity Ventures, "Cybersecurity Almanac 2025" and "Cybercrime To Cost The World $12.2 Trillion Annually By 2031". Cybersecurity Ventures' 2025 forecast is useful as a broad upper-bound industry estimate, but it includes indirect cost categories that should not be read as direct lost GDP. ↩
-
CISA, "Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations", December 2020; SolarWinds, SEC Form 10-K for fiscal 2020, discussing Orion-related costs and risks. ↩
-
U.S. Department of Defense, "Remarks by Secretary Panetta on Cybersecurity to the Business Executives for National Security", October 11, 2012. ↩
-
Google Threat Intelligence Group, "GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools", November 5, 2025. ↩ ↩2
-
Andrew J. Lohn, "The Impact of AI on the Cyber Offense-Defense Balance and the Character of Cyber Conflict", arXiv:2504.13371, April 2025; CSET, "Anticipating AI's Impact on the Cyber Offense-Defense Balance", May 2025. ↩
-
Caleb Withers / CNAS, "Tipping the Scales: Emerging AI Capabilities and the Cyber Offense-Defense Balance", September 2025. ↩
-
"Uplifted Attackers, Human Defenders: The Cyber Offense-Defense Balance for Trailing-Edge Organizations", arXiv:2508.15808, 2025. ↩
References
The UK National Cyber Security Centre assesses that AI will almost certainly increase the frequency and intensity of cyber intrusion operations by enhancing threat actors' reconnaissance, vulnerability research, and exploit development capabilities. The report warns of a growing digital divide between AI-resilient and vulnerable systems, and highlights that proliferation of AI-enabled tools will expand offensive cyber capabilities to a broader range of state and non-state actors. Critical national infrastructure faces heightened risk as AI integration expands the attack surface.
OpenAI describes how their models' cybersecurity capabilities have rapidly improved (27% to 76% on CTF benchmarks from August to November 2025) and outlines a defense-in-depth safeguard strategy for models approaching 'High' capability levels. The post details layered mitigations including model training, detection systems, access controls, and partnerships with security experts. OpenAI frames this as a long-term investment to ensure advanced AI primarily benefits defenders rather than enabling malicious actors.
Google Threat Intelligence Group (GTIG) identifies a new phase of AI misuse where adversaries deploy 'just-in-time' AI-enabled malware (e.g., PROMPTFLUX, PROMPTSTEAL) that dynamically generates and obfuscates malicious code during execution. State-sponsored actors from North Korea, Iran, and China continue leveraging AI across the full attack lifecycle, while a maturing underground marketplace lowers barriers for less sophisticated cybercriminals. The report also documents social engineering tactics used to bypass AI safety guardrails.
Munich Re's 2025 cyber risk report analyzes the evolving cyber threat landscape, projecting the global cyber insurance market to reach USD 16.3bn. It highlights major loss drivers including ransomware, supply chain attacks, and geopolitical cyber threats, noting that government, manufacturing, and technology sectors are most targeted. The report underscores systemic vulnerabilities illustrated by the 2024 CrowdStrike outage.
Lloyd's of London, in partnership with the Cambridge Centre for Risk Studies, published a systemic risk scenario modeling the global economic impact of a hypothetical cyber attack on a major financial services payments system. The scenario estimates $3.5trn in global economic losses over five years, with the US, China, and Japan most affected. The report highlights the gap between cyber insurance coverage (~$9bn in premiums) and potential economic losses.
Beazley has priced the PoleStar Re Ltd. Series 2026-1 catastrophe bond at $300 million across three tranches, making it the largest cyber catastrophe bond ever issued. The deal provides Beazley with three-year excess-of-loss cyber reinsurance coverage through end of 2028, with all tranches pricing below initial guidance mid-points. This reflects growing investor confidence in cyber as an insurable catastrophe peril via capital markets.
The Cybersecurity Almanac 2025 by Cybersecurity Ventures compiles key statistics, forecasts, and trends in global cybersecurity, including projections on cybercrime costs, workforce gaps, and threat landscape evolution. It serves as a comprehensive reference document for understanding the scale and trajectory of cyber threats facing organizations and critical infrastructure. The almanac is widely cited in industry and policy discussions around cybersecurity investment and risk.
Cybersecurity Ventures projects global cybercrime costs will reach $10.5 trillion in 2025 and $12.2 trillion annually by 2031, growing at 2.5% per year. The report frames cybercrime as a self-sustaining global economy larger than most nations, driven by nation-state actors and criminal gangs increasingly leveraging generative AI. It highlights the breadth of costs including data theft, fraud, productivity loss, and reputational harm.
Published in the Journal of Cybersecurity (2016), this RAND Corporation study by Sasha Romanosky empirically examines the financial costs and root causes of cyber incidents using large-scale data. It provides quantitative analysis to help organizations and policymakers better understand the economic impact of cybersecurity failures. The findings inform risk management and policy decisions around cybersecurity investment.
This WIRED longform investigation details the 2017 NotPetya cyberattack, a Russian state-sponsored malware disguised as ransomware that devastated global infrastructure including Maersk, Merck, and FedEx. The attack originated in Ukraine and spread globally, causing an estimated $10 billion in damages. It serves as a landmark case study in how offensive cyber capabilities can produce catastrophic, uncontrolled global consequences.
CISA, NSA, FBI, and international partners warn that PRC state-sponsored group Volt Typhoon has compromised U.S. critical infrastructure sectors—including communications, energy, transportation, and water—using living-off-the-land techniques to maintain persistent, long-term access. The advisory assesses these actors are pre-positioning for potential disruptive cyberattacks during geopolitical crises or military conflict. Recommended mitigations include patching, phishing-resistant MFA, and centralized logging.
The URL references a speech published on the official U.S. Department of Defense website. The content retrieved is an Internet Archive interface rather than the speech itself, indicating the original page content was not accessible. The specific subject and speaker of the speech cannot be determined from the available content.
CISA advisory documenting the SolarWinds Orion supply chain compromise by Russian SVR (APT), affecting U.S. government agencies, critical infrastructure, and private sector organizations beginning March 2020. The advisory details initial access vectors including trojanized SolarWinds DLLs and SAML token abuse, and characterizes the threat as a patient, well-resourced adversary. It was updated to formally attribute the activity to Russia's Foreign Intelligence Service.
Microsoft's official response to the July 2024 CrowdStrike faulty update that affected 8.5 million Windows devices globally, detailing remediation steps including engineer deployment, cross-cloud collaboration with AWS and GCP, and technical workarounds. The post highlights the interconnected nature of the tech ecosystem and the importance of safe deployment practices and disaster recovery mechanisms.
25CrowdStrike to Cost Fortune 500 $5.4b; Insured Loss Range of $0.54b - $1.08bparametrixinsurance.com▸
Parametrix Insurance estimates the CrowdStrike July 2024 outage caused $5.4 billion in direct financial losses to Fortune 500 companies, with only 10–20% covered by cyber insurance due to large risk retentions and low policy limits. Healthcare ($1.94B) and banking ($1.15B) sectors bore the heaviest losses. The analysis highlights systemic cyber risk, the limits of insurance coverage, and the importance of aggregation risk management.
CrowdStrike's official post-incident hub documents the July 19, 2024 Falcon sensor content update that caused widespread Windows system crashes due to an out-of-bounds memory read from a field count mismatch (21 fields provided vs. 20 expected). The hub provides root cause analysis, recovery metrics (~99% of sensors restored by July 29), and outlines process improvements to prevent recurrence.
The global cyber insurance market grew to $16.6 billion in 2024, with North America leading at $10.5 billion. Ransomware and double-extortion attacks remain primary loss drivers, while generative AI is emerging as a tool for threat actors. Risk modeling uncertainty remains high, with aggregate loss estimates ranging from $20 to $46 billion at a 1-in-200-year return period.
Munich Re examines how interconnected cyber risks—malware, data breaches, IT outages, and infrastructure attacks—can create catastrophic accumulation losses for insurers. The article highlights challenges in modeling these risks due to rapidly evolving threat vectors and the difficulty of identifying dependencies across global supply chains. Real-world examples like NotPetya, WannaCry, and a 2017 AWS outage illustrate the scale of potential losses.
Beazley has issued a $300 million cyber catastrophe bond (PoleStar Re Series 2026-1) through a Bermuda special purpose vehicle, its fourth and largest such issuance, bringing total outstanding cyber cat bond protection to $670 million. The three-year, indemnity-based bond covers low-probability, high-severity systemic cyber events through 2028. Strong investor demand caused the deal to grow from an initial $200M target.
The article reports on record-breaking catastrophe bond market activity in 2025, including over $25.6 billion in total issuance—a 45% increase over 2024. The outstanding cat bond market reached $61.3 billion by year-end. The piece highlights growth across Rule 144A and private transactions, including cyber and terrorism-linked bonds.
This paper reviews literature on cyber offense-defense dynamics, cataloguing 18 arguments about offensive/defensive advantage and 48 characterizations of cyber conflict, then assesses how varying degrees of AI advancement would affect each. It finds no single answer to whether AI favors offense or defense, identifying 44 specific expected impacts across multiple dimensions of cyber conflict.
This CSET report by Andrew Lohn (May 2025) analyzes how AI will reshape the cybersecurity offense-defense balance across five domains: digital ecosystem changes, environment hardening, tactical engagements, incentives, and strategic effects. It finds no single winner—AI aids both attackers and defenders—but identifies concrete steps defenders can take to tilt the balance in their favor. The report warns that several missteps could push the balance toward offense.
This CNAS report examines how advancing AI capabilities may shift the balance between cyber offense and defense, potentially giving attackers new advantages in exploiting vulnerabilities, automating attacks, and evading defenses. It analyzes the implications for national security, critical infrastructure, and existing cybersecurity frameworks. The report offers policy recommendations for governments and organizations to prepare for an AI-enabled cyber threat landscape.
The paper argues that AI advances will dramatically worsen cybersecurity outcomes for 'trailing-edge organizations'—firms relying on legacy systems and underinvesting in security. AI lowers the marginal cost of cyberattacks and accelerates exploit development, exposing these organizations to substantially heightened risk. The authors propose solutions for both individual organizations and governments to improve defensive postures.
Anthropic reports detecting a sophisticated September 2025 espionage campaign in which a suspected Chinese state-sponsored group weaponized Claude Code as an autonomous agent to attack roughly thirty global targets including tech companies, financial institutions, and government agencies. This is described as the first documented large-scale cyberattack executed without substantial human intervention, leveraging AI capabilities in intelligence, agency, and tool use. Anthropic responded by banning accounts, notifying victims, coordinating with authorities, and expanding detection capabilities.
This paper demonstrates that LLM agents, specifically GPT-4, can autonomously hack websites by performing complex attacks like SQL injections and blind database schema extraction without prior knowledge of vulnerabilities. The agent achieves a 73.3% success rate across 15 tested vulnerabilities and can find vulnerabilities in real-world websites. The findings highlight significant cybersecurity risks posed by frontier AI models with tool-use capabilities.
The paper shows that GPT-4-based LLM agents can autonomously exploit 87% of a benchmark of 15 real-world one-day CVE vulnerabilities when given CVE descriptions, vastly outperforming all other tested models and scanners. Without CVE descriptions, performance drops to 7%, indicating the agent is better at exploitation than discovery. These findings raise serious questions about the risks of deploying highly capable LLM agents.
This paper introduces HPTSA, a hierarchical multi-agent LLM framework where a planning agent coordinates specialized subagents to exploit real-world zero-day cybersecurity vulnerabilities. Tested on a benchmark of 15 real-world vulnerabilities past GPT-4's knowledge cutoff, HPTSA achieves 53% pass@5 success rate, outperforming prior single-agent approaches by up to 4.5x and surpassing open-source vulnerability scanners entirely.