The share of high-risk actors leveraging AI for cyberattacks jumped from 33% to 56% in just one year, according to Anthropic's sweeping review of banned accounts.
Anthropic released a comprehensive analysis on June 3 covering a full year of AI misuse tied to cyberattacks, spanning March 2025 through March 2026. The headline number: the percentage of medium- or high-risk actors using AI for cyber operations jumped from 33% to 56%, a 1.7x increase that signals a fundamental shift in how threat actors are weaponizing large language models.
What 832 banned accounts tell us #
Anthropic’s research team examined 832 accounts that were banned for policy violations connected to malicious cyber activities. Across those accounts, researchers documented 13,873 observed actions and 482 unique techniques, all mapped against the MITRE ATT&CK framework, the industry-standard classification system for adversary tactics.
Malware development remained the most popular use case by a wide margin. Roughly 67% of analyzed actors, about 560 accounts, used AI to help build malicious software.
The growth wasn’t in the basic stuff. It was in the complex techniques. Practices like lateral movement (used by 6.5% of actors) and credential dumping started appearing more frequently as the study period progressed. Attackers aren’t just asking AI to write simple viruses anymore. They’re using it to navigate through networks after initial compromise, steal authentication credentials, and execute multi-step intrusion campaigns that previously required significant human expertise.
To quantify this evolution, Anthropic introduced something called the AI Risk Enablement Score, or ARiES. The metric measures how much AI capabilities elevate the risk profile of a given threat actor.
The autonomous espionage problem #
Among the most alarming findings were specific cases documented during 2025. A largely autonomous espionage campaign linked to Chinese state-sponsored actors used Claude Code to perform up to 90% of operations without human intervention.
The report also flagged a phenomenon researchers dubbed “vibe hacking,” where threat actors executed extortion schemes through Claude Code.
Anthropic shared its findings with Verizon for inclusion in the 2026 Data Breach Investigations Report, one of the most widely cited annual cybersecurity publications.
Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our