{"slug": "nothing-on-the-internet-is-secure-anymore", "title": "Nothing on the Internet Is Secure Anymore", "summary": "AI tools are enabling a surge in cyberattacks, with Palo Alto Networks reporting a fourfold increase in daily attacks from 2024 to 2025. Hackers are using AI-enhanced viruses that adapt to avoid detection and automating cyber-espionage campaigns, while the time to exploit vulnerabilities has dropped from over 700 days in 2020 to just 44 days in 2025. Experts warn that traditional cybersecurity methods are no longer sufficient as AI-powered hacking tools become as skilled as elite human hackers.", "body_md": "# Nothing on the Internet Is Secure Anymore\n\nAI is enabling a deluge of cyberattacks the likes of which we’ve never seen before.\n\nLate last month, I began to consider withdrawing some money from my savings account to buy gold. It’s the first time I’ve ever thought about panic-buying. For all of the firewalls and two-factor-authentication codes, the safety of the internet is starting to falter. Hackers are gaining the upper hand over organizations around the world—hospitals, energy grids, government agencies, and, yes, banks.\n\nAs AI tools have become extremely good at writing code, they’ve also become extremely good at pulling off cyberattacks. (Malware, after all, is still software.) The result has been a change in the scale, speed, and sophistication of hacks that is difficult to overstate: Among its tens of thousands of clients, the cybersecurity firm Palo Alto Networks identified a fourfold increase in daily attacks from 2024 to 2025. Hackers are developing AI-enhanced computer viruses that adapt on the fly to avoid detection. They are automating cyber-espionage campaigns on foreign governments. They are stealing data in minutes instead of hours. “There’s a crazy amount of offensive activity happening right now,” Alex Stamos, a former chief security officer of Yahoo and Facebook, told me. “Companies are getting hacked every single day.”\n\nIf the NSA is perturbed by the rise in cyberattacks, which it [apparently](https://www.nsa.gov/aisc/) is, then surely my savings are vulnerable. There could be any number of weaknesses in my bank’s IT systems to directly hack. Or perhaps an AI-written phishing email targeted at an employee, personalized to sound like a family member or manager, could let hackers into the back end to empty my coffers. Even if the bank has great cybersecurity, an attack on another business—a medical clinic I visited, a car-rental company, a newsletter subscription—could steal my payment information and, potentially, much more. The attack angles are seemingly infinite. And no one is adequately prepared.\n\nThe term *software engineering* has always been an insult to the level of rigor demanded of mechanical, civic, and other engineers. Computer programs can be riddled with vulnerabilities and run just fine for years or decades—and much of the software underlying the web has done just that. “We’ve just been writing software in a totally slapdash and insecure way for decades now,” Stamos, who is now the chief security officer at the AI-coding company Corridor, said. With some small, high-stakes exceptions—such as software used on the International Space Station or nuclear submarines—code is written and deployed without much rigorous testing. If a bug is reported, it gets patched.\n\nSuch a relaxed security posture has been more or less fine because discovering vulnerabilities is hard and skilled hackers are few in number: Either nobody found the bugs or nobody was able to exploit them. But traditional cybersecurity methods don’t cut it anymore. Before, you might scramble for a week to patch a hole, Giovanni Vigna, a cybersecurity expert at UC Santa Barbara, told me. “Now you could have hundreds of those every week.” Moody’s Ratings has found that the time attackers take to exploit a publicly known vulnerability (the digital equivalent of a robber plotting how to get around a bank’s guards and cameras after obtaining a key) fell from more than 700 days in 2020 to just 44 days in 2025—faster than the average time cybersecurity teams take to patch the bug.\n\nGovernments and major companies are on high alert for AI-enabled cyberwarfare. The wake-up call came this spring, with the announcement of two extremely advanced cyber models—[Claude Mythos Preview](https://www.theatlantic.com/technology/2026/04/claude-mythos-hacking/686746/) from Anthropic, and the analogous GPT-5.5-Cyber from OpenAI soon after. Many independent cybersecurity experts have told me that these models are as or nearly as skilled as elite human hackers, which is why Anthropic and OpenAI didn’t release them publicly. Instead, the AI labs have granted a small number of partner organizations and government agencies exclusive access to the unrestricted versions of these cyber models in the hopes of shoring up their IT systems. And this month, Donald Trump signed an executive order to expedite just that.\n\nOrganizations can guard against the coming deluge of AI-enabled hacks, most notably by using AI to detect and resolve vulnerabilities before cybercriminals can exploit them. Anthropic has itself used Claude Mythos Preview to find thousands of bugs in open-source-software packages—many of which went undetected for years or decades—that undergird much of the internet. Mozilla [used](https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/) Mythos to fix more than 400 bugs in the Firefox web browser in April, roughly 20 times more than it fixes in a typical month. And having an AI agent monitoring for intruders 24/7 could be far more effective than periodic cybersecurity audits. If you’ve noticed more updates in your web browser, work software, and smartphone apps, it may well be because software companies are using AI to scan for bugs.\n\nBut, if anything, these efforts are late. Even though they’re not as powerful as Mythos, plenty of free and open-source AI hacking tools are allowing criminals with little technical experience to marshal an army of hackers at their fingertips. Tools from Google, Anthropic, and OpenAI have guardrails intended to prevent them from being used for hacks, but they are not perfect: All three companies have reported more, and more sophisticated, hacking attempts using their AI models. When the courseware Canvas was [hacked last month](https://www.theatlantic.com/ideas/2026/05/canvas-hack-campus-fragility/687115/), upending classrooms in thousands of schools and universities worldwide, AI likely played a role—and the criminal group responsible, a notorious hacking ring called ShinyHunters, is known for using AI in all sorts of scams. Just weeks later, Google cybersecurity researchers reported that ShinyHunters had hacked into an Oracle HR system and may have stolen data from more than 100 organizations. Meanwhile, the Trump administration has [forced Anthropic](https://www.theatlantic.com/technology/2026/06/trump-anthropic-export-control-ai-race/687555/) to revoke all public access to the latest version of Mythos—taking away perhaps the most powerful cyberdefense tool we have from both the government and the private sector.\n\nThat does not mean you should withdraw your life’s savings and buy gold (although, well). But a tremendous amount of change needs to happen in a very short period of time; open-source AI models will soon catch up to Mythos and GPT-5.5. The internet needs upgrades “at a Y2K-like scale,” Raffi Krikorian, the chief technology officer at Mozilla, told me, referring to a widespread fear that computer programs interpreting the digits “00” to mean the year 1900, rather than 2000, would bring down the web. But IT professionals spent years preparing for and ultimately avoiding a Y2K apocalypse, he said; with AI, we have months. No one company or government can demand the requisite collective action rapidly enough to completely secure our digital infrastructure. “There’s no way organizations across the globe are going to patch everything that needs to occur within the next three to five months,” Wendi Whitmore, the chief security intelligence officer at Palo Alto Networks, told me.\n\nAt the same time that bots are making hackers more capable, the technology is also making the web less robust to attacks. Coding agents, due to their propensity to hallucinate, frequently write insecure code—and humans, in the thrall of vibe-coding, usually don’t take the time to verify it. Spotty AI code has, for instance, [reportedly](https://www.ft.com/content/7cab4ec7-4712-4137-b602-119a44f771de?syn-25a6b1a6=1) caused multiple outages in Amazon’s e-commerce services. Meanwhile, the AI models being integrated across the web—into Amazon, Google, your bank’s customer-service department, and more—are themselves new, untested, and vulnerable to all manner of creative attacks that allow hackers to request passwords and personal information. A few weeks ago, a group of cybercriminals basically just asked Meta’s customer-service AI to give them access to some 30,000 Instagram accounts (including the Sephora corporate account and the defunct Obama White House account), and the AI obliged. (“Some of our internal backend checks failed in this instance, but it wasn’t due to the AI agent itself, and we’ve addressed the underlying cause,” Andy Stone, a Meta spokesperson told me.)\n\nThe near future is very likely to involve more frequent, and more severe, outages and hacks just like those affecting Canvas, Meta, and Amazon. “We will see more of these disruptions,” Vigna said. “I think it’s inevitable in the short term.” Smaller but crucial companies and organizations that are not web-native—think power plants, municipal-government agencies, credit unions—are especially vulnerable. They may be running all sorts of clunky legacy code, and lack the IT capacity or financial resources to make the necessary upgrades. In many cases, the person who wrote the bulk of an organization’s software might be retired or dead.\n\nTake hospitals, many of which are already struggling to combat data breaches and ransomware attacks. Hospital IT systems are full of valuable health and financial data, and the incentive to pay a ransom is high when patients’ lives are on the line. “It’s not a matter of will to increase cybersecurity for hospitals,” John Riggi, the national adviser for cybersecurity and risk for the American Hospital Association, told me. “It is a matter of resources and capabilities.” AI, he said, will make everything worse. And the greater burden is always on the side of the defense: Missing just a single vulnerability can permit a catastrophic attack. An Anthropic spokesperson told me that “hospitals, utilities, and smaller banks run on software built by others,” which Mythos is helping secure. “Software upstream protects the organizations downstream that don’t have resources to staff their own security research team.”)\n\nA worst-case scenario over the next year or so might look like “blackouts across the United States, telecommunications companies being hacked,” Krikorian said, or “our banking systems dealing with people losing money left and right.” Every cybersecurity expert I spoke with for this story concurred: The next few months, couple of years, or even longer will be rough. “I hope that it’s not a catastrophic outage, but I am concerned that 2026 really could be the year that we see some sort of attack like that become very successful,” Whitmore said. Anthropic estimates [that](https://www.anthropic.com/news/expanding-project-glasswing) a major cyberattack on just one of its 200 or so partner organizations could affect at least 100 million people.\n\nCollective action aside, some precautions exist that individuals can take short of liquidating into gold. Many of them are basic: using a password manager that auto-generates long passwords, keeping software updated, restarting devices to wipe viruses from their short-term memory. Be extra wary of all sorts of phishing texts and other low-level scams. And you might consider simplifying your digital life by switching to a Chromebook, certain tablets, or another gadget that is a “thin client,” meaning that very little software and data are stored on the device.\n\nEven in the most catastrophic of scenarios, perhaps we can ride out the AI hacks. No one knows just how many bugs are out there. If there’s a limited pool of vulnerabilities online, things will settle down once they are all found, whether by hackers or security audits. But it’s also possible that every time the top AI models reach a new threshold of capabilities, Stamos said, they discover a new pool of still more complex hacks. And so the chaos begins anew.", "url": "https://wpnews.pro/news/nothing-on-the-internet-is-secure-anymore", "canonical_source": "https://www.theatlantic.com/technology/2026/06/ai-hacking-cybersecurity-banks/687562/?utm_source=feed", "published_at": "2026-06-16 17:50:00+00:00", "updated_at": "2026-06-16 18:23:04.788330+00:00", "lang": "en", "topics": ["artificial-intelligence", "ai-safety", "ai-policy", "ai-tools", "ai-ethics"], "entities": ["Palo Alto Networks", "Alex Stamos", "Yahoo", "Facebook", "Corridor", "Giovanni Vigna", "UC Santa Barbara", "Moody's Ratings"], "alternates": {"html": "https://wpnews.pro/news/nothing-on-the-internet-is-secure-anymore", "markdown": "https://wpnews.pro/news/nothing-on-the-internet-is-secure-anymore.md", "text": "https://wpnews.pro/news/nothing-on-the-internet-is-secure-anymore.txt", "jsonld": "https://wpnews.pro/news/nothing-on-the-internet-is-secure-anymore.jsonld"}}