So that little six-digit code you punch in like a good citizen every time you log into your bank? Yeah, somebody just used AI to walk right past it. Google’s Threat Intelligence Group dropped this news on May 11 and didn’t bury it. They called it a “mass exploitation event,” meaning the bad guys planned to hit a lot of people at once. Google caught it and pushed a patch before launch, which is great. The not-so-great part is that AI just got promoted from “writes you a poem about your dog” to “writes working zero-day exploits.”
The intern just figured out the safe combination
Here’s the short version. A criminal crew Google won’t name used an AI model to dig through a popular open-source admin tool, found a logic flaw nobody had caught, and had the AI write a Python script to slide past the 2FA check. Google says the code has all the fingerprints of LLM output, including the AI hallucinating a fake severity score because apparently even hacker AIs make things up. The exploit needs valid credentials to work, so it’s not “your bank account is now empty” territory. But the thing we all got told to enable as our shield? Turns out it has hinges that bend.
Meanwhile the good guys are doing the same thing
Plot twist. Anthropic announced in April that its restricted Claude Mythos model went hunting through major open-source projects and surfaced bugs nobody had spotted in decades. A 27-year-old crash bug in OpenBSD. A 16-year-old flaw in FFmpeg, sitting in code that fuzzers had hit five million times without flinching. A 17-year-old remote root hole in FreeBSD’s NFS server, the kind of thing that runs Netflix and PlayStation. Mythos found and exploited that one on its own. So yes, the defense side has the same tool. They’re just behind.
And the propaganda bots are busy too
Google’s same report flagged that operators tied to China, Iran, Russia, and Saudi Arabia have been leaning on AI to crank out political satire, fake posters, and propaganda for both digital and physical channels. Russia bumped its info ops budget by 54 percent this year. The combo is ugly. AI writing the exploit, AI writing the lie about the exploit, AI cleaning up after the lie. It’s an assembly line, and you’re the product.
What this means for you
Don’t ditch 2FA. It still raises the bar for the average attacker who can’t afford a six-figure compute bill. But if you’re still using SMS codes, swap to an authenticator app or a hardware key. Patch your stuff. Watch your statements. Get suspicious of polished, urgent emails.
The race is already running
Patching takes weeks. Exploiting takes hours. Pick a side. Stay loud.
Sources: Google Threat Intelligence Group, Anthropic, CSO Online, Security Week, The Hacker News, The Register, VentureBeat, Tom’s Hardware, Help Net Security