Anthropic Analyzes 832 AI-Enabled Cybercrime Accounts
Anthropic published an analysis of 832 accounts it banned for malicious cyber activity between March 2025 and March 2026, mapping observed behavior to the MITRE ATT&CK framework, per Anthropic and reporting by Help Net Security. The team logged 13,873 actions spanning 482 unique ATT&CK techniques and all 14 tactics. It found 560 of the 832 accounts (67.3%) used AI for malware-related preparation and capability development, while a smaller share, 54 accounts (6.5%), used AI for lateral movement inside compromised networks, per Anthropic. The share of medium- and high-risk actors rose from 33% to 56% between the first and second halves of the period. Anthropic notes that several high-risk behaviors, such as orchestrating attack steps autonomously, are not yet represented as techniques in ATT&CK, and says it contributed findings to the 2026 Verizon DBIR.
What happened
Anthropic published an analysis of AI-related cyber misuse covering 832 accounts it banned for malicious activity between March 2025 and March 2026, as described on Anthropic's research posts and summarized by Help Net Security. The team mapped observed activity to the MITRE ATT&CK framework, logging 13,873 discrete actions across 482 unique ATT&CK techniques and all 14 ATT&CK tactics, per Anthropic.
Key findings
- •Per Anthropic, 560 of the 832 accounts (about 67.3%) used AI for malware development and capability development, the most common category of misuse.
- •A smaller group, 54 accounts (6.5%), used AI to assist with lateral movement inside compromised networks, per Anthropic.
- •The share of medium- and high-risk actors rose from 33% in the first half of the window to 56% in the second, indicating an escalation in actor sophistication.
Where ATT&CK falls short
Anthropic reports that some behaviors distinguishing the highest-risk actors, such as using AI to sequence attack steps, make real-time decisions, and execute with limited human intervention, are not yet represented as attacker techniques in MITRE ATT&CK. Anthropic says it contributed findings to the 2026 Verizon Data Breach Investigations Report.
Editorial analysis - industry pattern
ATT&CK-mapped telemetry gives defenders a structured way to reason about AI-assisted tradecraft rather than anecdotes. The reported shift toward agentic, multi-step automation is consistent with a broader industry pattern in which detection emphasis moves from inspecting single prompts to identifying automation artifacts and orchestration behavior. Defenders weighing these signals should treat counts of banned accounts as a floor, not a census, since they reflect one vendor's enforcement view.
Key Points
- 1Anthropic mapped 832 banned accounts to MITRE ATT&CK, logging 13,873 actions across 482 techniques and all 14 tactics, giving defenders structured telemetry.
- 2About 67.3% of reviewed accounts used AI for malware or capability development, and medium-or-higher-risk actors rose from 33% to 56% over the year.
- 3Several high-risk behaviors like autonomous attack orchestration are not yet ATT&CK techniques, so defenders must watch agentic tooling and automation artifacts.
Scoring Rationale
A year-long, ATT&CK-mapped dataset from a frontier lab quantifying how attackers use AI is concrete and directly actionable for defenders and threat analysts, and was notable enough to feed the 2026 Verizon DBIR. It documents and measures an ongoing trend rather than disclosing a new attack technique or model, so it is major-leaning-notable but not industry-shaking.
Sources
Public references used for this report.
View 11 more sources
- 04832 banned accounts reveal AI's growing role in cybercrime - MSNmsn.com
- 05Significant Rise in AI Use for Cyberattacks: Insights and Implicationsvaluethemarkets.com
- 06Anthropic + MITRE Map a Year of AI-Enabled Cyber Attackshumphreytheodore.com
- 07What We Learned by Tracking a Year of AI-Enabled Cyber Attackshci.today
- 08The Weather Report - Dispatches on AI, Security, and Safetytheweatherreport.ai
- 09AI Escalates Cyber Threats in 2026startuphub.ai
- 1056% of High-Risk Hackers Now Use AI, Anthropic Reportsawesomeagents.ai
- 11Malware Development Drives 67% of AI Cyber Misuse in 2026getaibook.com
- 12Crypto: 67% of banned Anthropic accounts aided AI cyberattacksmexc.com
- 13Risky Business - Apple Podcastspodcasts.apple.com
- 14AI is helping low-skill hackers pull off advanced cyberattacksitsecuritynews.info
Practice with real Telecom & ISP data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Telecom & ISP problems