Anthropic Analyzes 832 AI-Enabled Cybercrime Accounts

Anthropic published an analysis of AI-related cyber misuse covering 832 accounts it banned for malicious activity between March 2025 and March 2026, as described on Anthropic's research posts and summarized by Help Net Security. The team mapped observed activity to the MITRE ATT&CK framework, logging 13,873 discrete actions across 482 unique ATT&CK techniques and all 14 ATT&CK tactics, per Anthropic.

• •Per Anthropic, 560 of the 832 accounts (about 67.3%) used AI for malware development and capability development, the most common category of misuse.
• •A smaller group, 54 accounts (6.5%), used AI to assist with lateral movement inside compromised networks, per Anthropic.
• •The share of medium- and high-risk actors rose from 33% in the first half of the window to 56% in the second, indicating an escalation in actor sophistication.

Anthropic reports that some behaviors distinguishing the highest-risk actors, such as using AI to sequence attack steps, make real-time decisions, and execute with limited human intervention, are not yet represented as attacker techniques in MITRE ATT&CK. Anthropic says it contributed findings to the 2026 Verizon Data Breach Investigations Report.

ATT&CK-mapped telemetry gives defenders a structured way to reason about AI-assisted tradecraft rather than anecdotes. The reported shift toward agentic, multi-step automation is consistent with a broader industry pattern in which detection emphasis moves from inspecting single prompts to identifying automation artifacts and orchestration behavior. Defenders weighing these signals should treat counts of banned accounts as a floor, not a census, since they reflect one vendor's enforcement view.