{"id":7481,"date":"2025-08-21T09:00:00","date_gmt":"2025-08-21T09:00:00","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-4967\/"},"modified":"2026-05-10T19:04:52","modified_gmt":"2026-05-10T19:04:52","slug":"ai-weapons-are-in-use-and-no-one-is-controlling-them","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2025\/08\/21\/ai-weapons-are-in-use-and-no-one-is-controlling-them\/","title":{"rendered":"AI Weapons Are in Use  &#8211;  And No One Is Controlling Them"},"content":{"rendered":"<p><strong>Generative AI has democratized cybercrime. Real-time deepfake videos, perfectly crafted phishing emails in German, automated vulnerability scanning in minutes instead of weeks  &#8211;  the tools exist, are freely available, and are actively being used. Regulation? Expected no earlier than 2027.<\/strong><\/p>\n<h2>TL;DR<\/h2>\n<ul>\n<li>AI-generated phishing emails have a 60 percent higher click rate than manually written ones  &#8211;  because they are linguistically and contextually nearly perfect<\/li>\n<li>Deepfake-based CEO fraud caused damages of over $500 million in 2024\/2025  &#8211;  with an exponentially increasing trend<\/li>\n<li>Offensive AI tools like WormGPT and FraudGPT are freely available in the darknet and require no technical expertise<\/li>\n<li>The EU AI Act regulates AI applications but not AI misuse by criminals  &#8211;  a fundamental gap<\/li>\n<\/ul>\n<h2>The New Quality of Threat<\/h2>\n<p>In February 2024, a financial employee of a multinational corporation in Hong Kong transferred $25 million  &#8211;  after a video conference with his CFO and several colleagues. All participants were deepfakes. The voices, the faces, the gestures  &#8211;  all AI-generated in real time. The employee had no reason to doubt.<\/p>\n<p>This is not science fiction. This is the present. And it\u2019s getting worse  &#8211;  because the technology is becoming exponentially better and cheaper, while detection lags behind at a linear pace.<\/p>\n<h2>The Three AI Weapon Categories<\/h2>\n<p><strong>1. Social Engineering at Scale:<\/strong> Spear-phishing, which once required hours of manual research per target, can now be automated using large language models. The AI reads LinkedIn profiles, analyzes communication patterns from leaked emails, and generates personalized messages in the sender\u2019s language and tone. The result? Phishing emails that even trained employees struggle to distinguish from legitimate ones.<\/p>\n<p><strong>2. Deepfakes as Weapons:<\/strong> Voice cloning requires just three seconds of audio. Face swapping works in real time on consumer-grade hardware. Combine the two  &#8211;  a video call that looks and sounds exactly like the CEO  &#8211;  and you have the perfect social engineering vector. It bypasses every technical security control, because the attack targets human judgment, not software.<\/p>\n<p><strong>3. Autonomous Exploitation:<\/strong> AI-powered tools scan networks, identify vulnerabilities, and automatically generate exploit code. What once took an experienced penetration tester a week, AI accomplishes in minutes. The technical barrier to launching sophisticated attacks has effectively vanished.<\/p>\n<h2>Why Regulation Fails<\/h2>\n<p>The EU AI Act  &#8211;  the world\u2019s most ambitious AI law  &#8211;  governs how companies and public authorities deploy AI. High-risk applications require certification. Generative AI systems must meet transparency obligations. All sound and necessary. But criminals don\u2019t seek certification.<\/p>\n<p>The AI Act addresses legitimate use cases. It offers no operational framework for tackling AI misuse by cybercriminals. Who\u2019s responsible for preventing deepfake attacks? Who bears liability when a freely available open-source model is weaponized for fraud? These questions aren\u2019t even on the regulatory agenda  &#8211;  let alone answered.<\/p>\n<h2>How Companies Can Protect Themselves<\/h2>\n<p><strong>Procedural Safeguards:<\/strong> No financial transfer over $10,000 without dual-channel verification. If the CFO calls via video, confirm the request through a separate channel  &#8211;  in person or by phone on a known, verified number. Every time.<\/p>\n<p><strong>Deepfake Awareness:<\/strong> Employees must understand that flawless video conferences can be fabricated. That a CEO\u2019s voice can be cloned. That \u201cI saw him\u201d no longer qualifies as proof of authenticity. This mindset shift must be embedded in every security awareness program.<\/p>\n<p><strong>AI Against AI:<\/strong> Deepfake detection tools are improving  &#8211;  but it\u2019s an arms race. Companies should deploy them, yet never treat them as foolproof. Procedural safeguards remain the final, most reliable line of defense.<\/p>\n<h2>Conclusion: Pandora\u2019s Box Is Open<\/h2>\n<p>Generative AI cannot be un-invented. The tools exist. They\u2019re growing more powerful and accessible by the day. And cybercriminals are adopting them faster than defenders can adapt. The answer isn\u2019t panic  &#8211;  it\u2019s realism: harden processes, train people, demand verification. Assume every communication could be forged. Then act accordingly.<\/p>\n<h2>Key Facts<\/h2>\n<p><strong>Deepfake Damages:<\/strong> CEO fraud using deepfake technology caused over $500 million in losses during 2024\/2025  &#8211;  the largest single incident involved $25 million.<\/p>\n<p><strong>AI Phishing Efficiency:<\/strong> Automatically generated spear-phishing campaigns achieve a 60 percent click-through rate, according to recent studies  &#8211;  compared to 12-18 percent for manually crafted messages.<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<h3>Can deepfakes be reliably detected?<\/h3>\n<p>Not yet  &#8211;  at least not consistently. Detection tools achieve 85-90 percent accuracy against pre-recorded videos. But in live video conferences, where lighting, angles, and audio conditions vary unpredictably, detection rates drop significantly. It\u2019s an ongoing arms race: as detection improves, so does generation.<\/p>\n<h3>Is open-source AI the problem?<\/h3>\n<p>Partly. Open models fuel innovation and research  &#8211;  but also enable abuse. Banning them would backfire, pushing development underground or into jurisdictions with lax oversight, like China or Russia. A smarter approach combines built-in safety guardrails at the model level with swift, targeted enforcement against malicious use.<\/p>\n<h3>How much does deepfake protection cost for companies?<\/h3>\n<p>Technical detection tools range from $5,000 to $50,000 annually. But the most effective protection  &#8211;  process redesign and workforce awareness  &#8211;  costs a fraction of that. Investing in mandatory verification protocols for high-value financial transactions delivers the highest return on investment in deepfake defense.<\/p>\n<h2>Related Articles<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/02\/20\/post_id-3525\/\">Recognizing AI-Generated Phishing Emails: 7 Warning Signs for 2026<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/02\/28\/post_id-3833\/\">Cyber Warfare 2026: When States Upgrade Digitally<\/a><\/li>\n<li><a href=\"https:\/\/www.securitytoday.de\/en\/2026\/03\/01\/post_id-3841\/\">Hybrid Warfare and Disinformation<\/a><\/li>\n<\/ul>\n<h3>More from the MBF Media Network<\/h3>\n<ul>\n<li><a href=\"https:\/\/mybusinessfuture.com\/ki-made-in-germany-935-startups-oekosystem\/\" target=\"_blank\" rel=\"noopener\">AI Trends for Decision-Makers on mybusinessfuture.com<\/a><\/li>\n<li><a href=\"https:\/\/www.digital-chiefs.de\/149-000-offene-it-stellen-wie-cios-ki-copiloten-als-fachkraeftersatz-nutzen\/\" target=\"_blank\" rel=\"noopener\">Artificial Intelligence in SMEs on digital-chiefs.de<\/a><\/li>\n<\/ul>\n<p style=\"text-align: right; font-size: 0.85em; color: #888; margin-top: 2em;\"><em>Header Image Source: Pexels<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"Generative AI has democratized cybercrime. Real-time deepfake videos, perfectly crafted phishing emails in German, automated vulnerability scanning in minutes instead of weeks &#8211; the tools exist, are freely available, and are actively being used. Regulation? Expected no earlier than 2027. TL;DR AI-generated phishing emails have a 60 percent higher click rate than manually written ones [&hellip;]","protected":false},"author":55,"featured_media":4968,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"ai weapons","_yoast_wpseo_title":"AI Weapons Are in Use - And No One Is Controlling Them","_yoast_wpseo_metadesc":"AI weapons fuel cybercrime surge\u2014stop the threat. Learn how to protect yourself now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"_evm_translation_lang":"","featured_post":0,"featured_post_sortierung":0,"_wp_old_slug":["post_id-4967"],"footnotes":""},"categories":[251],"tags":[],"class_list":["post-7481","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"evm_reading_time_minutes":5,"wpml_language":"en","wpml_translation_of":4967,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7481"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7481\/revisions"}],"predecessor-version":[{"id":10101,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7481\/revisions\/10101"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/4968"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}