AI to Boost Cyber Threats in 2026, AhnLab Warns


Introduction

Artificial intelligence will enable bad actors to launch more sophisticated cyber attacks in 2026, according to cybersecurity firm AhnLab. North Korean state-backed hackers, particularly the Lazarus Group, have been the most active threat actors targeting financial institutions and crypto exchanges, employing spear phishing tactics that have resulted in massive financial losses, including the $1.4 billion Bybit hack and the recent $30 million Upbit exploit.

Key Points

  • Lazarus Group was the most frequently mentioned threat actor in post-hack analyses over the past 12 months
  • Spear phishing attacks using fake emails disguised as lecture invitations or interview requests remain a primary attack method
  • The group is suspected of stealing over $1.4 billion through major crypto exchange hacks including Bybit and Upbit

The Rising AI Threat in Cybersecurity

South Korean cybersecurity company AhnLab has issued a stark warning about the evolving cyber threat landscape, predicting that emerging technologies like artificial intelligence will make malicious actors more efficient and their attacks more sophisticated in 2026. The company’s Cyber Threat Trends & 2026 Security Outlook report, published on November 26, 2025, highlights how AI capabilities are expected to amplify existing threats rather than create entirely new ones, enabling hackers to scale their operations and improve their social engineering tactics.

This technological advancement comes at a time when cybercriminals are already demonstrating significant capabilities. The report emphasizes that while AI will enhance threat actors’ efficiency, the fundamental methods of attack are likely to remain similar, with spear phishing continuing as a primary vector. The concern is that AI will enable attackers to create more convincing fake communications and automate aspects of their campaigns, making detection and prevention increasingly challenging for security teams.

Lazarus Group: The Most Active Threat Actor

According to AhnLab’s analysis, North Korean state-backed hackers, particularly the Lazarus Group, have emerged as the most frequently mentioned threat actor in post-hack analyses over the past 12 months. The group’s consistent presence across multiple cybersecurity investigations underscores their persistent and widespread targeting of financial institutions, with a particular focus on the cryptocurrency sector where large, liquid assets present attractive targets.

The Lazarus Group’s operational patterns reveal a sophisticated approach to cybercrime that spans multiple sectors. While their notoriety in cryptocurrency hacks has drawn significant attention, their activities extend beyond digital assets to include traditional financial institutions and other high-value targets. This cross-sector targeting demonstrates the group’s adaptability and the broad nature of the threat they pose to global financial security.

AhnLab’s tracking of threat actor mentions in post-incident analyses provides crucial intelligence about which groups are most active and successful. The Lazarus Group’s dominance in these reports indicates not only their frequency of attacks but also their effectiveness in compromising targets and extracting value, making them a primary concern for cybersecurity professionals worldwide.

Spear Phishing: The Primary Attack Vector

Spear phishing remains one of the most popular and effective methods employed by threat actors like the Lazarus Group, according to AhnLab analysts. The technique involves sending highly targeted fake emails disguised as legitimate communications, with the cybersecurity firm specifically noting instances where these messages appeared as ‘lecture invitations or interview requests.’ This approach leverages social engineering to bypass technical security controls by exploiting human psychology and trust.

The sophistication of these spear phishing campaigns has evolved significantly, with attackers conducting extensive research on their targets to create convincing lures. By tailoring messages to specific individuals or organizations, threat actors increase the likelihood of their emails being opened and their malicious links or attachments being activated. This personalized approach distinguishes spear phishing from broader phishing campaigns and makes it particularly dangerous for high-value targets in the financial and cryptocurrency sectors.

AhnLab’s identification of spear phishing as a primary attack method underscores the ongoing challenge of human factors in cybersecurity. Despite advances in technical security measures, the human element remains vulnerable to manipulation, and threat actors continue to exploit this weakness with increasingly refined social engineering tactics.

Major Crypto Exchange Hacks and Financial Impact

The Lazarus Group’s activities have had substantial financial consequences, with the hackers suspected to be responsible for the massive $1.4 billion Bybit hack on February 21. This incident represents one of the largest cryptocurrency exchange breaches in history and demonstrates the group’s capability to target and compromise major platforms in the digital asset ecosystem. The scale of this theft highlights the significant financial stakes involved in securing cryptocurrency exchanges against sophisticated state-backed threat actors.

More recently, the group is suspected of being behind the $30 million exploit of South Korean crypto exchange Upbit, indicating their continued focus on cryptocurrency platforms and their ability to successfully execute attacks despite increased security awareness in the industry. The timing of this attack, coming after the massive Bybit breach, suggests either that improved security measures forced the hackers to settle for a smaller haul or that they are conducting multiple simultaneous campaigns against different targets.

These high-profile incidents illustrate the Lazarus Group’s persistent targeting of cryptocurrency exchanges, which offer attractive targets due to the irreversible nature of blockchain transactions and the difficulty of tracing stolen funds. The cumulative financial impact of these attacks extends beyond the immediate losses to include reputational damage to affected exchanges, increased insurance costs, and broader market implications as investors grow wary of exchange security.

The 2026 Security Outlook

Looking ahead to 2026, AhnLab’s security outlook paints a concerning picture of an evolving threat landscape where technological advancements benefit both defenders and attackers. The prediction that artificial intelligence will enhance bad actors’ capabilities suggests that current security measures may become less effective unless they similarly incorporate AI and machine learning technologies to detect and respond to threats.

The continued prominence of state-backed groups like the Lazarus Group indicates that geopolitical factors will remain significant drivers of cybercrime, particularly in the financial sector. As these actors refine their techniques and leverage new technologies, organizations must anticipate more sophisticated social engineering, faster attack cycles, and potentially new attack vectors that exploit emerging technologies.

AhnLab’s warning serves as a critical reminder that cybersecurity requires continuous adaptation and investment. The combination of AI-enhanced threats, persistent state-sponsored actors, and the lucrative nature of financial targets creates a perfect storm that demands heightened vigilance, improved security protocols, and greater collaboration between private sector organizations and government agencies to protect critical financial infrastructure.
