Brace for bugmageddon: experts warn of AI crime wave

Jennifer Dudley-Nicholson

AI tools are set to multiply attacks on financial companies as hackers bid to steal funds and data.
Australia’s finance firms are increasingly being targeted by Chinese and North Korean hacking groups in attacks designed to steal funds, access and identity data.

But artificial intelligence tools could multiply those attacks in future, a report warns, as the technology is used to find software vulnerabilities and even to impersonate workers.

Cybersecurity firm CrowdStrike issued the warning on Thursday in its Financial Services Threat Landscape report that showed attacks on the sector soared by 43 per cent in 2025.

The announcement comes one year after several major Australian superannuation funds, including Australian Retirement Trust and AustralianSuper, were targeted in a coordinated online attack, in which criminals stole more than $500,000.

Routers, switches and other networking equipment are considered vulnerable to hackers. (Bianca De Marchi/AAP PHOTOS)

CrowdStrike’s research found financial services had become the fourth most targeted industry for hackers, representing 12 per cent of all online attacks.

Three in every four attacks were launched by criminal groups for financial gain, the report found, while one in four were the result of state-sponsored adversaries targeting information.

North Korean groups posed a major threat to the industry, stealing more than $US2 billion in digital assets such as cryptocurrency, while Chinese hackers posed the biggest espionage threat, the study said.

Many attackers attempted to break into finance firms using weaknesses in edge devices, CrowdStrike counter-adversary operations head Adam Meyers said, such as routers, switches and other networking equipment.

These devices were the most likely to be overlooked for software updates, he said, and attackers were using AI tools to find ways to break into them.

“We’re seeing this increase in the use of AI for finding vulnerabilities and I think we’re going to see more and more vulnerabilities identified in these devices and network appliances,” he told AAP.

“There were 48,200 of these vulnerabilities registered last year and if AI (multiplies that by 10) that means that defenders are going to have over 400,000 vulnerabilities that they need to patch.”

Ransomware attacks are also on the rise, with more victims identified in 2025. (EPA PHOTO)

The trend, which has been dubbed bugmageddon and vulnpocalypse, could put significant strain on IT workers over the coming year, Mr Meyers said.

Other rising attacks in the sector included ransomware, with the details of 27 per cent more victims published on leak sites during 2025, and targeted phishing attacks, some of which deployed AI tools.

Rather than using emails to trick employees into sharing credentials, Mr Meyers said criminal groups were using AI to impersonate employees' voices in calls to help desks.

“Humans are actually the biggest risk,” he said.

“A lot of people think you get an email, don’t click on that email, but in reality, (phishing) can be a text message, it could be a phone call.”

Finance firms should prioritise patching all parts of their network to avoid attacks, Mr Meyers said, while individuals should use multi-factor authentication and authentication apps.

AAP