
Google Reports First Case of Criminal Hackers Using AI to Discover Zero-Day Vulnerability
Google reported the first documented case of criminal hackers using AI to discover a previously unknown software vulnerability, or zero-day flaw. The attack was thwarted. Details such as the timing, target, and specific AI platform used were not disclosed, though Google confirmed that the platform was not its own Gemini chatbot. Zero-day vulnerabilities—unpatched security holes unknown to software vendors—are highly valuable, often selling for millions on black markets, and traditionally require significant time and expertise to uncover. The incident highlights concerns that AI lowers the barrier to entry for identifying such flaws, enabling even low-skilled attackers to exploit them. Anthropic's recently announced AI model, Mythos, was cited as an example of advanced systems so capable of finding vulnerabilities that access is restricted to select firms and government agencies in the U.S. and Britain. While AI could improve future code security, legacy software from as recently as 2015 remains vulnerable to AI-driven discovery of flaws, posing ongoing risks. Google's threat intelligence chief described the event as "the tip of the iceberg," signaling broader cybersecurity challenges ahead.