The honest answer is: far more attempts, noticeably more successful fraud, and a more modest increase in serious cyber breaches.
Those distinctions matter. AI agents may multiply malicious activity without producing an equivalent increase in damage. An agent can send thousands of convincing messages, probe hundreds of applications, or maintain dozens of fraudulent conversations. But it must still defeat identity checks, payment controls, endpoint security and increasingly AI-assisted defenders.
The future is therefore unlikely to resemble an autonomous cyber apocalypse. It will look more like an enormous reduction in the cost of committing ordinary digital crime.
What counts as an AI-agent attack?
An AI model generates an answer. An AI agent can pursue an objective: navigate websites, operate accounts, call tools, interpret responses, adjust its approach and continue working with limited supervision.
That creates several levels of AI involvement:
AI-present: A criminal used a model somewhere in the process.
AI-assisted: AI helped write messages, research targets or > produce content.
Agent-accelerated: An agent completed a meaningful sequence of > actions.
Agent-dependent: The campaign could not have operated at the > same scale, speed or level of personalization without agents.
Only the last two categories should normally be counted as attacks attributable to agent progress. Otherwise, almost every digitally enabled crime could eventually be described as “AI-related,” making the label meaningless.
The most likely numbers
No one can measure a future counterfactual precisely. The following ranges are my forecast for the end of 2028, relative to a world in which agent capabilities remained near their 2025 level.
| Activity | Increase caused by agent progress by 2028 |
|---|---|
| Fraud attempts in highly exposed digital channels | 3–10× |
| Successful fraud incidents | 20–60% |
| Fraud losses | 15–50% |
| Malicious reconnaissance and application probing | 3–8× |
| Successful cyber intrusions | 10–30% |
| Severe cyber incidents in which an agent is the decisive factor | 5–15% |
These are not predictions that total global cybercrime will rise by those exact amounts. They estimate the additional activity that agent progress could create, after accounting for the fact that many attacks would have happened anyway.
By 2030, agents could be involved in the majority of fraud attempts and malicious reconnaissance targeting some digital channels. I would not yet predict that they will cause the majority of successful breaches. Fraud is much easier to scale with agents than technically demanding intrusion operations.
The early evidence already points toward a volume explosion
The available measurements use inconsistent definitions, but their direction is remarkably consistent.
CrowdStrike reported an 89% year-over-year increase in “AI-enabled” attacks in its 2026 threat report, alongside an average breakout time of 29 minutes. That category is broader than autonomous agents, but it indicates that AI is becoming part of real adversarial workflows rather than remaining an experimental tool. CrowdStrike’s 2026 Global Threat Report
HUMAN Security reported that automated traffic grew eight times faster than human traffic and said it had observed AI agents behaving in patterns associated with payment-card testing. Its data represents the traffic visible to one security provider, not the entire internet, but it illustrates where the first major effect is appearing: automation volume and adaptability. HUMAN’s 2026 State of AI Traffic and Cyberthreat Benchmark
INTERPOL estimates that AI-enhanced fraud can be 4.5 times more profitable than traditional fraud. That does not mean global losses will quadruple. It means that certain AI-supported operations may achieve better economics through lower labor costs, greater scale or higher conversion rates. INTERPOL’s 2026 Global Financial Fraud Threat Assessment
The evidence supports a clear conclusion: the immediate impact of agents is primarily economic. They allow one operator to attempt work that previously required a call center, a fraud crew or a collection of specialized contractors.
Why fraud will grow faster than cyber intrusion
Fraud is fundamentally a communication and workflow problem. Criminals must find targets, build trust, maintain a convincing identity, answer questions and guide victims or institutions through a sequence of actions.
Those are exactly the activities agents are improving at.
An agent can maintain many conversations simultaneously, communicate across languages, remember the details of each victim, personalize its story and remain available around the clock. It can also navigate application interfaces, collect required information and adapt when a form or workflow changes.
The result will not simply be more phishing messages. It will be longer, more interactive campaigns in which the target believes they are dealing with a patient and attentive human.
Likely high-growth categories include:
Impersonation and business-payment fraud
Romance and investment scams
Fraudulent customer-support interactions
Synthetic-identity and account-opening attempts
Marketplace, refund and promotion abuse
Account recovery and identity-verification manipulation
Humans will remain involved, particularly when money must be moved or an unusual decision is required. But a single operator may supervise tens or hundreds of agents, intervening only at high-value moments.
Cyberattacks face harder constraints
Agents will also transform cyber operations, but the effect on successful intrusions should be smaller than the increase in activity.
They can continuously survey public applications, prioritize targets, research disclosed vulnerabilities, test defensive assumptions and adapt basic workflows when an application responds unexpectedly. Google’s threat-intelligence team has already described a shift toward industrial-scale AI use in adversarial workflows, including a zero-day exploit it believes was developed with AI assistance. Google Threat Intelligence Group
Yet an agent cannot manufacture a vulnerability where none exists. It still needs an exploitable weakness, stolen access or a person willing to make a mistake. It must also remain reliable across long sequences of actions while avoiding rate limits, behavioral detection and containment systems.
That is why malicious reconnaissance may grow several-fold while successful breaches rise by tens of percent rather than hundreds.
The largest impact will probably appear in the long tail: smaller businesses, neglected applications, poorly monitored cloud environments and organizations that are slow to patch. Hardened enterprises will experience much more hostile activity, but many will prevent that activity from becoming material incidents.
What will agents give criminals that they do not already have?
Most individual agent capabilities already exist in some form. Criminals can hire researchers, purchase automation, outsource social engineering and use conventional scripts. What changes is the ability to combine these functions cheaply.
Agents bring five economically important capabilities:
Persistence: They can continue working without fatigue or shift > changes.
Adaptive automation: Unlike fixed scripts, they can interpret > unfamiliar responses and choose a new action.
Personalization at scale: Every target can receive a campaign > shaped around their language, organization and behavior.
Cheap coordination: One person can supervise a fleet of workers > without building a conventional criminal organization.
Rapid replication: A successful workflow can be copied across > targets, languages and markets almost immediately.
The critical change is not that agents invent entirely new crimes. It is that they make previously labor-intensive crimes behave more like software.
Why attempts will rise faster than losses
AI agents will also be available to defenders. Financial institutions can use them to investigate alerts, correlate identities and interrupt suspicious transactions. Software teams can accelerate patching and security testing. Application owners can identify abnormal navigation patterns and require stronger verification at sensitive moments.
Agents are also imperfect. They misunderstand pages, lose context, trigger controls and make confidently incorrect decisions. Criminals will tolerate those failures because the marginal cost of another attempt is low. Defenders only need to make those failures expensive enough to destroy the economics of the campaign.
This creates an asymmetrical future:
Attack volume rises dramatically.
The average quality of an attempt may initially fall.
The best campaigns become much more convincing.
Well-defended organizations absorb much of the increase.
Weakly defended organizations suffer a disproportionate share of the > additional losses.
An application may therefore see five times as much malicious automation while experiencing only 20% more successful fraud. That is still a serious problem: infrastructure, support teams and detection systems must process the unsuccessful activity too.
Attribution will remain frustratingly difficult
An incident rarely arrives with a reliable label saying that an autonomous agent caused it. Attackers can use local models, commercial models, traditional scripts and human contractors in the same campaign.
Investigators will often observe the outcome without being able to reconstruct the production process. An unusually responsive scammer might be an agent, a human using AI suggestions or an ordinary human following a script. Automated application behavior might come from an AI browser agent or a well-designed conventional bot.
For that reason, statistics claiming that a precise percentage of cybercrime is “caused by AI” should be treated skeptically. The most defensible measure is counterfactual: would this campaign have happened at the same speed, scale or cost without the agent?
The bottom line
Between now and 2028, organizations should prepare for several times more automated fraud attempts and hostile application exploration. Successful fraud and cyber incidents will rise much more slowly, but the increase will still be material—probably tens of percent rather than an order of magnitude.
By 2030, agents may conduct most of the reconnaissance behind digital attacks and a majority of attempts in certain fraud channels. Humans will still supervise the highest-value decisions, and agents will not automatically defeat competent security controls.
The greatest danger is therefore not an all-powerful autonomous hacker. It is millions of inexpensive, patient and reasonably capable digital operators making attacks that already work cheaper to run, easier to personalize and far harder to exhaust.



