A major academic study analysing more than 100 million posts from underground cybercrime forums has found that artificial intelligence is yet to deliver the breakthrough many feared for cybercriminal activity. The research was conducted by a team from the University of Edinburgh, the University of Cambridge and the University of Strathclyde, drawing on the CrimeBB database covering online criminal communities since OpenAI's release of ChatGPT in late 2022.
The study found that while hackers are experimenting with AI tools, adoption remains limited, and what adoption does exist largely benefits already skilled actors rather than lowering barriers to entry for cybercrime. AI was most effective at concealing malicious patterns from cybersecurity systems and in operating automated social media bot networks linked to fraud and online harassment. For more advanced attacks, however, most criminal groups lacked the technical expertise and resources needed to use AI effectively.
Dr Ben Collier of the University of Edinburgh's School of Social and Political Science summarised the findings: 'Cybercriminals are experimenting with these tools, but as far as we can tell it's not delivering them real benefits in their own work.' His message to industry pushes back on the prevailing panic: 'Our message to industry is — don't panic yet.'
A critical caveat the researchers underline is that the greater immediate danger may sit on the defence side rather than the attack side. AI systems deployed by companies with poor security controls could create new vulnerabilities that relatively unsophisticated attackers can exploit with minimal effort. From a supply-chain perspective this is especially relevant: AI agents, automation platforms and computer-vision analytics being rolled out across global logistics, procurement and warehousing form the weakest link if deployed without proper hardening — and the blast radius of such an exploit easily spreads beyond a single company to its partners and customers.
Key Takeaways:
1. A joint Edinburgh-Cambridge-Strathclyde study analysed more than 100 million posts from the CrimeBB database.
2. Hackers are experimenting with AI, but adoption remains limited and largely benefits already skilled actors rather than lowering the barrier to entry.
3. AI is most useful for running social media bot networks and concealing malicious patterns from antivirus systems.
4. Dr Ben Collier: 'Our message to industry is — don't panic yet.'
5. The bigger risk lies in insecurely deployed corporate AI systems, which low-skill attackers can exploit with minimal effort.