
A zero-day exploit is a cyberattack that targets a software vulnerability unknown to the software’s developer, leaving no time (zero days) for a patch or fix before it can be used maliciously. These exploits are among the most dangerous weapons in a hacker’s arsenal because they strike at blind spots that no one knows exist. On May 11, 2026, Google confirmed for the first time that criminal hackers used artificial intelligence to discover and weaponize one of these previously unknown flaws in a sysadmin tool, marking a pivotal shift in how cyberattacks are conceived and executed.
In this article, we’ll discuss Google’s groundbreaking disclosure, how the attack worked, why AI is uniquely suited to uncovering deep software vulnerabilities, and what this means for businesses, security teams, and the broader tech industry. We’ll also explore the growing role of state-sponsored hacking groups in AI-driven cyber operations and take a look at the defensive side of the equation, including Anthropic’s Mythos model and other AI tools being used to find and patch vulnerabilities before the bad actors get to them first.
TL;DR Snapshot
Google’s Threat Intelligence Group (GTIG) released a report on May 11, 2026, confirming that a criminal hacking group used an AI large language model to discover a zero-day vulnerability in a widely used open-source system administration tool and then built a working exploit to attack it at scale. Google disrupted the operation before it caused damage, but the incident represents the first confirmed case of AI being used to create a zero-day exploit in the wild.
Key takeaways include…
- AI-generated exploits are no longer theoretical: Google’s GTIG confirmed that a criminal group used an AI model to discover a previously unknown flaw and build a Python-based exploit designed to bypass two-factor authentication. The code contained telltale signs of AI generation, including hallucinated severity scores and textbook formatting.
- State-backed hackers are also weaponizing AI: Groups linked to China, North Korea, and Russia are integrating AI across the full attack chain, from vulnerability research and exploit validation to autonomous reconnaissance using agentic AI frameworks.
- The defensive side of AI is racing to keep up: Anthropic’s Mythos model discovered over 2,000 previously unknown vulnerabilities in just seven weeks of testing, demonstrating that AI can also be a powerful tool for defenders, but it raises urgent questions about who gets access to these capabilities and how they’re governed.
Who should read this: Cybersecurity professionals, IT leaders, software developers, policymakers, and anyone interested in the intersection of AI and digital security.
The First Confirmed AI-Generated Zero-Day Exploit
For years, cybersecurity experts have warned that the day would come when hackers would use artificial intelligence not just to automate phishing emails or scan for known bugs, but to actually discover entirely new vulnerabilities. That day has arrived. According to SiliconANGLE’s coverage of the GTIG (Google Threat Intelligence Group) report, Google identified a criminal group that used an AI large language model to find a zero-day flaw in a popular open-source, web-based system administration tool and then built a Python-based exploit to bypass its two-factor authentication protections.
Google hasn’t named the specific tool or the criminal group involved, but it has confirmed that the exploit was designed to be deployed in a mass exploitation campaign. The operation was disrupted before it could cause real damage after Google notified the affected software vendor and law enforcement.
What makes this case especially notable is how Google’s researchers were able to determine that AI was involved. As BleepingComputer reported, the exploit code contained several signatures characteristic of AI-generated output: a hallucinated CVSS severity score (one the model fabricated rather than looked up), highly structured and textbook-style Python formatting, unusually detailed help menus, and educational docstrings that are typical of the kind of code LLMs produce when drawing on their training data.
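The stylistic markers listed above can be scored mechanically when triaging a recovered Python sample. This is an added example, not Google's methodology or code from the report: the function name, the regexes and the constructed sample are assumptions, and the result is a weak lead for an analyst, not proof of AI authorship.

```python
import ast
import re

# Constructed sample: a harmless script written in the style the report describes.
SAMPLE = '''
"""Connectivity checker.

Severity: CVSS 9.8 (Critical)
"""
import argparse

def check(host):
    """Return True if the host string is non-empty.

    This function demonstrates basic input validation.
    """
    return bool(host)

def main():
    """Parse arguments and run the check."""
    p = argparse.ArgumentParser(description="Check a host.")
    p.add_argument("--host", help="Target hostname to check")
    p.add_argument("--verbose", action="store_true", help="Enable verbose output")
    return check(p.parse_args().host)
'''

# A bare score ("CVSS 9.8") versus evidence that would let an analyst reproduce it.
CVSS_RE = re.compile(r"CVSS(?!:)(?:\s*v?3\.[01]|\s*v?[24]\.0)?\D{0,15}?(\d{1,2}\.\d)", re.I)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
VECTOR_RE = re.compile(r"CVSS:\d\.\d/AV:[NALP]")

def style_indicators(source):
    """Score one Python source string against the markers named in the article."""
    tree = ast.parse(source)  # parses only; the sample is never executed
    nodes = list(ast.walk(tree))
    defs = [n for n in nodes
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = [n for n in defs if ast.get_docstring(n)]
    arg_calls = [n for n in nodes
                 if isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                 and n.func.attr == "add_argument"]
    with_help = [c for c in arg_calls if any(k.arg == "help" for k in c.keywords)]
    scores = CVSS_RE.findall(source)
    has_evidence = bool(CVE_RE.search(source) or VECTOR_RE.search(source))
    return {
        "docstring_coverage": len(documented) / len(defs) if defs else 0.0,
        "help_coverage": len(with_help) / len(arg_calls) if arg_calls else 0.0,
        "cvss_scores": scores,
        # A score with no CVE ID or vector string cannot be checked against a source.
        "unverifiable_cvss": bool(scores) and not has_evidence,
    }
```

Human-written tooling can show the same traits, so the output is best used to prioritise samples for manual review alongside other evidence.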
The vulnerability itself was a semantic logic flaw, one where the developer had hardcoded a trust assumption that appeared functionally correct to traditional security scanners but contained a dormant logical error. According to SiliconANGLE, frontier large language models excel at identifying these types of flaws because they can reason about a developer’s intent and surface errors that look perfectly fine on the surface.
Google did not identify which AI model was used but stated it was most likely not Google’s Gemini or Anthropic’s Claude Mythos. John Hultquist, chief analyst at Google Threat Intelligence Group, was direct about what this discovery means. As CyberScoop reported, Hultquist said this incident is likely just the beginning of a much larger trend that researchers are only now starting to uncover.
Nation-State Hackers Are Already In the Game
The criminal zero-day exploit grabbed the headlines, but Google’s report paints an even broader picture of how AI is being woven into state-sponsored cyber operations around the world.

According to SecurityWeek’s analysis of the GTIG report, North Korea’s APT45 group has been observed sending thousands of repetitive prompts to AI models to recursively analyze known vulnerabilities and validate proof-of-concept exploits. The goal is to build an arsenal of exploit capabilities that would be impractical to develop and maintain without AI assistance.
Chinese-linked actors are pushing the boundaries even further. SiliconANGLE reported that an alleged China-linked group, tracked as UNC2814, used expert-persona jailbreaking techniques to push the Gemini AI model into researching pre-authentication remote code execution flaws in TP-Link router firmware and file transfer protocol implementations. Another China-nexus actor was observed using agentic AI frameworks (Hexstrike, Strix, and the Graphiti memory system) to autonomously probe a Japanese technology firm and an East Asian cybersecurity platform, pivoting between reconnaissance tools based on internal reasoning with minimal human oversight.
Russia-linked actors, meanwhile, have been using AI-generated decoy code to obfuscate malware. Google’s report also detailed a Russian operation codenamed “Overload,” in which social engineering threat actors used AI voice cloning to impersonate real journalists in fake videos.
The report also highlighted a new Android backdoor called PROMPTSPY that calls the Gemini API at runtime to interpret on-screen user interface elements, representing a shift toward malware that can dynamically adapt its behavior based on what it “sees” on a victim’s device.
As Reuters noted via U.S. News, these findings come as governments around the world are grappling with how to regulate powerful AI models that could make it easier for hackers to identify targets and launch attacks. European financial regulators have recently warned that rapidly evolving AI models are increasing both the speed and scale of cyber risks during a period of heightened geopolitical tensions.
AI as a Defensive Weapon: The Mythos Factor
The Google report lands in the middle of a broader reckoning about what happens when AI becomes a first-class tool for both sides of the cybersecurity equation.

Just a month before Google’s announcement, Anthropic unveiled its Claude Mythos Preview, a powerful AI model that excels at defensive cybersecurity research. The results from its testing period were staggering. According to a Fox News report on its capabilities, Mythos discovered over 2,000 previously unknown software vulnerabilities across every major operating system and web browser in just seven weeks of testing, including flaws that had survived decades of human-led security review. The discoveries included a 27-year-old bug in OpenBSD and a 16-year-old bug in FFmpeg.
Anthropic deemed the model’s capabilities significant enough that it restricted public access. Instead, the company launched Project Glasswing, a consortium that gives trusted partners like Microsoft and Google controlled access to the model’s vulnerability-discovery capabilities. Anthropic committed up to $100 million in usage credits and $4 million in direct donations to open-source security organizations as part of this effort.
But the dual-use nature of this technology is impossible to ignore. As Darktrace noted in a recent analysis, publicly disclosed vulnerabilities have been growing at double-digit rates for the past two years, driven in part by AI even before Mythos existed. What matters now isn’t which specific model performs best, but the fact that vulnerability discovery is no longer a scarce or tightly bounded capability. It’s becoming a commodity, and the question is whether defenders can patch faster than attackers can exploit.
The cybersecurity community is now facing an uncomfortable truth: the same AI capabilities that make defensive security faster and more thorough are also the ones that make offensive hacking cheaper and more accessible. As ArmorCode observed, when enterprises start deploying AI agents capable of autonomous security analysis, they’re introducing a new category of powerful agent into their environment that will need its own governance, access controls, and audit trails.
What This Means Going Forward
The confirmation that criminal hackers have used AI to build a working zero-day exploit isn’t just a noteworthy incident; it’s a signal that the cybersecurity landscape has fundamentally shifted. AI models can now reason about code at a level that allows them to spot subtle logic errors that traditional scanning tools miss and that human reviewers might overlook for decades. That capability doesn’t belong exclusively to well-funded security research teams anymore.
For organizations, the immediate takeaway is that patch management and vulnerability monitoring need to accelerate dramatically. The window between a vulnerability’s discovery and its exploitation is shrinking, and AI is the reason. Security teams should assume that attackers have access to the same caliber of AI tools that defenders do, and plan accordingly.
For the AI industry, this moment underscores the tension between openness and safety. Anthropic’s decision to restrict access to Mythos is one approach to managing this tension. Google’s decision to publicly disclose what it found is another. Both are attempts to stay ahead of a curve that’s bending faster than most people expected.
For policymakers, the message from Google’s report is clear. AI-powered cyberattacks aren’t a future concern; they’re a present reality that requires regulatory frameworks capable of keeping pace with the technology.
Frequently Asked Questions
Google’s Threat Intelligence Group, or GTIG, is a security research division within Google that tracks cyber threats, investigates breaches, and publishes reports on emerging attack techniques. It incorporates research from Google’s Mandiant incident response team and data gathered through Google’s Gemini AI platform.
A zero-day exploit is a cyberattack that takes advantage of a software vulnerability that the software’s developer doesn’t yet know about. The name refers to the fact that developers have “zero days” to fix the flaw before it can be used in an attack, because they don’t know it exists until it’s already being exploited (or, in this case, discovered before deployment).
A large language model is the type of AI system that powers modern chatbots and AI assistants. LLMs are trained on massive datasets of text and code, which allows them to generate human-like writing, analyze complex code bases, and reason about patterns in software. In this case, an LLM was used by attackers to analyze source code and discover a vulnerability.
Agentic AI refers to AI systems that can operate with a degree of autonomy, making decisions, using tools, and taking actions based on their own internal reasoning rather than responding to one prompt at a time. In the context of this report, state-linked hacking groups have been observed using agentic AI frameworks to autonomously probe targets and pivot between different reconnaissance strategies without direct human oversight.
State-sponsored hacking groups are cyber operations teams that are backed by or affiliated with national governments. Google’s report identifies groups linked to China (such as UNC2814), North Korea (such as APT45), and Russia as actively experimenting with AI to enhance their cyber capabilities, from vulnerability research to malware development and social engineering.
Mythos is a specialized AI model built by Anthropic for defensive cybersecurity research. During testing, it discovered over 2,000 previously unknown software vulnerabilities across major operating systems and web browsers. Anthropic restricted public access to the model due to the power of its capabilities and instead launched Project Glasswing, a consortium that gives trusted partners controlled access.
