“We watched criminal groups breach government agencies at scale, using AI as the primary operator rather than a background assistant,” the Check Point report says.
How Check Point traced AI through every stage of an intrusion
Researchers at cybersecurity firm Check Point analyzed a range of recent cyberattacks and concluded that artificial intelligence is no longer confined to isolated tasks inside operations. According to the report, AI systems have been used to identify targets, test vulnerabilities, generate commands and assist with lateral movement and data theft — in some cases carrying out thousands of commands with reduced human direction. The company cautioned that this does not yet amount to fully autonomous hacking, but represents a clear shift from AI as occasional aid to an “extra set of hands” across the intrusion lifecycle.
Gentlemen ransomware: choosing models by guardrails and speed
The report names the Gentlemen ransomware group as an example of how criminal operators are integrating mainstream commercial models. Members compared mainstream commercial models “based largely on which imposed the fewest restrictions” and used AI to build internal tooling, including a management platform completed in three days. Check Point’s threat intelligence lead Sergey Shykevich told reporters that attackers initially try higher-quality U.S. models like ChatGPT or Claude but will pivot when guardrails block their efforts.
VoidLink and a single developer’s 88,000 lines of code
Check Point highlighted VoidLink, a sophisticated remote-control toolkit for infected machines, which researchers had first believed required months of team development. The firm later found that a single developer produced roughly 88,000 lines of working code in under a week using a commercial AI coding tool — a finding the report uses to illustrate how AI can dramatically compress development timelines for offensive tooling.
Model selection: ChatGPT, Claude, DeepSeek, Qwen and Trae
Shykevich described attackers’ model-choice calculus: U.S. models such as ChatGPT and Claude are preferred for response quality but are harder to exploit because of stronger guardrails. “They are trying to jailbreak those [Western] models, but when they are not successful, they just go to DeepSeek, Qwen and Trae,” he said. The report notes Qwen as a suite of AI and large language models developed by Alibaba and Trae as an AI-backed code editor and programming platform built by ByteDance. Check Point observed that ransomware groups have increasingly relied on Chinese models to generate code for exploits as those models have grown more capable for coding tasks.
CISA remediation timelines and the administration’s benchmarking order
The report appears amid U.S. federal moves to adapt to AI-driven speed. The Cybersecurity and Infrastructure Security Agency recently revamped remediation guidance to range from three days for the highest-risk flaws to 60 days for lower-priority issues — a change CISA said was “part of [its] response to the current threat landscape where AI software services can assist threat actors to find and exploit vulnerabilities.” Separately, the Trump administration has directed the National Security Agency, CISA and other federal officials to develop a classified process by Aug. 1 to benchmark frontier AI models’ advanced cyber capabilities and determine which systems need additional scrutiny.
What security teams, CISA, and ransomware victims face
- Security teams: Check Point warns that “a vulnerability now becomes a working exploit within hours of disclosure,” and that phishing and intrusion campaigns can run “at a quality and volume no human team could match.” That speed forces defenders to consider faster patching and automated detection measures.
- CISA and federal agencies: The agency’s updated remediation timeline and the administration’s benchmarking directive place emphasis on classifying model capabilities and accelerating patch management to contend with AI-enabled exploitation.
- Ransomware victims and operators: The report documents how criminal groups are using commercial models and lower-guardrail alternatives to increase operational tempo and to produce tools and management platforms in days rather than months.
Check Point’s central thesis is one of pace rather than novelty: “The most significant shift this report documents is not a new technique. It is pace,” the firm writes. The evidence the company offers — rapid tool development, model-switching to evade guardrails, and AI handling thousands of operational commands between human check-ins — frames a practical dilemma for defenders and policy makers alike: vulnerabilities that once took days or weeks to weaponize can now become working exploits in hours, and the actors doing the weaponizing are using a mix of mainstream commercial models and alternative platforms.
The record in the report leaves one clear question for the coming weeks and months: can defensive processes — from automated patching to federally mandated benchmarking — keep up with the tempo AI has brought to offensive operations?




