Insights

How to lose $285M in 10 Minutes: meet vibe hacking.

You know what is really dead? Cybersecurity. With open-source AI globally accessible, the barrier to entry for attackers has dropped to zero. Legacy digital infrastructure is entirely exposed to AI-driven vulnerability mapping. We are all doomed.

TL; DR

  • The attack surface has widened because the required skill level has plummeted. Attackers use AI to automate up to 90% of their intrusion workflows.
  • Machine learning compresses the attack lifecycle. Average breakout times have fallen to 29 minutes, and data exfiltration happens in just 72 minutes.
  • You cannot regulate the threat. Malicious AI lives on local hardware, bypassing public surveillance and API rate limits.
  • AI scans legacy code to find exploits faster than human developers patch them. 56% of newly disclosed vulnerabilities require zero authentication to exploit.
  • Human security teams are obsolete. Deploying Autonomous Cyber Defense (ACD) and runtime anomaly detection is mandatory.
  • The Investor Takeaway: Investing in a company running on Pre-AI digital architecture means holding a time bomb. Price manual security operations as toxic assets.

The Democratization of Destruction

Executing a profitable cyberattack historically required technical expertise and heavy human capital. The FIN7 cybercrime syndicate that stole over $1 billion from the global financial sector between 2015 and 2020 built a corporation. They operated a front company with an HR department, salaried reverse-engineers, penetration testers, and initial access brokers coordinating via JIRA tickets. 70 humans were working in shifts to execute network breaches.

AI eradicated that overhead. The industrialization of fraud is complete. CrowdStrike data shows AI-enabled adversaries increased operations by 89% year-over-year in 2025.

If only AI required five years of study to master, the attack vector surface area would remain small. But anybody can do it now. We have vibe coders who have no idea how the underlying code works, and yet they’re deploying autonomous agents to execute exploits.

With automation handed to the general public, bad actors ask an agent to find the vulnerability and write the exploit.

Anthropic investigators recently confirmed a threat actor used Claude Code to inspect target systems, identify databases, harvest credentials, create backdoors, and exfiltrate data. AI handled 90% of the campaign workflow. This is a direct escalation from human-in-the-loop vibe hacking. Now humans are stepping back, and machines are running the intrusions. 

Image

The top of the funnel is equally automated. Microsoft reports AI-automated phishing emails achieve 54% click-through rates, compared to 12% for standard attempts. AI is better in generating compelling letters — and it’s but one thing it’s good at.

Image
Attackers are weaponizing AI across every single stage of the intrusion lifecycle.

The Open Source Weapon

Regulators police Anthropic and OpenAI to control AI. This approach fails, because there are open models.

Today, open models match the latest Opus models and operate at a tenth of the cost. You run them locally. Defending against a globally distributed threat operating in a black box is a structural nightmare.

You cannot regulate mathematical weights downloaded to a local hard drive. The threat vector exists outside of public APIs.

When an attacker runs an open-source LLM locally, corporate oversight disappears. Surveillance arms cannot monitor the prompt history, as the attacker iterates exploit code without tripping external alarms. IBM X-Force tracked nearly 40,000 vulnerabilities in 2025, and over half required zero authentication for an attacker to successfully exploit. Without using credentials, attackers are bypassing MFA entirely.

Even when they do need credentials, they use AI to trick the humans. Microsoft’s 2025 data shows a massive surge in “ClickFix” attacks — 47% of initial access alerts — where AI-generated prompts trick users into copying and pasting malicious code directly into their own terminals. The humans, once again the weakest link, are bypassing the firewalls for the intruders.

The Pre-AI Machine-Speed Compromise

Our digital infrastructure was built for attackers typing on keyboards. That paradigm has ended.

This exposes the divide between the Pre-AI and Post-AI world. Crypto serves as the ultimate benchmark because smart contracts are public and value is concentrated in deterministic execution paths. The volume of crypto exploits happening now is insane. AI continuously scans legacy code and identifies vulnerabilities that humans missed. It forces a question: How many holes exist in our Pre-AI world that we missed?

April 1st provided an answer when Drift Protocol was hacked for $285 million.

Image
Post-AI attack surface: 30 exploits in 30 days. $630 million drained in one month.

The Drift Protocol exploit involved a governance-layer failure fueled by AI-scaled social engineering and code surveillance. The attackers bypassed smart contract audits and targeted the human layer, using automation to infiltrate the protocol’s multisig approval process.

The enterprise software world faces the exact same timeline collapse. Palo Alto’s Unit 42 2026 Incident Response Report shows attackers need 72 minutes to move from initial access to data exfiltration — four times faster than last year. CrowdStrike tracks average eCrime breakout times falling to just 29 minutes.

During Anthropic’s investigation, they logged the AI making thousands of requests, often multiple per second. Human hackers cannot match that speed. Attackers use frontier models to perform real-time binary diffing the moment a software update is announced. They hit unpatched systems within minutes.

The CAIO Defense Playbook

A human-in-the-loop Security Operations Center cannot defend against machine-speed attacks. Relying on humans to triage alerts guarantees a breach. Point-in-time auditing provides baseline security, but opposing machine-speed offense requires autonomous runtime defense.

Chief AI Officers must wire machine learning directly into runtime controls. Look at Microsoft’s telemetry: earlier this year, they intercepted a ransomware attack against a global shipping company. The time from observation to total disruption was 14 minutes. The encryption itself was killed in 68 seconds — that’s the speed of autonomous agents, not human analysts.

Image
A modern defense architecture.

Stay Safe in Post-AI Reality

Analyze the security posture of your portfolio companies.

Image

Investing in a company running on Pre-AI digital architecture, defended by human analysts working 9-to-5 shifts means holding a time bomb. Valuations rely on projected cash flows. A machine-speed breach zeros out those cash flows overnight.

Image
The fastest attacks are getting faster. The window between access and impact is gone.

Security requires deploying AI defense before AI attackers find the holes; treat it as a fundamental viability metric. If a founder pitches a $500 million valuation but relies on human analysts reading SOC alerts to protect their network, you are pricing a distressed asset. Discount the shares, demand proof of Autonomous Cyber Defense, or walk away entirely. Let someone else hold the bag when the exploit hits.

 

Nick Cote, Chief AI Strategy Officer & Co-founder SecondLane

Read more