Hackers Used AI to Develop First Known Zero-Day 2FA Bypass
Source: The Hacker News — Ravie Lakshmanan, 2026-05-11
Summary
Google Threat Intelligence Group confirmed the first known in-the-wild use of AI-generated exploit code for zero-day vulnerability discovery and weaponization. An AI model produced a Python script exploiting a 2FA bypass in an unnamed open-source web-based system administration tool. This marks AI crossing from capability research into active offensive operations.
Vulnerability Details
- Type: Two-factor authentication (2FA) bypass
- Root cause: Semantic logic flaw from hard-coded trust assumption
- Requirement: Valid credentials needed to exploit
- AI fingerprints: Educational docstrings, hallucinated CVSS score, textbook Pythonic structure, ANSI color classes, detailed help menus — all characteristic of LLM training data
Google assessed with high confidence AI generated the exploit code.
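The article does not name the tool or describe the exact check that was bypassed, so the following is an added illustration of the flaw class it describes (a hard-coded trust assumption that lets a caller with valid credentials skip the second factor), not the real vulnerability or the AI-generated exploit. Everything here is constructed for the example: the `USERS` record, the `vulnerable_login`/`hardened_login` flow and the in-memory `SESSIONS` store are hypothetical; the TOTP seed is the RFC 6238 reference secret so the one-time codes can be checked against published test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo account (sample data for this example, not from the article).
# The TOTP seed is the RFC 6238 reference secret so the codes can be checked
# against the published test vectors.
USERS = {
    "alice": {
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",
    },
}

# Server-side session store (hypothetical): token -> {"user": ..., "mfa": bool}
SESSIONS = {}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second window."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def password_ok(user: str, password: str) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def issue_session(user: str, mfa_done: bool) -> str:
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": user, "mfa": mfa_done}
    return token


def vulnerable_login(user: str, password: str, client_state: dict, otp=None, at=None):
    """Flawed flow (hypothetical illustration of the flaw class).

    The server hard-codes the assumption that an "mfa_verified" field in the
    client-supplied state can only have been set by the server itself. Nothing
    ever validates that assumption, so a caller who already holds valid
    credentials just sends the field and never presents a second factor.
    """
    if not password_ok(user, password):
        return None
    if client_state.get("mfa_verified"):        # unverified trust assumption
        return issue_session(user, mfa_done=True)
    if otp is not None and hmac.compare_digest(totp(USERS[user]["totp_secret"], at), otp):
        return issue_session(user, mfa_done=True)
    return None


def hardened_login(user: str, password: str):
    """Step 1: password only. Returns a half-authenticated session token."""
    if not password_ok(user, password):
        return None
    return issue_session(user, mfa_done=False)


def hardened_verify_otp(token: str, otp: str, at=None) -> bool:
    """Step 2: the MFA flag lives only in server-side state and is flipped
    only here, after the OTP has actually been checked."""
    sess = SESSIONS.get(token)
    if sess is None or sess["mfa"]:
        return False
    expected = totp(USERS[sess["user"]]["totp_secret"], at)
    if hmac.compare_digest(expected, otp):
        sess["mfa"] = True
        return True
    return False


def is_fully_authenticated(token: str) -> bool:
    sess = SESSIONS.get(token)
    return bool(sess and sess["mfa"])
```

The point of the hardened version is that the only state that says "second factor done" is written by the server, in the same function that verified the code; nothing the client sends is ever consulted for it. When reviewing a real 2FA flow, look for any branch that reaches the "authenticated" state without passing through the OTP check in the same request or session record.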
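The stylistic markers listed above are the kind of thing a triage pipeline can check mechanically. The scanner below is an added example, not Google's method or anything from the article: it parses a Python script with the standard `ast` module and flags the four markers the article names (near-universal docstrings, a CVSS score in the text, a class holding only ANSI colour constants, and argparse-style `help=` strings). The thresholds and the two sample scripts are constructed for this example; a match is a triage signal, not proof of provenance, since a person can write in exactly this style.

```python
import ast
import re

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
CVSS_RE = re.compile(r"\bCVSS\b[^\n]{0,40}?\b\d{1,2}(?:\.\d)?\b", re.IGNORECASE)


def llm_style_indicators(source: str) -> dict:
    """Heuristic scan for the stylistic markers listed in the article.

    Returns indicator -> bool. Thresholds are assumptions chosen for this
    example; tune them against your own sample of known-human scripts.
    """
    tree = ast.parse(source)
    defs = [n for n in ast.walk(tree)
            if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))]
    documented = [n for n in defs if ast.get_docstring(n)]

    # A class whose every string constant is an ANSI escape sequence
    # (the "Colors" class pattern).
    ansi_classes = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.ClassDef):
            continue
        strings = [s.value.value for s in node.body
                   if isinstance(s, ast.Assign)
                   and isinstance(s.value, ast.Constant)
                   and isinstance(s.value.value, str)]
        if strings and all(ANSI_RE.search(v) for v in strings):
            ansi_classes.append(node.name)

    # Call sites that pass help=... (argparse add_argument and friends).
    help_kwargs = sum(1 for n in ast.walk(tree) if isinstance(n, ast.Call)
                      and any(k.arg == "help" for k in n.keywords))

    return {
        "educational_docstrings": bool(defs) and len(documented) / len(defs) >= 0.8,
        "cvss_score_in_text": bool(CVSS_RE.search(source)),
        "ansi_color_class": bool(ansi_classes),
        "detailed_help_menu": help_kwargs >= 2,
    }


def triage_score(source: str) -> int:
    """Number of markers present (0-4); higher means 'look closer'."""
    return sum(llm_style_indicators(source).values())


# Constructed sample that exhibits every marker. The tool name and score are
# made up for the example; the script body deliberately does nothing.
SAMPLE_SUSPECT = r'''
"""
Checker for the hypothetical ExampleAdmin login flow.
Severity: CVSS 3.1 base score 9.8 (Critical)
"""
import argparse


class Colors:
    """ANSI colour codes for pretty terminal output."""
    RED = "\033[91m"
    GREEN = "\033[92m"
    RESET = "\033[0m"


def build_parser():
    """Build the command-line parser for the tool."""
    p = argparse.ArgumentParser(description="Check a target host")
    p.add_argument("--target", required=True, help="Base URL of the target")
    p.add_argument("--user", required=True, help="Username with valid credentials")
    p.add_argument("--password", required=True, help="Password for the user")
    return p


def run(target, user, password):
    """Placeholder: the constructed sample performs no request."""
    return None
'''

# Constructed plain sample: no docstrings, no colour class, no argparse.
SAMPLE_PLAIN = r'''
import sys
def go(h):
    return h + 1
print(go(int(sys.argv[1])))
'''
```

Run `llm_style_indicators(open(path).read())` over each script pulled from a honeypot or submission queue; anything scoring 3 or 4 is worth a human look, and the per-indicator dictionary tells the analyst which markers fired.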
Threat Actor Activity Documented
| Actor | Affiliation | AI Usage |
|---|---|---|
| UNC2814 | China-nexus | Gemini for jailbreaking, embedded device research |
| APT45 | North Korea | Thousands of repetitive CVE analysis prompts |
| APT27 | China | Gemini for fleet management app development |
| Russia-nexus | Russia | CANFAIL + LONGSTREAM malware via LLM-generated decoy code |
| TeamPCP/UNC6780 | Unknown | Targeted AI development environments |
| UNC5673 | China-linked | Commercial tools + GitHub projects for LLM abuse |
| UNC6201 | China-affiliated | Automated premium LLM account registration to bypass usage limits |
PromptSpy Android Malware
- Abuses Google Gemini to analyze screen content
- Captures biometric data for authentication bypass
- AppProtectionDetector module blocks uninstall
- Dynamic C2 infrastructure updates for resilience
Shadow API Abuse (CISPA Research)
- 17 shadow APIs provide unauthorized access to Claude and Gemini
- Proxy services capture all prompts/responses for fine-tuning and knowledge distillation
- Gemini-2.5-flash accuracy dropped from 83.82% (official API) to ~37% on medical benchmarks via shadow APIs
Key Quote
“AI is already accelerating vulnerability discovery, reducing the effort needed to identify, validate, and weaponize flaws… discovery, weaponization, and exploitation are faster.” — watchTowr Head of Threat Intelligence
Significance
First confirmed case of AI used offensively for zero-day discovery in the wild. Confirms threat intelligence warnings about AI compressing the exploit development lifecycle.