Study Finds AI Hasn't Made Cybercriminals Into Superhackers — Mostly Just Better Bloggers

A Cambridge University study published on 5 May 2026 finds that large language models are doing something unexpected for the cybercrime industry: almost nothing revolutionary. Researchers from the university's Department of Computer Science surveyed and interviewed 70 threat actors over six months and found that AI tools are primarily helping hackers write blog spam and refine phishing emails — not conjuring novel exploits or automating sophisticated intrusion campaigns at scale.
The finding cuts against a dominant narrative in the cybersecurity industry. For two years, vendors and conference stages have rung with warnings that AI would lower the barrier to entry for advanced attacks, flooding the market with actors capable of the kind of targeted intrusions once reserved for nation-state groups. The Cambridge data suggests that framing was, at minimum, premature.
What Hackers Are Actually Using AI For
The study, led by researchers at the Cambridge Cybercrime Centre, found that AI assistance among active threat actors was widespread but narrow in application. Respondents reported using large language models most frequently for drafting convincing phishing content, generating fake blog posts to host malicious links, and drafting social engineering scripts. One researcher noted that this represents a "compression of the low-skill, high-volume part of the workflow" — precisely the tasks that were already commoditised before AI arrived.
The study found that roughly 70 percent of respondents had incorporated AI tools into their operational routine, but that usage clustered around content generation and copyediting. The researchers described this as the "spammy end of the spectrum" — attacks that work by volume rather than sophistication.
What It Can't Do Yet
The more significant finding is what AI is not doing. Despite marketing claims from AI companies and alarmed warnings from security vendors, large language models have not, according to this study, enabled threat actors to develop novel attack methodologies. The researchers found no evidence that AI was helping actors move up the sophistication ladder — from opportunistic credential stuffing toward targeted zero-day development.
This matters because the cybersecurity industry's threat model has been built partly on the assumption that AI would democratise advanced capabilities. If that assumption is wrong, the defensive architecture built around it may be addressing the wrong problem.
The study's authors are careful not to claim that AI cannot eventually assist in more sophisticated attacks. But they note that current large language models have "a ceiling of capability" when it comes to tasks requiring deep contextual knowledge of specific software vulnerabilities, network architectures, or target environments. Writing a better phishing email is a language problem. Writing a reliable zero-day exploit is an engineering problem. Those remain, for now, different categories.
The Gap Between Vendor Hype and Underground Reality
The study raises uncomfortable questions about incentive structures in the cybersecurity industry. Threat intelligence vendors have strong commercial reasons to portray the threat landscape as escalating — more alarming threats justify bigger security budgets and more sophisticated product suites. The result is a persistent gap between the threat picture presented to enterprise buyers and the operational reality inside criminal forums and chat groups.
The researchers found that while AI was being discussed in underground communities, actual adoption remained concentrated in mundane tasks. The criminal market for sophisticated intrusion tools — the custom malware, the access brokers, the zero-day researchers — showed no AI-driven disruption in the study period. Prices for high-quality access remained stable. Sophisticated operations continued to rely on human expertise.
This does not mean the threat is imaginary. It means the threat has been mischaracterised in ways that serve particular commercial and policy interests. A more accurate picture — AI helping spammers be more productive, but not turning hobbyists into APT operators — is both less alarming and harder to monetise.
What This Means for Defenders
The implications for enterprise security are modest but clarifying. If AI is primarily augmenting the low end of the threat spectrum, then the defensive priority should be the basics: phishing-resistant authentication, credential hygiene, user training. These are the measures that address the kind of volume-based attacks AI appears to be amplifying.
The study does not rule out future capability improvements that could shift this picture. Future models with better code generation, longer context windows, and more integrated tooling could narrow the gap between current capability and the sophisticated automation that has been predicted. Security teams operating on a two-to-three-year planning horizon may still need to account for that possibility.
But for the immediate term, the Cambridge findings suggest the most alarming predictions about AI-powered cybercrime deserve more scepticism than they typically receive. The hackers are not, it seems, transforming into superhackers. They are writing better blog spam.
This publication covered the DECRYPT report on the Cambridge study rather than the study itself, which had not been formally indexed at time of writing. The underlying research was cited by DECRYPT with links to the Cambridge Cybercrime Centre.