A comprehensive analysis published by Trend Micro on January 28, 2026, has laid bare an uncomfortable reality: artificial intelligence is no longer just a defensive tool in cybersecurity — it has become the primary force multiplier for criminal operations. The report, titled “An Update on the State of Criminal AI,” chronicles how threat actors have moved from experimenting with AI-generated code to deploying fully autonomous malware that builds itself in real time, fundamentally altering the threat landscape for cryptocurrency users and the broader digital ecosystem.
The Threat Landscape
The Trend Micro report identifies a clear escalation pattern in AI-assisted cybercrime throughout 2025. What began as malware authors using AI chatbots to accelerate development has evolved into self-modifying malicious software that queries AI models on the fly. The implications are severe: each infection can generate functionally unique code, rendering traditional signature-based detection nearly useless.
Four distinct AI-powered malware families emerged as particularly concerning. MalTerminal, first discovered by SentinelLabs in September 2025, used OpenAI’s ChatGPT to generate either ransomware code or a reverse shell on demand, spreading as a compiled Python executable. In July 2025, CERT-Ukraine reported LameHug — attributed with moderate confidence to APT28, a threat group linked to Russian military intelligence — which used an AI model hosted on Hugging Face to generate code for searching and exfiltrating data from infected systems.
Core Principles
The most alarming development came in August 2025, when ESET researchers uncovered a ransomware sample written in Go that downloaded an entire AI model from Hugging Face — 11 gigabytes — before prompting it to generate ransomware source code in Lua. This code was then compiled and executed, meaning every single infection produced a unique ransomware variant that shared no fixed bytes with any earlier sample. ESET dubbed the family PROMPTLOCK.
The core principle behind these threats is polymorphism at scale. Traditional malware relies on fixed code that can be fingerprinted. AI-generated malware produces novel code with every execution, creating an effectively unlimited number of variants. This shifts the burden from detection to behavior analysis and sandboxing — a far more resource-intensive defensive approach.
Tooling and Setup
For cryptocurrency users and organizations, defending against AI-powered threats requires a multi-layered approach. Endpoint detection and response systems must incorporate behavioral analysis rather than relying solely on signature matching. Network monitoring should flag unusual outbound connections to AI inference endpoints. Email filtering needs AI-powered analysis to catch phishing attempts generated by the same large language models being used for malware.
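The shift from signature matching to behavioral correlation described in the two passages above, as an added example that is not code from the Trend Micro report or this article: two constructed, functionally equivalent "generated" payloads hash differently (so a signature for one misses the other), while a small correlator over constructed endpoint telemetry flags the chain the report describes: a process contacts an AI inference host, then writes a script, then spawns an interpreter on it. The hostnames, interpreter names and event format are assumptions.

```python
import hashlib
from collections import defaultdict

# Assumed inference API hosts to alert on; illustrative, not a vetted block list.
AI_INFERENCE_HOSTS = {"api.openai.com", "huggingface.co"}
SCRIPT_INTERPRETERS = {"python", "python3", "lua", "wscript.exe", "cscript.exe"}
SCRIPT_SUFFIXES = (".py", ".lua", ".vbs")

# Constructed, functionally equivalent payloads differing by one identifier.
PAYLOAD_A = b"import sys\nv = sys.argv\nprint(v)\n"
PAYLOAD_B = b"import sys\nw = sys.argv\nprint(w)\n"
KNOWN_BAD_HASHES = {hashlib.sha256(PAYLOAD_A).hexdigest()}

# Constructed endpoint telemetry: (pid, event, detail), in time order.
EVENTS = [
    (101, "net_connect", "api.openai.com:443"),
    (101, "file_write", "/tmp/gen_7f3a.py"),
    (101, "proc_spawn", "python3 /tmp/gen_7f3a.py"),
    (303, "file_write", "/tmp/tool.lua"),        # script written BEFORE the AI call
    (303, "net_connect", "huggingface.co:443"),
    (303, "proc_spawn", "lua /tmp/tool.lua"),    # not the chain: code predates the call
    (404, "net_connect", "huggingface.co:443"),
    (404, "file_write", "/tmp/payload_1c9e.lua"),
    (404, "proc_spawn", "lua /tmp/payload_1c9e.lua"),
]

def signature_match(sample: bytes) -> bool:
    """Classic hash-based detection: exact bytes or nothing."""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_HASHES

def behavioral_alerts(events):
    """Flag a pid that contacts an AI inference host, THEN writes a script,
    THEN runs an interpreter on that script. Order matters (see pid 303)."""
    state = defaultdict(lambda: {"host": None, "scripts": set()})
    alerts = []
    for pid, kind, detail in events:
        s = state[pid]
        if kind == "net_connect":
            host = detail.rsplit(":", 1)[0]
            if host in AI_INFERENCE_HOSTS:
                s["host"] = host
        elif kind == "file_write" and s["host"] and detail.endswith(SCRIPT_SUFFIXES):
            s["scripts"].add(detail)
        elif kind == "proc_spawn":
            exe, _, arg = detail.partition(" ")
            if exe.lower() in SCRIPT_INTERPRETERS and arg in s["scripts"]:
                alerts.append((pid, s["host"], arg))
    return alerts
```

In a real deployment the host list would be maintained centrally and the rule tuned against legitimate developer tooling that also calls these APIs.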
Cold storage practices become even more critical in this environment. Hardware wallets that sign transactions offline remain immune to remote compromise. Multi-signature setups add another layer of protection, requiring multiple independent approvals before funds can move. For institutions, air-gapped signing ceremonies and hardware security modules provide enterprise-grade protection against increasingly autonomous threats.
Ongoing Vigilance
Google’s November 2025 report added two more AI-powered malware families to the catalog: PROMPTFLUX, a VBScript-based threat that requests obfuscation and evasion techniques from AI models in real time, and another variant still in early development stages. The rapid proliferation of these tools suggests the barrier to entry for sophisticated cybercrime is dropping precipitously.
The Trend Micro analysis makes clear that the cybersecurity industry is in an arms race against AI-enabled adversaries who can iterate faster than ever before. With Bitcoin trading around $89,000 and total crypto market capitalization exceeding $3 trillion, the financial incentives for attackers have never been greater.
Final Takeaway
AI-powered malware represents a paradigm shift in cybersecurity. The old model of detect-and-block is giving way to a new reality where adversaries generate novel attack code on demand. For crypto holders, this means security practices must evolve beyond simple precautions. Hardware wallets, multi-factor authentication, behavioral monitoring, and zero-trust architectures are no longer optional — they are the minimum standard for protecting digital assets in an era where malware writes itself.
Disclaimer: This article is for informational purposes only and does not constitute professional cybersecurity or financial advice. Consult with qualified security professionals for specific threat mitigation strategies.
MalTerminal using ChatGPT to build itself in real time is straight out of a sci-fi movie. signature-based av is completely cooked
been saying this for months. if every infection generates unique code you can't patch your way out of it. behavioral detection is the only play left
so ai agents can post on social networks and malware can rewrite itself autonomously but my bank still needs 2 business days for a wire transfer. cool cool cool
the Trend Micro report covering 4 distinct malware families by late 2025 means there's probably a dozen more we don't know about yet. the detection gap is real