Blog

  • CVE-2026-42897: How an Unpatched Exchange XSS Becomes a Full Network Compromise

    CVE-2026-42897 is an active CVSS 8.1 XSS flaw in Exchange Server with no patch. Here is your action plan.

    On May 14, 2026, Microsoft disclosed CVE-2026-42897, a cross-site scripting (XSS) vulnerability in Exchange Server 2016, 2019, and the Subscription Edition. This is not a theoretical risk. The flaw scores 8.1 on the CVSS scale and enables unauthenticated network exploitation, and Microsoft has not released a patch. The only available mitigation is the Exchange Emergency Mitigation (EM) Service workaround.

    If your organization runs on-premises Exchange, this is not a disclosure to bookmark for later. It is an active exposure to remediate today.

    What Is CVE-2026-42897?

    CVE-2026-42897 is classified as an improper neutralization of input during web page generation, a reflected or stored XSS flaw in the Exchange web interface. The attack vector is network-accessible and requires no authentication from the attacker.

    In practical terms: an attacker with network-level access to your Exchange Server can craft a malicious HTTP request, inject script into web pages served by Exchange, and use that access to steal session tokens, impersonate users, or escalate to administrative privileges.

    Key technical facts:

    • CVSS score: 8.1 (High)
    • Affected versions: Exchange Server 2016, 2019, Subscription Edition (all on-premises)
    • Attack vector: Network, unauthenticated
    • Flaw class: CWE-79, Improper Neutralization of Input During Web Page Generation (XSS)
    • Patch status: None available as of May 14, 2026
    • Available workaround: Exchange Emergency Mitigation (EM) Service

    Why On-Premises Exchange Remains the Highest-Value Target in Enterprise Networks

    Exchange Server holds email communications, calendar data, contact directories, and deep integration with Active Directory. A compromise of Exchange is, in most organizations, a compromise of the communication backbone and a gateway to lateral movement across the entire network.

    History confirms the pattern. ProxyLogon (2021) and ProxyShell (2021) were exploited within hours of disclosure and resulted in widespread ransomware deployment and persistent access.

    What Happens When Teams Do Not Act Immediately

    • Unpatched Exchange servers are indexed by Shodan and Censys within hours of a CVE disclosure
    • Session token theft via XSS enables attacker access under legitimate user credentials, bypassing perimeter controls
    • Once inside email, attackers conduct BEC campaigns, access credential-sharing threads, and harvest lateral movement intelligence
    • Dwell time on undetected Exchange compromises averaged 197 days in 2025

    How Does CVE-2026-42897 Escalate to a Full Network Compromise?

    Stage 1: Reconnaissance. The attacker scans for on-premises Exchange servers.

    Stage 2: XSS injection. A crafted HTTP request exploits the improper input neutralization. The injected script executes in the victim’s browser context.

    Stage 3: Session token theft. The script exfiltrates the victim’s authentication session token. For administrator accounts, this is immediately catastrophic.

    Stage 4: Authenticated access. Using the stolen token, the attacker impersonates the victim: reads emails, creates inbox rules for persistence, exports contact lists, probes credential threads.

    Stage 5: Lateral movement. With credentials and organizational intelligence from email, the attacker traverses the network using Exchange’s Active Directory integration as a map.

    Stage 6: Ransomware or data exfiltration. With domain-level access established, the attacker deploys ransomware, exfiltrates data for extortion, or establishes long-term persistence.
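
    Stage 4 names inbox rules as the persistence step, which makes rule creation a useful detection point. The following is an added example, not code from Microsoft or Peris.ai: it triages inbox-rule audit events over constructed records. The record field names, the domain list, the folder list and the keyword list are assumptions; the keys inside `params` are parameter names of the Exchange `New-InboxRule` and `Set-InboxRule` cmdlets.

```python
# Added example: triage of inbox-rule audit events. All records are constructed.
# Record fields (cmdlet, mailbox, params) are hypothetical names for an audit export.

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organization's accepted domains
# Assumption: folders users rarely open, so mail moved there goes unnoticed.
HIDING_FOLDERS = {"rss feeds", "conversation history", "junk email", "deleted items"}
SENSITIVE_WORDS = {"invoice", "payment", "wire", "password", "mfa"}  # assumption
FORWARD_PARAMS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")
RULE_CMDLETS = ("New-InboxRule", "Set-InboxRule")


def as_list(value):
    """Audit exports carry single values or lists; normalize to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def rule_findings(params):
    """Return the reasons a rule looks like attacker persistence, in fixed order."""
    reasons = []

    # 1. Mail is copied or redirected to an address outside the organization.
    targets = [a for p in FORWARD_PARAMS for a in as_list(params.get(p))]
    if any(a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for a in targets):
        reasons.append("external_forward")

    # 2. Matching mail is deleted or moved where the owner will not see it.
    folder = str(params.get("MoveToFolder", "")).replace("\\", "/")
    folder = folder.rsplit("/", 1)[-1].lower()
    if params.get("DeleteMessage") is True or folder in HIDING_FOLDERS:
        reasons.append("hides_mail")

    # 3. The rule filters on finance or credential vocabulary.
    words = {w.lower() for p in KEYWORD_PARAMS for w in as_list(params.get(p))}
    if words & SENSITIVE_WORDS:
        reasons.append("targets_sensitive_keywords")

    return reasons


def triage(events):
    """Keep only rule-changing events that raise at least one finding."""
    flagged = []
    for event in events:
        if event["cmdlet"] not in RULE_CMDLETS:
            continue
        reasons = rule_findings(event["params"])
        if reasons:
            flagged.append((event["mailbox"], event["params"].get("Name", ""), reasons))
    return flagged


# Constructed sample events.
AUDIT_EVENTS = [
    {"cmdlet": "New-InboxRule", "mailbox": "cfo@corp.example",
     "params": {"Name": ".", "SubjectOrBodyContainsWords": ["invoice", "wire"],
                "ForwardTo": ["drop@mail.example"], "DeleteMessage": True}},
    {"cmdlet": "New-InboxRule", "mailbox": "dev@corp.example",
     "params": {"Name": "Build mail", "SubjectContainsWords": ["[ci]"],
                "MoveToFolder": "mailbox:\\Builds"}},
    {"cmdlet": "Set-InboxRule", "mailbox": "hr@corp.example",
     "params": {"Name": "tidy", "MoveToFolder": "mailbox:\\RSS Feeds",
                "MarkAsRead": True}},
    {"cmdlet": "Set-Mailbox", "mailbox": "it@corp.example",
     "params": {"ForwardingSmtpAddress": "it-archive@corp.example"}},
]

if __name__ == "__main__":
    for mailbox, name, reasons in triage(AUDIT_EVENTS):
        print(f"{mailbox}: rule {name!r} -> {', '.join(reasons)}")
```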

    Context: May 2026 Enterprise Infrastructure Zero-Day Wave

    CVE-2026-42897 did not arrive alone. In the same disclosure window, Microsoft disclosed CVE-2026-45585, a BitLocker bypass (CVSS 6.8). The same week brought confirmed active exploitation of CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controllers. PraisonAI’s CVE-2026-44338 (CVSS 7.3) was exploited within four hours of its disclosure, illustrating how compressed the window between disclosure and attack has become.

    Old Way vs. New Way: Exchange Security Posture

    | Approach | Old Way | New Way |
    |---|---|---|
    | Patch management | Wait for Patch Tuesday | Emergency response to zero-day disclosures |
    | XSS mitigation | Rely on WAF rules | Enable Exchange EM Service immediately |
    | CVE awareness | Read security blogs | Real-time intelligence feeds |
    | Detection | Periodic SIEM review | Continuous behavioral monitoring |
    | Incident response | Manual ticket creation | Automated playbook on Exchange anomaly |
    | Attack surface | Periodic external scan | Continuous ASM with CVE correlation |

    How Peris.ai Closes the CVE-2026-42897 Gap

    BimaRed continuously scans your external attack surface, including all exposed Exchange endpoints. When a CVE such as CVE-2026-42897 is disclosed, BimaRed correlates your Exchange version inventory against the CVE profile and flags affected assets within hours, giving your team a prioritized remediation list before an attacker finds you.

    INDRA CTI delivers real-time zero-day intelligence feeds. When a new Exchange CVE drops, INDRA CTI alerts your SOC with indicators of compromise, known attack patterns, and the threat actor profiles most likely to exploit the flaw.

    Peris.ai IRP provides a structured incident response workflow. If compromise is detected, IRP creates a unified case aggregating all related alerts, assigns investigation tasks, and tracks remediation through resolution, mapped to MITRE ATT&CK.

    XDR monitors for post-exploitation behaviors: abnormal inbox rule creation, lateral movement from Exchange-connected accounts, privilege escalation attempts, and unusual data access patterns across endpoints and cloud services.

    Use Case: Rapid Triage of CVE-2026-42897 Exposure

    A financial services firm running Exchange Server 2019 receives an INDRA CTI alert at 09:00 on May 14, 2026, tagging CVE-2026-42897 as actively researched by known threat actors. BimaRed immediately correlates the firm’s external Exchange endpoints against the CVE profile and flags three servers as potentially exposed. The security team activates the Exchange EM Service workaround across all three servers by 11:00. XDR continues monitoring for session anomalies and lateral movement through the weekend. Total response window: two hours from disclosure to mitigation deployment. No compromise detected.

    Benefits

    | Benefit | Outcome |
    |---|---|
    | Real-time CVE intelligence | Team knows about CVE-2026-42897 within minutes of disclosure |
    | Automated attack surface correlation | Exposed Exchange assets flagged without manual scanning |
    | Structured incident response | IRP ensures no remediation step is missed |
    | Continuous behavioral monitoring | XDR catches post-exploitation activity that static controls miss |

    Conclusion

    CVE-2026-42897 separates prepared organizations from compromised ones. There is no patch. The attack surface is large. The exploitation path is well-understood. Your response window is hours, not days.

    Peris.ai’s combination of BimaRed, INDRA CTI, XDR, and IRP gives your security team the tools to respond at machine speed. Explore the Peris.ai security operations platform at peris.ai/blog and learn how organizations across ASEAN are defending against zero-day threats before they escalate.

    FAQ

    What is CVE-2026-42897?

    CVE-2026-42897 is a CVSS 8.1 cross-site scripting vulnerability in Microsoft Exchange Server 2016, 2019, and Subscription Edition, disclosed May 14, 2026. It allows unauthenticated attackers with network access to inject malicious scripts into Exchange web pages.

    Is there a patch for CVE-2026-42897?

    As of the May 14, 2026 disclosure, no patch exists. The only available mitigation is enabling the Exchange Emergency Mitigation (EM) Service.

    Which Exchange versions are affected by CVE-2026-42897?

    Exchange Server 2016, 2019, and Subscription Edition (all on-premises). Exchange Online (Microsoft 365) is not affected.

    How quickly can attackers exploit CVE-2026-42897?

    Based on the pattern of recent enterprise zero-days, exploitation attempts typically begin within hours of public disclosure. In the same timeframe, PraisonAI’s CVE-2026-44338 was exploited within four hours of its disclosure.

    How does Peris.ai help with Exchange zero-day response?

    BimaRed identifies exposed Exchange endpoints and correlates them with CVE profiles. INDRA CTI delivers real-time zero-day alerts. XDR monitors post-exploitation behavior. IRP manages the incident response workflow from detection through remediation.

  • When the Phishing Email Knows Your CFO’s Writing Style: The AI-BEC Threat Banks Cannot Ignore

    The tell-tale sign of a phishing email used to be the grammar. Awkward phrasing, misaligned tone, a CFO who suddenly writes like a non-native speaker: these were the signals security awareness training taught employees to catch.

    Those signals are gone.

    Generative AI has closed the stylistic gap between a real executive’s writing and a synthetic impersonation. Today, 40% of business email compromise (BEC) phishing emails are AI-generated, producing personalized, contextually accurate messages that match the target executive’s known vocabulary, communication cadence, and organizational context. The click-through rate on AI-crafted lures is 450% higher than on traditional phishing emails. And the financial sector is the primary target.

    For CISOs at banks, insurers, and fintech firms, this is not an incremental escalation of a known threat. It is a qualitative change in what BEC actually is.

    What Is AI-Powered Business Email Compromise?

    Business email compromise (BEC) is a class of fraud where attackers impersonate executives, vendors, or business partners to manipulate employees into transferring funds, divulging credentials, or executing unauthorized transactions. Traditional BEC relied on social engineering and domain spoofing. AI-powered BEC adds stylometric matching, voice cloning, real-time context harvesting from LinkedIn and corporate websites, and automated multi-channel targeting.

    The FBI IC3 reported that BEC caused more than $2.7 billion in adjusted losses in 2024 and accounts for 73% of all reported cyber incidents.

    How the AI-BEC Threat Has Evolved in 2026

    Adversary-in-the-Middle (AiTM) Phishing

    In January 2026, Microsoft documented a multi-stage AiTM phishing and BEC campaign targeting the energy sector via SharePoint. Rather than simply spoofing an email, the attacker positioned themselves between the victim and a legitimate Microsoft authentication flow, intercepting session tokens in real time.

    Dual-Channel BEC Attacks

    The dominant 2026 BEC pattern is the dual-channel attack: simultaneous multi-vector contact where the target receives a spoofed email from an “executive” and a concurrent phone call or SMS confirming the request. The second channel adds urgency and reinforces the apparent authenticity of the request, which significantly increases compliance rates.

    Callback Phishing

    Callback phishing, where a phishing email instructs the target to call a fraudulent number staffed by social engineers posing as IT or finance support, more than doubled in popularity in 2025 and continues accelerating into 2026.

    What Happens When Financial Security Teams Don’t Address This

    According to 2026 threat intelligence, 59% of financial services organizations hit by ransomware had their data successfully encrypted. The median ransom demand in financial services reached $3 million.

    The Financial Sector’s Structural Vulnerability

    | Attack Vector | Why Financial Sector Is Exposed |
    |---|---|
    | Executive impersonation | Finance employees are trained to prioritize urgent requests from leadership |
    | Vendor impersonation | High transaction volumes create normalcy for wire transfer requests |
    | AiTM MFA bypass | Widespread MFA adoption has driven attackers to session hijacking rather than credential theft |
    | AI style matching | Executives’ communication styles are well-documented through public statements and filings |
    | Dual-channel attacks | Second communication channel creates false authentication signal |

    How Peris.ai Defends Financial Institutions Against AI-BEC

    BrahmaFusion: Behavioral Analytics and Anomalous Communication Detection

    BrahmaFusion, Peris.ai’s agentic AI and hyperautomation platform, applies behavioral analytics to communication patterns across email, endpoint, and identity systems. While content filtering can be defeated by stylistically accurate AI-generated text, behavioral analytics focuses on what is unusual about how and when a communication occurs: an executive sending a wire transfer request from an unusual IP, at an unusual hour, to a new payee, without the corresponding approval workflow.

    A FeedLoop customer using BrahmaFusion’s automation reported a 70% reduction in response time for anomalous communication incidents.

    INDRA CTI: Tracking BEC Campaigns Targeting Financial Institutions

    INDRA CTI provides real-time intelligence on threat actor campaigns, including BEC operations targeting specific industries and geographies. When a threat actor group begins targeting the Indonesian banking sector with AiTM infrastructure, INDRA CTI surfaces the relevant indicators before the first targeted email reaches your inbox.

    Use Case: Catching an AI-BEC Attack Before the Wire Transfers

    A regional bank’s CFO receives what appears to be an email from the CEO requesting an urgent $4.2M wire transfer to a new overseas account for a confidential acquisition. The email matches the CEO’s known writing style precisely.

    BrahmaFusion flags the transaction request before it reaches the wire desk:

    • The email originated from an AiTM proxy domain registered 48 hours earlier (INDRA CTI IOC match)
    • The CEO’s actual session shows no corresponding activity in the corporate email system around the email’s timestamp
    • The payee account has no prior relationship in the organization’s transaction history
    • The request bypassed the standard dual-approval workflow required for transfers above $1M

    The BrahmaFusion playbook pauses the request, alerts the SOC and compliance team, and generates a case in Peris.ai IRP with a full evidence chain. The attack is neutralized without reaching the wire desk.
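
    The four contextual checks in this use case can be expressed as a small rule set. The following is an added example, not BrahmaFusion or Peris.ai code: it evaluates constructed wire requests against those checks. The record fields, the 30-day domain-age cut-off, the 15-minute session window and the hold/review/release policy are assumptions; the $1M dual-approval threshold comes from the use case.

```python
# Added example: contextual (non-content) checks on a wire transfer request.
# All records are constructed; field names are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta

DUAL_APPROVAL_THRESHOLD_USD = 1_000_000  # from the use case: dual approval above $1M
REQUIRED_APPROVALS = 2
NEW_DOMAIN_WINDOW = timedelta(days=30)   # assumption: cut-off for "newly registered"
SESSION_WINDOW = timedelta(minutes=15)   # assumption: sender activity expected this close


@dataclass(frozen=True)
class WireRequest:
    claimed_sender: str
    origin_domain: str
    origin_domain_registered: datetime
    received_at: datetime
    payee_account: str
    amount_usd: int
    approvals: int


def tripwires(req, sender_sessions, known_payees):
    """Return the names of the checks the request fails, in a fixed order."""
    tripped = []

    # 1. The sending infrastructure was registered very recently.
    if req.received_at - req.origin_domain_registered < NEW_DOMAIN_WINDOW:
        tripped.append("new_origin_domain")

    # 2. The claimed sender has no mail-system activity near the send time.
    sessions = sender_sessions.get(req.claimed_sender, [])
    if not any(abs(req.received_at - t) <= SESSION_WINDOW for t in sessions):
        tripped.append("no_sender_session")

    # 3. The payee has never appeared in the transaction history.
    if req.payee_account not in known_payees:
        tripped.append("unknown_payee")

    # 4. A large transfer arrived without the required approvals.
    if (req.amount_usd > DUAL_APPROVAL_THRESHOLD_USD
            and req.approvals < REQUIRED_APPROVALS):
        tripped.append("approval_bypassed")

    return tripped


def decide(tripped):
    """Assumed policy: a bypassed approval or any two signals holds the transfer."""
    if "approval_bypassed" in tripped or len(tripped) >= 2:
        return "hold"
    if tripped:
        return "review"
    return "release"


# Constructed sample data.
T0 = datetime(2026, 5, 20, 9, 30)
SESSIONS = {
    "ceo@bank.example": [datetime(2026, 5, 19, 17, 5)],
    "treasury@bank.example": [datetime(2026, 5, 20, 9, 27)],
}
KNOWN_PAYEES = {"ACCT-VENDOR-0042"}

SUSPICIOUS = WireRequest("ceo@bank.example", "bank-secure.example",
                         T0 - timedelta(hours=48), T0,
                         "ACCT-OVERSEAS-NEW", 4_200_000, 0)
ROUTINE = WireRequest("treasury@bank.example", "bank.example",
                      datetime(2012, 3, 1), T0,
                      "ACCT-VENDOR-0042", 250_000, 1)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        hits = tripwires(req, SESSIONS, KNOWN_PAYEES)
        print(label, decide(hits), hits)
```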

    Benefits at a Glance

    | Benefit | Outcome |
    |---|---|
    | BrahmaFusion behavioral analytics | Detects AI-BEC even when content bypasses stylistic filters |
    | Automated workflow tripwires | Wire transfer anomalies caught before human approval stage |
    | INDRA CTI campaign tracking | Known BEC infrastructure blocked before first email lands |
    | IRP evidence chain | Full forensic record for regulatory and legal response |
    | 70% faster response (BrahmaFusion) | Rapid containment reduces exposure window for AiTM session hijacks |

    The Authentication Stack Is No Longer Sufficient on Its Own

    MFA was the correct response to credential theft. AiTM attacks are the response to MFA. The adversarial cycle does not stop at the authentication layer, and financial institutions that treat identity security as the final defense will be repeatedly outmaneuvered.

    Behavioral analytics, real-time threat intelligence, and automated anomaly response are the layers that catch what authentication cannot. Peris.ai was built to operate at this level, with BrahmaFusion providing the intelligence-driven automation that financial security teams need to stay ahead of AI-powered fraud.

    Visit peris.ai to see how Peris.ai’s agentic AI platform protects financial institutions from the next generation of BEC attacks.

    Frequently Asked Questions

    What is AI-powered BEC?

    AI-powered business email compromise uses generative AI to create hyper-personalized, stylistically accurate executive impersonation emails, increasing click-through rates by up to 450% versus traditional phishing.

    How does adversary-in-the-middle (AiTM) phishing bypass MFA?

    AiTM phishing intercepts a user’s live authentication session, capturing the session token after the user completes genuine MFA. The attacker uses the captured token to authenticate as the user without ever needing the password or MFA code.

    What are the signs of a dual-channel BEC attack?

    An unsolicited request arriving simultaneously via email and phone or SMS, with urgency framing and a request that bypasses normal approval processes, is a strong indicator of a dual-channel BEC operation.

    How much do BEC attacks cost financial organizations?

    The FBI IC3 reported $2.7B+ in BEC-adjusted losses in 2024. The median ransom demand in financial services reached $3 million in 2026.

    How does behavioral analytics catch AI-generated BEC emails?

    Behavioral analytics focuses on communication context, not content: unusual timing, new payees, bypassed workflows, mismatched session activity, and infrastructure anomalies that AI-generated text cannot replicate.

  • Foxconn Was Just the Beginning: How Nitrogen Ransomware Is Putting Manufacturers in Its Crosshairs

    On May 11, 2026, the Nitrogen ransomware group listed Foxconn on its public leak site, claiming exfiltration of approximately 8TB of data spanning more than 11 million files. Foxconn confirmed disruption to North American operations the following day. Here is why manufacturers are the next major ransomware battleground.

    Foxconn is not a small target. It is one of the largest electronics manufacturers on the planet, a supplier to Apple, Microsoft, and Sony, operating factories on multiple continents. If Nitrogen ransomware can penetrate Foxconn’s North American operations and walk out with 8TB of sensitive data, no manufacturer should consider itself safe.

    This post examines how Nitrogen operates, why the manufacturing sector has become a primary target, and what security architecture prevents an EDR killer from disabling your defences before the encryption begins.

    What Is Nitrogen Ransomware?

    Nitrogen ransomware is a ransomware-as-a-service (RaaS) operation that gained significant attention in 2026 for its targeting of large manufacturing, industrial, and logistics organisations. The group maintains a public leak site, NitroBlog, where it lists confirmed victims and publishes exfiltrated data to pressure ransom payment.

    Nitrogen’s defining technical characteristic is its use of EDR killers as a standard pre-attack preparation step. EDR killers are tools specifically designed to disable, crash, or evade endpoint detection and response software before the ransomware payload is deployed. Their inclusion in Nitrogen’s standard attack playbook reflects a sector-wide trend: Kaspersky’s 2026 International Anti-Ransomware Day report confirmed that EDR killers are now standard components of ransomware attack chains across the industry.

    How Nitrogen Gets In: The Malvertising Initial Access Vector

    Nitrogen does not rely on zero-day exploits for initial access. Its approach is more insidious: malvertising campaigns that deliver trojanized installers of legitimate, trusted software.

    The tools commonly used as lures include:

    • WinSCP (popular Windows file transfer tool)
    • AnyDesk (remote desktop software widely used in manufacturing IT)
    • Advanced IP Scanner (network administration tool)
    • PuTTY (SSH client used by IT and OT teams)

    An IT technician searching for a free download of WinSCP may land on a malvertised page serving a trojanized installer that looks identical to the legitimate version. The installer runs, the legitimate software installs correctly, and in the background Nitrogen’s initial access malware establishes persistence. The technician sees nothing unusual.

    The Foxconn Attack: Timeline and Impact

    • May 11, 2026: Nitrogen lists Foxconn on NitroBlog, claiming exfiltration of 8TB of data across more than 11 million files
    • May 12, 2026: Foxconn publicly confirms disruption to North American operations, affecting facilities in Wisconsin and Texas
    • Scope of data claimed: manufacturing specifications, supplier contracts, employee records, and operational data

    The attack follows a pattern that Nitrogen has repeated across multiple manufacturing sector targets in 2026. The group increasingly favours encryptionless extortion, exfiltrating data and threatening to publish it rather than encrypting systems and demanding a decryption key.

    Why Is Manufacturing a Ransomware Target?

    Operational Technology Exposure

    Modern manufacturing environments blend IT systems with OT (operational technology): industrial control systems, SCADA platforms, programmable logic controllers, and connected assembly-line equipment. These OT systems are often decades old, running software that cannot be updated without re-certifying the manufacturing process.

    High Operational Cost of Downtime

    A ransomware-induced shutdown of a manufacturing line costs thousands to tens of thousands of dollars per hour in lost production.

    Interconnected Supply Chains

    A breach at Foxconn has downstream implications for every organisation in its supply chain.

    What Happens When EDR Is the First Casualty?

    Nitrogen’s EDR killer deployment is specifically designed to neutralise your primary detection capability before the attack proceeds. When EDR is disabled:

    • Endpoint behavioural detection goes dark
    • The ransomware payload deploys without triggering the controls that should stop it
    • Security teams receive no alerts until encryption is already underway
    • Recovery scope expands dramatically because the attack was uncontained

    Nitrogen Attack vs. Defended Environment

    | Attack Stage | Undefended Environment | Peris.ai-Defended Environment |
    |---|---|---|
    | Malvertised installer download | No detection | BimaRed surfaces malvertising domain |
    | EDR killer execution | EDR disabled, blind spot created | XDR network layer continues detecting |
    | Lateral movement | Undetected across OT/IT boundary | NVM packet analysis detects anomalous traversal |
    | Data exfiltration | 8TB exits unnoticed | XDR triggers BrahmaFusion isolation playbook |
    | Ransomware payload | Encryption proceeds | Automated containment limits blast radius |

    How Peris.ai Defends Manufacturing Environments

    Our EDR provides behavioural detection on industrial endpoints and IT workstations. Critically, Peris.ai’s EDR is designed to resist EDR killer techniques through tamper-protection mechanisms.

    Our XDR extends detection to the full manufacturing environment, including OT network segments. In a factory where industrial control systems share network infrastructure with corporate IT, XDR correlates telemetry across both layers.

    Our NVM (Network Visibility Monitor) provides packet-level analysis of all traffic traversing the factory network. Nitrogen’s data exfiltration, typically multi-gigabyte transfers to external infrastructure, generates distinctive network traffic patterns that NVM detects and flags regardless of endpoint agent status.

    BimaRed monitors the attack surfaces that Nitrogen exploits for initial access: internet-facing management interfaces, exposed OT systems, and vulnerabilities in IT administration tools.

    BrahmaFusion ties the detection layers together with automated response playbooks. When XDR or NVM surfaces Nitrogen indicators, BrahmaFusion triggers network segmentation rules that isolate affected systems from OT infrastructure before encryption can spread to production lines.

    Benefits at a Glance

    | Benefit | Outcome |
    |---|---|
    | EDR with tamper protection | EDR killer techniques detected and resisted |
    | XDR cross-layer visibility | OT/IT boundary lateral movement detected |
    | NVM packet-level analysis | Large data exfiltration detected before completion |
    | BimaRed attack surface monitoring | Malvertising domains and exposed assets surfaced early |
    | BrahmaFusion automated segmentation | OT environments isolated before encryption spreads |

    Final Thought

    Nitrogen ransomware listed Foxconn on May 11, 2026. The group will list its next target soon. For manufacturing security teams, the question is not whether their sector is being targeted. It is whether their detection architecture will survive an EDR killer long enough to contain the attack.

    Platforms like BrahmaFusion by Peris.ai, combined with XDR, NVM, and INDRA CTI threat intelligence, give manufacturing security teams the layered, agent-independent detection and automated response capability they need to stop Nitrogen and groups like it before the production line goes dark.

    Frequently Asked Questions

    What is Nitrogen ransomware?

    Nitrogen is a ransomware-as-a-service operation that targets manufacturing, industrial, and logistics organisations. The group uses malvertising campaigns to deliver trojanized installers of legitimate tools, deploys EDR killers to disable endpoint detection, and increasingly uses encryptionless extortion by threatening to publish stolen data.

    How did Nitrogen ransomware attack Foxconn?

    On May 11, 2026, Nitrogen listed Foxconn on its leak site claiming 8TB of exfiltrated data across 11 million or more files. Foxconn confirmed disruption to North American operations including facilities in Wisconsin and Texas on May 12, 2026.

    What is an EDR killer and how does it work?

    An EDR killer is a tool designed to disable, crash, or evade endpoint detection and response software before a ransomware payload deploys. By neutralising the primary detection control, attackers create a window where encryption or exfiltration proceeds without triggering alerts.

    Why does Nitrogen use malvertising as an initial access vector?

    Nitrogen uses malvertised downloads of legitimate IT tools (WinSCP, AnyDesk, Advanced IP Scanner, PuTTY) because these tools are trusted and regularly downloaded by IT and OT teams in manufacturing environments.

    How can manufacturers defend against EDR killer attacks?

    Effective defence requires layered detection that operates independently of endpoint agents. This includes network-level visibility (NVM), cross-layer XDR that monitors OT/IT boundaries, EDR with tamper-protection capabilities, and automated isolation playbooks.

  • When the Scalpel Goes Offline: The Stryker Cyberattack and Why Medical Device Security Is Now Critical Care

    Stryker was cyberattacked in March 2026. 22% of hospitals have had attacks impact medical devices directly. IoMT security is now a patient safety issue.

    On March 11, 2026, Stryker, one of the world’s largest medical technology companies supplying surgical equipment and devices to hospitals across the globe, was disrupted by a cyberattack affecting operations worldwide.

    This was not a data breach. Stryker’s attack disrupted the operational continuity of a company whose devices are used in operating rooms, ICUs, and emergency departments every hour of every day. And Stryker is not an isolated case. By 2026, 22% of healthcare organizations have experienced cyberattacks that directly impacted medical devices, and 75% of those incidents disrupted patient care. In 24% of medical device attack cases, patients required transfer to other facilities.

    Former FBI officials have proposed terrorist designations for ransomware hackers targeting hospitals, reflecting the recognized severity: when medical devices go offline, patients can die. The Internet of Medical Things (IoMT) is no longer just an IT problem. It is a critical care problem.

    What Is IoMT Security and Why Is It Different from Standard Healthcare IT Security?

    IoMT (Internet of Medical Things) security refers to the protection of network-connected medical devices: infusion pumps, patient monitors, imaging systems, surgical robots, ventilators, diagnostic equipment, and the thousands of other connected devices deployed across modern hospital environments.

    IoMT security differs fundamentally from standard healthcare IT security in three ways:

    • Devices cannot be patched on a normal cycle. Medical device firmware updates require FDA clearance or CE marking in most jurisdictions. A vulnerability disclosed today may not have a patch available for 12 to 18 months.
    • Agents cannot be installed. Most medical devices run proprietary operating systems that cannot accept security agent software. Standard EDR deployment is impossible.
    • Device failure directly harms patients. Unlike an email server outage, a compromised ventilator or infusion pump creates an immediate clinical risk.

    By 2026, smart hospitals deploy more than 7 million IoMT devices globally, double the level from 2021.

    What the Stryker Attack Reveals About Medical Technology Vulnerability

    The March 11, 2026 attack on Stryker demonstrates that the vulnerability extends beyond individual hospital networks to the medical technology supply chain. A cyberattack that disrupts Stryker’s operations can simultaneously affect:

    • Supply chain continuity for hospital procurement teams
    • Software update distribution for connected Stryker devices already deployed in hospitals
    • Remote monitoring and diagnostics capabilities for equipment under service contracts
    • Customer support and technical assistance for clinical staff

    The Scale of the IoMT Security Crisis in 2026

    By the Numbers

    • 7 million+ IoMT devices deployed in smart hospitals globally (double 2021 levels)
    • 22% of healthcare organizations experienced cyberattacks directly impacting medical devices
    • 75% of medical device attacks disrupted patient care
    • 24% of medical device attacks required patient transfers to other facilities
    • $10.9 million average cost of a hospital ransomware attack (downtime, recovery, regulatory fines)
    • 276 million health records breached in 2024 alone

    How Peris.ai Addresses IoMT Cybersecurity

    Agentless Medical Device Monitoring with NVM

    Because agents cannot be installed on medical devices, the detection layer must be network-based. Peris.ai’s NVM (Network Visibility Monitor) performs passive packet-level inspection of medical device network traffic without requiring any software installation on the devices themselves and without causing any device operational impact.

    NVM establishes behavioral baselines for each device type: the normal communication patterns of an infusion pump differ from those of a patient monitor. Deviations from baseline, including unexpected outbound connections, unusual authentication attempts, and command-and-control traffic patterns, trigger alerts without disrupting device function.
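
    A per-device-type baseline of this kind can be sketched over flow records. The following is an added example, not NVM or Peris.ai code: it learns the destinations each device type normally talks to and flags flows that deviate. The flow fields, device names, addresses, ports and the internal address range are constructed assumptions.

```python
# Added example: per-device-type destination baselines for agentless IoMT monitoring.
# All flow records are constructed; field names are hypothetical.
from collections import defaultdict
from ipaddress import ip_address, ip_network

HOSPITAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: internal address space


def learn_baseline(flows):
    """Map each device type to the (destination, port) pairs seen during learning."""
    baseline = defaultdict(set)
    for flow in flows:
        baseline[flow["type"]].add((flow["dst"], flow["port"]))
    return dict(baseline)


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in HOSPITAL_NETS)


def deviations(flows, baseline):
    """Return (device, kind, dst, port) for every flow outside its type's baseline.

    A device type with no baseline at all has every flow reported, so new or
    unclassified devices are never silently trusted.
    """
    alerts = []
    for flow in flows:
        peer = (flow["dst"], flow["port"])
        if peer in baseline.get(flow["type"], set()):
            continue
        kind = "new_internal_peer" if is_internal(flow["dst"]) else "unexpected_outbound"
        alerts.append((flow["device"], kind, flow["dst"], flow["port"]))
    return alerts


# Constructed learning window: pumps talk to a pump server, monitors to a
# central station.
BASELINE_FLOWS = [
    {"device": "pump-07", "type": "infusion_pump", "dst": "10.20.0.10", "port": 443},
    {"device": "pump-12", "type": "infusion_pump", "dst": "10.20.0.10", "port": 443},
    {"device": "mon-03", "type": "patient_monitor", "dst": "10.20.0.20", "port": 2575},
]

# Constructed observation window.
OBSERVED_FLOWS = [
    {"device": "pump-07", "type": "infusion_pump", "dst": "10.20.0.10", "port": 443},
    # A pump reaching an address outside the hospital ranges.
    {"device": "pump-12", "type": "infusion_pump", "dst": "203.0.113.50", "port": 8443},
    # Normal for a pump, but not for a patient monitor: baselines are per type.
    {"device": "mon-03", "type": "patient_monitor", "dst": "10.20.0.10", "port": 443},
    {"device": "mon-03", "type": "patient_monitor", "dst": "10.20.0.20", "port": 2575},
]

if __name__ == "__main__":
    learned = learn_baseline(BASELINE_FLOWS)
    for alert in deviations(OBSERVED_FLOWS, learned):
        print(alert)
```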

    Cross-Network Threat Detection with XDR

    Peris.ai’s XDR platform correlates signals from NVM (medical device network), EDR (clinical IT endpoints), and cloud environments into a unified detection view.

    Automated Clinical Isolation with BrahmaFusion

    BrahmaFusion, Peris.ai’s agentic AI and hyperautomation platform, enables automated response playbooks specifically designed to isolate compromised devices without disrupting clinical workflows. When NVM detects anomalous communication from a medical device, a BrahmaFusion playbook can:

    • Isolate the affected device’s network access at the switch level without powering down the device
    • Alert clinical biomedical engineering and the security team simultaneously
    • Trigger a structured incident response workflow via Peris.ai IRP
    • Preserve all network traffic captures for forensic investigation

    Healthcare-Specific Threat Intelligence with INDRA CTI

    INDRA CTI provides healthcare sector-specific threat intelligence: ransomware group tactics targeting medical devices, active campaign IOCs for healthcare-focused threat actors, and vulnerability intelligence for common medical device platforms and operating systems.

    Real-World Scenario: A Ransomware Attack on Hospital IoMT

    A regional hospital system with 2,400 connected medical devices across three facilities:

    • An attacker gains initial access through a phishing email to a hospital IT administrator
    • They move laterally through the hospital IT network to reach the medical device VLAN, which lacks proper segmentation
    • An infusion pump with a known unpatched CVE is exploited as a pivot point into the medical device network
    • Ransomware is deployed targeting the device management server and clinical data systems simultaneously
    • 40 infusion pumps require manual operation; two ICU patients require transfer to another facility
    • Total incident cost: $12.4 million over 8 weeks of recovery

    With Peris.ai: NVM detects the lateral movement into the medical device VLAN. BrahmaFusion isolates the compromised VLAN segment while preserving device function. The infusion pump CVE exploitation is flagged before pivot occurs. INDRA CTI confirms the attacker’s infrastructure matches a known ransomware group’s healthcare campaign.

    Healthcare IoMT Security Priorities

    Priority | Action | Peris.ai Capability
    1 | Deploy agentless network monitoring for all IoMT | NVM passive packet inspection
    2 | Segment medical device network from general IT | NVM-identified boundary enforcement via BrahmaFusion
    3 | Inventory all IoMT devices with firmware versions | BimaRed asset discovery
    4 | Monitor for healthcare-specific threat actor activity | INDRA CTI
    5 | Test network pivot paths into medical device VLANs | Pandava penetration testing

    Conclusion

    The Stryker cyberattack and the data from 2026 make one thing clear: IoMT security is no longer a future concern. With 22% of healthcare organizations already experiencing attacks that directly impact medical devices and 24% of those incidents forcing patient transfers, the question is not whether your hospital will face an IoMT security incident, but whether you will detect it before it reaches patients.

    Peris.ai’s healthcare security stack, built around agentless NVM monitoring, cross-network XDR detection, and clinically aware BrahmaFusion automated response, provides the coverage that standard IT security tools cannot deliver in medical device environments.

    Don’t wait for a breach to take action. Secure your organization today. Stay Secure with Peris.ai.

    Frequently Asked Questions

    What is IoMT cybersecurity?

    IoMT (Internet of Medical Things) cybersecurity refers to the protection of network-connected medical devices including infusion pumps, patient monitors, imaging systems, surgical equipment, and diagnostic devices against cyberattacks that could disrupt clinical operations or compromise patient safety.

    What happened in the Stryker cyberattack in 2026?

    On March 11, 2026, Stryker, one of the world’s largest medical technology companies, was disrupted by a cyberattack affecting its global operations, including supply chain, software update distribution, and technical support capabilities for its connected medical devices.

    Why are medical devices difficult to secure against cyberattacks?

    Medical devices are difficult to secure because they typically run proprietary operating systems that cannot accept security agents, require regulatory approval for firmware updates, which creates long patch cycles, and cannot be taken offline without clinical risk to patients.

    How common are cyberattacks on medical devices?

    As of 2026, 22% of healthcare organizations have experienced cyberattacks that directly impacted medical devices. Of those, 75% disrupted patient care and 24% required patient transfers to other facilities.

    What is the best way to monitor medical device security without disrupting clinical operations?

    Passive, agentless network monitoring (such as NVM) is the recommended approach. It inspects medical device network traffic at the packet level without installing any software on devices and without causing any operational impact.

  • Your Boss Never Called: How AI Voice Cloning Turned CEO Fraud Into a $2.77 Billion Problem

    AI-powered voice cloning made CEO fraud nearly undetectable. BEC losses hit $2.77B. Here’s how the attack is built and what stops it.

    The call lasted four minutes. The voice on the line sounded exactly like the CFO: same cadence, same regional accent, same habit of trailing off before giving a direct instruction. The finance team authorized a $400,000 wire transfer. The CFO never made that call.

    Business email compromise (BEC) has evolved beyond email. Attackers now use generative AI to clone the voices and, increasingly, the video presence of C-suite executives to authorize fraudulent wire transfers, extract credentials, and bypass standard verification procedures. The FBI classifies AI-powered BEC as one of the fastest-growing, highest-value fraud categories targeting enterprises in 2026, with BEC generating $2.77 billion in losses across 21,442 incidents in the most recent FBI IC3 reporting period.

    Detection is nearly impossible in real time. Few tools exist for live audio deepfake detection, and human ears are fundamentally unreliable at identifying AI-generated speech. This post explains exactly how deepfake CEO voice cloning fraud is constructed, why it works, and what controls can actually stop it.

    What Is Deepfake CEO Voice Cloning BEC?

    Deepfake CEO voice cloning BEC is a variant of business email compromise in which attackers use AI-generated audio (and increasingly video) to impersonate senior executives during phone or video calls. Rather than sending a fraudulent email, the attacker places a phone call using a voice synthesized from publicly available audio sources, directing employees to take financial or access-related actions under false authority.

    The FBI reports a 312% spike in AI-assisted cybercrime targeting US citizens between 2024 and 2026. Q1 2026 alone saw 10.7 million BEC attacks, with 4 million occurring in March.

    How AI Voice Cloning Attacks Are Built

    The Preparation Phase

    Attackers invest weeks before placing a single fraudulent call. They harvest voice samples from publicly available sources:

    • Earnings call recordings and investor day presentations
    • Conference keynote videos and panel recordings
    • LinkedIn videos, podcast appearances, and media interviews
    • Company website leadership videos

    Using commercially available AI voice synthesis tools, they train a voice model requiring as little as 30 seconds of clean audio. The result is a synthesized voice that replicates emotional cues: urgency, frustration, reassurance, and fatigue, all of which human listeners rely on to assess credibility.

    The Attack Execution

    Calls are deliberately timed to create pressure: before long weekends, immediately before market close, or during known leadership travel. The attacker calls the finance team, accounts payable department, or IT helpdesk and poses as the CEO, CFO, or other executive.

    In 2026, the dominant tactic is the “dual-channel” attack: a simultaneous voice call, a spoofed email from an executive address, and a spoofed SMS text message all arrive at the same time, creating apparent corroboration across three channels.

    Why Human Detection Fails

    AI-generated voices now replicate micro-level speech patterns including breath timing, hesitation markers, and stress patterns. Independent testing shows that under 3% of hyper-personalized deepfake interactions are detected by their targets using standard listening judgment.

    Why Deepfake CEO Fraud Is Different from Traditional BEC

    Traditional BEC | AI Voice Cloning BEC
    Email-only vector | Multi-channel: voice, email, SMS simultaneously
    Relies on email spoofing detection | Bypasses email security entirely
    Detectable via email header analysis | No email artifact to analyze
    Caught by MFA and callback verification | Call-back verification spoofed via call forwarding
    Effectiveness declining with awareness | Effectiveness increasing with AI quality

    What Controls Actually Stop AI-Powered BEC

    Challenge-Response Safe Words

    The most immediately deployable control is a pre-established verbal safe word protocol between executive leadership and finance/IT teams. Any out-of-band financial or access request must be verified with a shared phrase that was established in person during onboarding and is rotated monthly.

    Mandatory Dual-Approval Delay

    All wire transfers above a defined threshold must require two independent approvals with a mandatory cooling-off period. No single voice call or message, regardless of claimed authority, can authorize a transfer without a second approver confirming through a separate verification path.

    AI-Powered Anomaly Detection with BrahmaFusion

    BrahmaFusion, Peris.ai’s agentic AI and hyperautomation platform, can monitor for unusual financial authorization patterns: requests arriving outside business hours, transfers to first-time beneficiary accounts, requests placed before public holidays, and dual-channel simultaneous contact patterns.

    Incident Response Workflow with Peris.ai IRP

    When a suspected CEO fraud attempt is detected or reported, a structured incident response workflow is essential. Peris.ai IRP provides unified case management to coordinate rapid investigation. Organizations using Peris.ai IRP have achieved 35% analyst workload reduction through this structured approach.

    Threat Actor Attribution with INDRA CTI

    INDRA CTI, Peris.ai’s cyber threat intelligence platform, tracks deepfake BEC campaign infrastructure: spoofed caller ID pools, campaign timing patterns, and affiliate groups operating specific CEO fraud campaigns.

    Security Testing with Pandava

    Pandava, Peris.ai’s penetration testing platform, includes social engineering scenarios specifically designed around simulated deepfake calls.

    Real-World Scenario: A Dual-Channel CEO Fraud Attack

    A regional bank’s CFO is traveling internationally for a conference:

    • Attackers monitor the CFO’s LinkedIn and conference social media to confirm travel dates
    • On Friday afternoon, three simultaneous contacts arrive: a spoofed email from the CFO’s address, a spoofed SMS from the CFO’s number, and a voice call using an AI-cloned version of the CFO’s voice
    • The voice call requests an urgent $650,000 wire transfer to a new vendor account, citing a confidential acquisition
    • The finance coordinator, seeing email and SMS corroboration, initiates the transfer
    • Total time from first contact to wire authorization: 11 minutes

    With BrahmaFusion’s anomaly detection: the new beneficiary account, Friday afternoon timing, and simultaneous multi-channel contact pattern trigger an automated hold and escalation. The transfer is flagged for manual review before execution. The fraud is stopped.
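
    The dual-approval delay and the anomaly signals described above, combined into one hold-or-release decision and run on the Friday scenario. This is an added example, not Peris.ai’s or BrahmaFusion’s code; the threshold, cooling-off period, business hours, field names and all sample data are assumptions.

```python
"""Added example: hold/release decision for wire requests (constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

THRESHOLD = 50_000                  # dual approval at or above this amount (assumption)
COOLING_OFF = timedelta(hours=4)    # minimum delay before release (assumption)
BURST = timedelta(minutes=15)       # span that counts as "simultaneous" (assumption)
OPEN, CLOSE = time(9), time(17)     # business hours (assumption)
KNOWN = {"ACME-SUPPLY-001"}         # constructed beneficiary master list


@dataclass(frozen=True)
class Approval:
    approver: str
    path: str          # how the approver verified the request


@dataclass
class Transfer:
    initiated_by: str
    requested_at: datetime
    amount: int
    beneficiary: str
    contacts: list     # (channel, datetime) of inbound messages behind the request
    approvals: list = field(default_factory=list)


def risk_signals(t, known_beneficiaries, holidays=frozenset()):
    """Return the set of anomaly signals present on one transfer request."""
    signals = set()
    if t.beneficiary not in known_beneficiaries:
        signals.add("first_time_beneficiary")
    when = t.requested_at
    if when.weekday() >= 5 or not (OPEN <= when.time() < CLOSE):
        signals.add("outside_business_hours")
    tomorrow = when.date() + timedelta(days=1)
    if when.time() >= time(12) and (tomorrow.weekday() >= 5 or tomorrow in holidays):
        signals.add("afternoon_before_non_working_day")
    # Two or more distinct channels inside one BURST span look like staged
    # corroboration rather than independent confirmation.
    for _, start in t.contacts:
        channels = {ch for ch, ts in t.contacts if start <= ts <= start + BURST}
        if len(channels) >= 2:
            signals.add("multi_channel_burst")
            break
    return signals


def decide(t, now, known_beneficiaries, holidays=frozenset()):
    """Return (decision, signals) for a transfer evaluated at time `now`."""
    signals = risk_signals(t, known_beneficiaries, holidays)
    if len(signals) >= 2:
        return "hold_for_manual_review", signals
    if t.amount >= THRESHOLD:
        # An approval counts only if it comes from someone other than the
        # initiator and was verified on a path the request did not arrive on.
        inbound = {ch for ch, _ in t.contacts}
        approvers = {a.approver for a in t.approvals
                     if a.approver != t.initiated_by and a.path not in inbound}
        if len(approvers) < 2:
            return "awaiting_second_approval", signals
        if now < t.requested_at + COOLING_OFF:
            return "cooling_off", signals
    return "release", signals


def friday_scenario():
    """The scenario above as constructed data: three channels, 11 minutes."""
    first = datetime(2026, 3, 6, 15, 29)   # a Friday afternoon
    return Transfer("finance.coordinator", first + timedelta(minutes=11),
                    650_000, "NEW-VENDOR-777",
                    contacts=[("email", first), ("sms", first),
                              ("voice", first + timedelta(minutes=1))])


def routine_payment(second_path="erp-workflow"):
    """Constructed control: known vendor, Tuesday morning, two approvers."""
    tue = datetime(2026, 3, 10, 10, 0)
    return Transfer("ap.clerk", tue, 80_000, "ACME-SUPPLY-001",
                    contacts=[("email", tue - timedelta(hours=1))],
                    approvals=[Approval("controller", "erp-workflow"),
                               Approval("treasurer", second_path)])


if __name__ == "__main__":
    fraud = friday_scenario()
    print(decide(fraud, fraud.requested_at, KNOWN))
    ok = routine_payment()
    print(decide(ok, ok.requested_at + COOLING_OFF, KNOWN))
```

    The second approver’s reply to the requesting email does not count: `routine_payment(second_path="email")` stays at `awaiting_second_approval` however long it waits.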

    Benefits of an AI-Aware BEC Defense Program

    Benefit | Outcome
    Behavioral anomaly detection | Catch unusual authorization patterns before transfer executes
    Structured IR workflow | Coordinate response across finance, legal, and security in one platform
    Threat actor tracking | Pre-flag known BEC campaign infrastructure
    Simulated deepfake testing | Build staff resilience before real attacks arrive
    Dual-approval enforcement | Remove single-point-of-failure in authorization chains

    Conclusion

    AI voice cloning has turned CEO fraud from an email problem into a multi-channel social engineering crisis. With $2.77 billion in losses and a 312% increase in AI-assisted cybercrime, organizations that rely solely on email security controls are defending against the wrong threat vector.

    The controls that work are behavioral, not perceptual: anomaly detection that flags unusual authorization patterns, structured incident response that creates mandatory friction, and security testing that trains your teams before attackers do. Peris.ai’s integrated platform gives security and finance teams the tools to detect, respond to, and learn from deepfake BEC attempts before they become wire transfer losses.

    Frequently Asked Questions

    What is deepfake CEO voice cloning fraud?

    Deepfake CEO voice cloning fraud is a form of business email compromise (BEC) in which attackers use AI-synthesized audio to impersonate C-suite executives during phone calls, directing employees to authorize wire transfers, share credentials, or bypass standard verification procedures.

    How do attackers create a deepfake voice for CEO fraud?

    Attackers collect voice samples from public sources such as earnings calls, conference videos, and podcast recordings. Using AI voice synthesis tools, they train a voice model requiring as little as 30 seconds of audio, producing a synthetic voice that replicates the target’s speech patterns and emotional cues.

    How much money has been lost to BEC and deepfake CEO fraud?

    The FBI reports $2.77 billion in BEC losses across 21,442 incidents in the most recent IC3 reporting period. AI-assisted cybercrime targeting US citizens increased 312% between 2024 and 2026.

    Can deepfake phone calls be detected in real time?

    Industry testing shows that fewer than 3% of hyper-personalized deepfake interactions are detected by their targets in real time. Human listeners cannot reliably distinguish AI-generated speech, particularly under time pressure.

    What is the most effective control against AI voice cloning BEC?

    A combination of pre-established verbal safe words, mandatory dual-approval delays for financial transfers, AI-powered behavioral anomaly detection (such as BrahmaFusion), and regular simulated deepfake testing (such as Pandava) provides the most effective layered defense.

  • QR Codes Are the Phishing Vector Your Security Team Is Not Watching: They Doubled in Q1 2026

    QR code phishing doubled in Q1 2026, making it the fastest-growing attack vector. Here’s why quishing bypasses email security and what stops it.

    Your email security gateway caught 8.3 billion phishing threats in Q1 2026. It almost certainly missed the fastest-growing one.

    QR code phishing, known as “quishing,” more than doubled in Q1 2026, according to Microsoft’s Q1 2026 Email Threat Landscape Report released April 30, 2026. It is now the fastest-growing attack vector in email-based threat data. It bypasses your existing defenses by design: the message carries no URL text, only an image that encodes one. Legacy email scanners that analyze link reputation and URL patterns have nothing to analyze. The malicious destination is invisible to automated scanning tools until the victim’s phone decodes it.

    And that phone, in virtually every enterprise environment, has far weaker security controls than the corporate laptop sitting next to it.

    This post explains exactly how QR code phishing works in 2026, why it is so difficult to detect with standard tools, and what security teams can add to close the gap.

    What Is QR Code Phishing (Quishing)?

    Quishing is a phishing attack that uses QR codes instead of embedded hyperlinks as the delivery mechanism. Rather than including a malicious URL that email security gateways can inspect and block, the attacker embeds a QR code image in the email or physical medium. The code itself contains the malicious URL, but this URL is not readable by text-based email scanning tools.

    The victim scans the QR code with their mobile device, which resolves the URL and delivers the phishing payload or credential harvesting page. Because mobile devices typically operate on personal or unmanaged networks (home Wi-Fi, cellular data) and lack enterprise-grade endpoint protection, the payload executes in an environment with significantly weaker security controls than the corporate perimeter.

    In Q1 2026, a multi-stage campaign targeted 35,000 users across 26 countries using QR-linked payloads as the primary delivery mechanism.

    Why QR Code Phishing Doubled in Q1 2026

    The Email Security Bypass Architecture

    The core reason quishing is growing is that it was engineered specifically to defeat email security gateways. Standard email security controls that fail against quishing include:

    • URL reputation scanning: No URL is present in the email body; the QR code is an image
    • Link rewriting and sandboxing: Cannot rewrite what does not appear as a link
    • Content analysis: The malicious destination is encoded in the image, not accessible to text analysis
    • Attachment scanning: A QR code image does not match malware signatures

    The email that delivers a QR phishing payload can pass every standard email security check with a perfect score.
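
    What a text-only URL scan sees in such a message, next to a MIME-level triage rule that routes it for image decoding. This is an added example, not code from Peris.ai or any gateway product; the addresses, lure wording, keyword list and stub image bytes are all constructed assumptions.

```python
"""Added example: a URL-only scan of a QR lure, and a triage rule for it.
Both messages are constructed; the PNG bytes are a stub, not a real QR code."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
LURE_RE = re.compile(r"\b(scan|qr)\b", re.I)      # assumed lure vocabulary
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64     # placeholder image bytes


def build_qr_lure():
    """Constructed message shaped like an MFA-enrollment lure: image, no link."""
    msg = EmailMessage()
    msg["From"] = "IT Service Desk <it@bank.example>"
    msg["To"] = "finance.director@bank.example"
    msg["Subject"] = "MFA upgrade: complete enrollment"
    msg.set_content("Scan the QR code below with your phone to finish enrollment.")
    msg.add_alternative(
        '<p>Scan the QR code below to finish enrollment.</p><img src="cid:qr1">',
        subtype="html")
    # Attach the image inline to the HTML part, as a mail client would.
    msg.get_payload()[1].add_related(PNG_STUB, maintype="image", subtype="png",
                                     cid="<qr1>")
    return msg.as_bytes()


def build_newsletter():
    """Constructed benign control: a visible link plus a logo attachment."""
    msg = EmailMessage()
    msg["From"] = "Comms <comms@bank.example>"
    msg["To"] = "all-staff@bank.example"
    msg["Subject"] = "Quarterly update"
    msg.set_content("Read more: https://intranet.bank.example/news\n")
    msg.add_attachment(PNG_STUB, maintype="image", subtype="png",
                       filename="logo.png")
    return msg.as_bytes()


def triage(raw):
    """Return the URLs a text scanner can see, the image parts, and a route."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, images, lure = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            body = part.get_content()
            urls += URL_RE.findall(body)
            lure = lure or bool(LURE_RE.search(body))
        elif part.get_content_maintype() == "image":
            images.append(part.get_content_type())
    urls = list(dict.fromkeys(urls))               # de-duplicate, keep order
    # An image with scan-me wording, or an image in a link-free message, goes
    # to an image-decoding stage (QR decoding needs an imaging library and is
    # outside this example); everything else stays on the URL pipeline.
    if images and (lure or not urls):
        route = "decode_images"
    else:
        route = "url_pipeline"
    return {"urls": urls, "images": images, "route": route}


if __name__ == "__main__":
    for name, raw in (("qr lure", build_qr_lure()),
                      ("newsletter", build_newsletter())):
        print(name, triage(raw))
```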

    CAPTCHA-Gated Payloads: A Secondary Evasion Layer

    Microsoft’s Q1 2026 data documents a parallel evolution: CAPTCHA-gated phishing, which grew rapidly alongside quishing in Q1. After the victim scans the QR code and loads the phishing page, the page requires a CAPTCHA completion before displaying the credential harvesting form. This prevents automated security analysis tools from reaching the payload page, making sandbox-based detection ineffective.

    The Mobile Device Security Gap

    The QR scanning device is typically a personal smartphone. In most enterprise environments:

    • Personal smartphones are not enrolled in Mobile Device Management (MDM)
    • They operate on personal networks outside enterprise security monitoring
    • They lack the endpoint protection installed on corporate laptops
    • Browser-level phishing protections on mobile are less mature than on desktop

    Physical Environment Expansion

    Quishing is no longer confined to email. In 2026, QR codes are being deployed as attack vectors in physical environments:

    • Fake QR codes pasted over legitimate ones at parking payment stations
    • Malicious QR codes embedded in conference badge lanyards and event materials
    • Phishing QR codes placed on posters in office reception areas and public spaces
    • Fake package delivery notifications with QR codes sent via physical mail

    The 2026 Quishing Threat Landscape: By the Numbers

    Metric | 2026 Data Point
    QR phishing growth, Q1 2026 | More than doubled quarter-over-quarter
    Total email phishing threats, Q1 2026 | 8.3 billion detected by Microsoft
    BEC attacks total, Q1 2026 | 10.7 million (January surge 24%, March surge 26%)
    Multi-country campaign scale | 35,000 users targeted across 26 countries with QR payloads
    Hyper-personalized AI phishing detection rate | Under 3% by standard security tools

    How Peris.ai Defends Against Quishing Attacks

    AI-Powered Phishing Response with BrahmaFusion

    BrahmaFusion, Peris.ai’s agentic AI and hyperautomation platform, automates the response to phishing alerts including quishing incidents. When a user reports a QR phishing email or an anomalous mobile login is detected following QR code scanning, BrahmaFusion triggers a response playbook: the suspicious email is quarantined across all recipients, the session credentials are flagged for forced re-authentication, the QR code image is extracted and submitted for reputation analysis, and the SOC is notified with a fully enriched alert package.

    Mobile and Endpoint Detection with XDR

    Peris.ai’s XDR platform extends detection to cover mobile and endpoint behavior following QR code interactions. When a device accesses a newly registered domain immediately after a QR code was reported in the environment, or when credential entry is followed immediately by an anomalous login from an unusual location, XDR correlates these signals into a high-confidence alert.

    Campaign Tracking with INDRA CTI

    INDRA CTI, Peris.ai’s threat intelligence platform, tracks active quishing campaigns in real time: QR code infrastructure domains, campaign-specific payload patterns, and threat actor attribution for organized quishing operations.

    Simulated Quishing Testing with Pandava

    Pandava, Peris.ai’s penetration testing platform, includes simulated quishing attacks as part of social engineering assessment programs.

    Real-World Scenario: A Quishing Attack Against a Finance Team

    A finance director at a regional bank receives an email appearing to come from the bank’s IT department:

    • The email explains that multi-factor authentication is being upgraded and provides a QR code to complete enrollment
    • The email passes all email security gateway checks (no URL, no malware signature, trusted sender display name)
    • The finance director scans the QR code during a commute using their personal smartphone
    • The QR code resolves to a CAPTCHA-gated credential harvesting page mimicking the bank’s MFA portal
    • The finance director completes the CAPTCHA and enters their username, password, and MFA code
    • Attackers use the harvested credentials within 4 minutes to initiate a session on the corporate banking platform
    • $380,000 is transferred to an external account before the session triggers a behavioral alert

    With Peris.ai: BrahmaFusion detects the anomalous login and forces re-authentication. INDRA CTI flags the destination domain as a known quishing campaign infrastructure. The transfer is blocked pending manual approval.

    Quishing Defense Checklist

    Control | Why It Helps
    QR-aware email security | Detect and sandbox QR code images before delivery
    Mobile Device Management | Extend endpoint security to devices used for QR scanning
    Behavioral login anomaly detection | Catch credential misuse following successful quishing
    Real-time campaign threat intel | Block known quishing domains before victims access them
    Simulated quishing training | Build staff recognition before real attackers test them

    Conclusion

    QR code phishing doubled in Q1 2026 for the same reason any attack vector grows: it works. It bypasses email security gateways by design, exploits the security gap of unmanaged mobile devices, and is now expanding beyond email into physical environments.

    Peris.ai’s combination of BrahmaFusion automated response, XDR behavioral detection, and INDRA CTI campaign intelligence gives security teams the multi-layer coverage needed to catch quishing attacks at the delivery, credential theft, and post-compromise stages.

    Frequently Asked Questions

    What is QR code phishing (quishing)?

    Quishing is a phishing attack that uses QR codes instead of embedded URLs to deliver malicious payloads. The QR code contains the malicious destination but appears as an image to email scanning tools, bypassing URL-based security checks.

    How much did QR code phishing grow in 2026?

    According to Microsoft’s Q1 2026 Email Threat Landscape Report, QR code phishing more than doubled in Q1 2026, making it the fastest-growing attack vector in email-based threat data for the quarter.

    Why does quishing bypass email security gateways?

    Email security gateways analyze text-based content, URLs, and file attachments. QR codes are images that contain no readable URL, so gateway tools have nothing to inspect or block.

    What is CAPTCHA-gated phishing?

    CAPTCHA-gated phishing places a CAPTCHA verification step between the victim and the credential harvesting page. This prevents automated security analysis tools from reaching the malicious payload, making sandbox-based detection ineffective.

    How can organizations protect against quishing attacks?

    Effective defenses include QR-aware email security, mobile device management, behavioral login anomaly detection, real-time threat intelligence to block known quishing domains, and simulated quishing exercises to train employees.

  • LLMjacking and Criminal AI: How Attackers Are Turning Your AI Infrastructure Into Their Weapon

    More than 90,000 LLMjacking attempts were logged between late 2025 and early 2026. Criminal AI toolkits have removed safety guardrails from large language models and made sophisticated attacks accessible at industrial scale. Your AI infrastructure is now an attack surface.

    The AI revolution in enterprise technology has a shadow side that most organisations are not yet defending against. While security teams focus on AI-powered phishing and deepfake fraud, a different category of threat has matured quietly: attacks against AI infrastructure itself.

    LLMjacking is the act of hijacking an organisation’s AI infrastructure to run compute-intensive tasks at the victim’s expense. It is analogous to cryptojacking but targets GPU-backed inference endpoints instead of CPU cycles. Meanwhile, a parallel criminal AI ecosystem has emerged, purpose-built to remove the safety controls of mainstream AI models and make sophisticated cyberattacks, fraud, and social engineering accessible to anyone willing to pay a subscription fee.

    This post examines both threats, the data behind their scale, and what security teams need to do before their AI investment becomes someone else’s attack platform.

    What Is LLMjacking?

    LLMjacking is the unauthorised use of an organisation’s AI model infrastructure, typically cloud-hosted LLM endpoints, to run inference tasks for the attacker’s benefit. The attacker does not steal data in the traditional sense. Instead, they consume the organisation’s compute resources, generating costs that can reach tens of thousands of dollars per day at scale.

    The attack vector is straightforward: misconfigured API keys, exposed inference endpoints, and vulnerable proxy configurations give attackers access to AI services. Automated scanners probe for these exposures continuously. More than 90,000 LLMjacking attempts were logged between late 2025 and early 2026, driven largely by misconfigured open proxies that provide access to LLM service APIs.

    The Criminal AI Toolkit Ecosystem

    Parallel to LLMjacking, a mature criminal AI ecosystem has developed specifically to remove the ethical and safety guardrails that mainstream AI providers have built into their models. These purpose-built criminal LLMs serve the same function as legitimate AI models, but without restrictions on harmful content:

    • WormGPT: generates convincing phishing emails, social engineering scripts, and malware code without the refusals that ChatGPT or Claude would produce
    • WolfGPT: focused on financial fraud and business email compromise script generation
    • EscapeGPT: specialises in jailbreaking and circumventing AI safety mechanisms
    • FraudGPT: used for generating fake invoices, fraudulent financial documents, and identity theft scripts
    • GhostGPT: targeted at creating evasive malware and exploit code

    These tools are not hypothetical. They are available on underground markets with subscription pricing ranging from $100 to $1,500 per month, making sophisticated attack capabilities accessible to threat actors with minimal technical background.

    The CrowdStrike 2026 Global Threat Report documented an 89% increase in AI-enabled adversary activity in 2025 compared to the prior year. All four major nation-state actors, China, Russia, Iran, and North Korea, had operationalised large language models in their attack chains by late 2025.

    CVE-2025-53773: When AI Development Tools Become Attack Surfaces

    The security risk of AI infrastructure extends beyond criminal toolkits. CVE-2025-53773 is a prompt injection vulnerability in GitHub Copilot that carries a CVSS score of 9.6. By embedding malicious instructions in pull request descriptions, an attacker could cause GitHub Copilot to execute arbitrary code on a developer’s workstation.

    This vulnerability illustrates a category of risk that security teams are not yet systematically addressing: the AI tools embedded in the development workflow are themselves attack surfaces. Every AI-assisted code review, every AI-generated pull request summary, and every AI-powered development tool introduces a new vector for prompt injection, model manipulation, and supply chain compromise.

    What Happens When AI Security Is Overlooked?

    Organisations that deploy AI infrastructure without corresponding security controls face multiple compounding risks:

    • Financial: LLMjacking can generate unexpected cloud bills of $10,000 to $50,000 or more per day when attackers run compute-intensive inference tasks at scale
    • Operational: Consumed API quotas disable legitimate AI-powered workflows
    • Data exposure: Attackers with access to AI inference endpoints may be able to extract training data or previous conversation context through prompt injection
    • Competitive: Proprietary models trained on internal data may be accessible to attackers via compromised API endpoints
    • Reputational: AI infrastructure used to generate attacker content may create attribution and liability issues

    AI Security: Traditional Posture vs. AI-Aware Defence

    Risk Category | Without AI Security | With Peris.ai AI Security
    LLMjacking detection | Discovered via unexpected invoice | BrahmaFusion detects anomalous AI API usage patterns
    Criminal AI toolkit awareness | Unknown until breach | INDRA CTI tracks criminal AI infrastructure and TTPs
    AI development tool vulnerabilities | Unmonitored in CI/CD pipeline | BimaRed SAST scans AI/ML pipeline code for injection vulnerabilities
    Prompt injection in production | No detection capability | XDR monitors AI service interactions for anomalous patterns
    Post-compromise response | Manual investigation | Peris.ai IRP case management with AI-specific playbooks

    How Peris.ai Secures AI Infrastructure

    INDRA CTI tracks the criminal AI toolkit ecosystem continuously. WormGPT, FraudGPT, GhostGPT, and their successors are monitored through their infrastructure, distribution channels, and capability updates. When a new criminal AI toolkit is identified that targets a specific sector or is observed being used in campaigns against organisations similar to yours, INDRA CTI delivers that intelligence to your security team as actionable context rather than a news item.

    BimaRed applies SAST to your AI and ML pipeline code. Prompt injection vulnerabilities, like CVE-2025-53773, are a class of code-level issue that static analysis can identify. BimaRed scans AI pipeline code for unsafe prompt handling patterns, unsanitised user input passed to model APIs, and dependencies with known AI-related vulnerabilities.

    BrahmaFusion detects anomalous AI API usage through behavioural monitoring. LLMjacking generates distinctive patterns: sudden spikes in API calls, unusual times of day for high-volume inference requests, calls from unexpected IP addresses or service identities, and consumption patterns inconsistent with legitimate business workflows. BrahmaFusion triggers automated isolation playbooks when these patterns are detected, revoking the compromised credentials and blocking the offending access before the bill arrives.

    Our XDR provides cross-layer detection for AI cloud service abuse. In cloud environments where AI inference runs alongside other workloads, XDR correlates anomalous AI service activity with related indicators in identity logs, network traffic, and endpoint activity to build a complete picture of the attack chain.

    Scenario: Catching LLMjacking Before the $40,000 Bill

    At 2:30am, BrahmaFusion detects an anomaly in the organisation’s AI inference endpoint usage: API call volume has increased 8,000% over baseline in the past 45 minutes. The calls are originating from an IP not associated with any known service identity.

    With Peris.ai:

    • BrahmaFusion immediately flags the anomalous API consumption pattern
    • INDRA CTI matches the source IP to known LLMjacking infrastructure from a scanning campaign identified the prior week
    • The compromised API key is revoked automatically
    • The inference endpoint is temporarily restricted to approved IP ranges pending investigation
    • Peris.ai IRP opens a case documenting the incident for the cloud security team
    • Estimated cost of the LLMjacking attempt if undetected for 24 hours: $38,000. Cost of the containment: 12 minutes of automated response.
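
    The signals described above (a volume spike over baseline, an unexpected source IP, off-hours use) can be expressed as a small triage function. This is an added example, not Peris.ai's code: the record fields, the svc-chatbot identity, its network allowlist and the thresholds are assumptions, and the usage windows are constructed to mirror the scenario's 8,000% jump at 2:30am.

```python
"""Triage AI API usage windows for LLMjacking indicators."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median


@dataclass(frozen=True)
class UsageWindow:
    start: datetime   # start of a fixed-length aggregation window (local time)
    key_id: str       # API key / service identity that made the calls
    source_ip: str
    calls: int


# Assumptions for this sketch: identity-to-network inventory and thresholds.
KNOWN_SOURCES = {"svc-chatbot": [ip_network("10.20.0.0/16")]}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time
SPIKE_PERCENT = 900.0           # flag a 10x jump over baseline


def baseline_calls(history, key_id):
    """Median calls per window for one key; the median resists one-off bursts."""
    samples = [w.calls for w in history if w.key_id == key_id]
    return float(median(samples)) if samples else 0.0


def increase_percent(window, history):
    """Percentage increase over baseline, or None when the key has no history."""
    base = baseline_calls(history, window.key_id)
    if base == 0:
        return None
    return (window.calls - base) / base * 100.0


def signals(window, history):
    found = []
    pct = increase_percent(window, history)
    if pct is None:
        found.append("no-baseline")       # a never-seen key cannot be judged normal
    elif pct >= SPIKE_PERCENT:
        found.append("volume-spike")
    nets = KNOWN_SOURCES.get(window.key_id, [])
    if not any(ip_address(window.source_ip) in net for net in nets):
        found.append("unknown-source")
    if window.start.hour not in BUSINESS_HOURS:
        found.append("off-hours")
    return found


def triage(window, history):
    """Automated revocation needs a spike corroborated by an unknown source."""
    found = signals(window, history)
    if "volume-spike" in found and "unknown-source" in found:
        return "revoke-key", found
    if found:
        return "alert", found
    return "allow", found


# Constructed sample data (documentation and private address ranges only).
HISTORY = [
    UsageWindow(datetime(2026, 1, 13, hour, 0), "svc-chatbot", "10.20.3.4", calls)
    for hour, calls in [(9, 48), (10, 50), (11, 52), (14, 50)]
]
NORMAL = UsageWindow(datetime(2026, 1, 14, 10, 0), "svc-chatbot", "10.20.3.4", 55)
BATCH = UsageWindow(datetime(2026, 1, 14, 15, 0), "svc-chatbot", "10.20.8.9", 900)
HIJACK = UsageWindow(datetime(2026, 1, 14, 2, 30), "svc-chatbot", "203.0.113.77", 4050)

if __name__ == "__main__":
    for w in (NORMAL, BATCH, HIJACK):
        print(w.start.isoformat(), w.calls, triage(w, HISTORY))
```

    A spike from a known network inside working hours (the BATCH window) only raises an alert, which keeps legitimate bulk jobs from having their keys revoked.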

    Benefits at a Glance

    Benefit | Outcome
    INDRA CTI criminal AI monitoring | WormGPT, FraudGPT, and LLMjacking infrastructure tracked in real time
    BimaRed AI pipeline SAST | Prompt injection vulnerabilities caught before deployment
    BrahmaFusion API anomaly detection | LLMjacking detected and contained before significant cost accumulates
    XDR cloud AI service monitoring | Full cross-layer visibility into AI infrastructure abuse

    Final Thought

    The AI infrastructure your organisation has invested in, the inference endpoints, the model APIs, the development tools with AI integration, is now part of your attack surface. The criminal ecosystem that has grown up around AI in 2025 and 2026 treats it as a resource to be exploited and a capability to be weaponised.

    Platforms like BrahmaFusion by Peris.ai, combined with INDRA CTI’s criminal AI tracking and BimaRed’s AI pipeline security, give security teams the visibility and automated response needed to protect AI investments from becoming attacker infrastructure.

    Frequently Asked Questions

    What is LLMjacking?

    LLMjacking is the unauthorised use of an organisation’s AI model infrastructure to run inference tasks at the victim’s expense. Attackers exploit misconfigured API keys or exposed inference endpoints to consume AI compute resources, generating costs of up to $50,000 or more per day. More than 90,000 LLMjacking attempts were logged between late 2025 and early 2026.

    What are criminal AI tools like WormGPT and FraudGPT?

    Criminal AI toolkits are purpose-built large language models that remove the safety guardrails of mainstream AI models. WormGPT generates phishing emails and malware code. FraudGPT creates fraudulent financial documents. GhostGPT produces evasive malware. These tools are available on underground markets for $100 to $1,500 per month.

    What is CVE-2025-53773 in GitHub Copilot?

    CVE-2025-53773 is a prompt injection vulnerability in GitHub Copilot with a CVSS score of 9.6. By embedding malicious instructions in pull request descriptions, an attacker could cause GitHub Copilot to execute arbitrary code on a developer’s machine.

    How can organisations detect LLMjacking attempts?

    Effective LLMjacking detection requires monitoring AI API usage for anomalous patterns: sudden spikes in call volume, requests from unexpected IP addresses or service identities, and consumption patterns inconsistent with normal business workflows. BrahmaFusion’s behavioural monitoring detects these patterns and triggers automated credential revocation before significant cost accumulates.

    How has nation-state use of AI in attacks evolved?

    According to CrowdStrike’s 2026 Global Threat Report, all four major nation-state actors (China, Russia, Iran, North Korea) had operationalised LLMs in their attack chains by late 2025, and AI-enabled adversary activity increased by 89% in 2025 versus the prior year.

  • Your Browser Is the Enterprise’s Biggest Data Leak: The Shadow AI Extension Crisis of 2026

    The Browser Became the New Endpoint, and Nobody Sent the Memo

    While most enterprise security programs are still budgeting for shadow IT, the actual crisis has migrated into a single application: the browser. LayerX Security’s 2026 research shows that 1 in 6 enterprise users runs at least one AI-enabled browser extension, and 73% of those extensions carry high or critical permission scope. AI extensions are 60% more likely to have a known CVE than the average extension, three times more likely to have cookie access, and six times more likely to expand permissions after install.

    IBM’s 2025 Cost of a Data Breach Report adds the financial line: shadow AI added USD 670,000 to the average breach cost, and only 37% of organizations had any governance controls in place.

    This is the new perimeter problem. The CASB-SWG-DLP stack you bought in 2020 was not designed for it. This post is the CISO briefing on what changed, what is exposed, and how Peris.ai shrinks the gap.

    What Is Shadow AI in the Browser?

    Shadow AI describes the unsanctioned use of generative AI tools and AI-enabled browser extensions by employees, outside of central IT governance. It includes browser plugins that summarize email, rewrite documents, transcribe meetings, suggest replies, or read web pages, all by streaming corporate data to third-party large language model providers.

    The defining characteristic of shadow AI is consent. Employees install these tools personally, often using personal accounts, and grant permissions through a one-click flow that bypasses identity, DLP, and procurement entirely.

    Why Is Shadow AI So Dangerous in 2026?

    Permission scope is enormous

    73% of AI browser extensions in enterprise use carry permissions to read all data on visited pages, capture cookies, and modify network requests. An employee installing an AI assistant for Gmail is, in practice, granting that vendor access to every page they visit and every authenticated session they maintain.

    Identity oversight is bypassed by design

    90% of GenAI logins in enterprise environments bypass identity oversight, and 67% of employees access GenAI tools via personal accounts. The SSO, the conditional access policies, and the audit logs all become irrelevant because the user never touched the corporate identity provider for that session.

    Data exposure is normalized in workflow

    77% of employees paste data into GenAI prompts, and 50% of that paste activity includes corporate data, ranging from customer lists to financial models to source code. The transaction feels lightweight because the interface looks like a chat window, but the data exits the perimeter the moment Enter is pressed.

    The vulnerability profile is worse than baseline

    AI extensions are 60% more likely to carry known CVEs than the average extension. They are 6 times more likely to expand their permissions after install. They are 3 times more likely to require cookie access. The class of software least subject to enterprise vetting is also the class most likely to be exploitable.
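
    The permission classes described above, and later scope expansion, are visible in an extension's manifest.json. The following added example (not from LayerX or Peris.ai) parses two constructed versions of a hypothetical summarizer extension, maps Chrome manifest permissions to those classes and lists what an update added; the finding names are assumptions.

```python
"""Audit browser-extension manifests for broad scope and post-install expansion."""
import json

# Host patterns that match every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome extension APIs that observe or modify network requests.
NETWORK_APIS = {"webRequest", "webRequestBlocking",
                "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}


def granted(manifest):
    """Return (api_permissions, host_patterns) held as soon as the extension installs."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))       # Manifest V3
    # Manifest V2 mixes host patterns into "permissions"; split them out.
    mixed = {p for p in perms if p == "<all_urls>" or "://" in p}
    perms -= mixed
    hosts |= mixed
    # A content script can read the DOM of every page its patterns match.
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return perms, hosts


def risk_findings(manifest):
    """Map granted scope to the three classes discussed in the text."""
    perms, hosts = granted(manifest)
    found = []
    if hosts & BROAD_HOSTS:
        found.append("reads-all-pages")
    if "cookies" in perms:
        found.append("cookie-access")
    if perms & NETWORK_APIS:
        found.append("network-request-access")
    return found


def added_scope(old, new):
    """Permissions and host patterns present in the update but not before it."""
    old_perms, old_hosts = granted(old)
    new_perms, new_hosts = granted(new)
    return sorted((new_perms - old_perms) | (new_hosts - old_hosts))


def review_update(old, new):
    before, after = risk_findings(old), risk_findings(new)
    return {
        "version": f'{old["version"]} -> {new["version"]}',
        "added_scope": added_scope(old, new),
        "new_findings": [f for f in after if f not in before],
        # Optional permissions are requested at runtime: where scope may grow next.
        "may_request_later": sorted(new.get("optional_permissions", [])),
    }


# Constructed manifests for a hypothetical extension (not a real product).
V1 = json.loads("""{
  "manifest_version": 3, "name": "Mail Summarizer (constructed)", "version": "1.0.0",
  "permissions": ["storage", "activeTab"],
  "host_permissions": ["https://mail.google.com/*"]
}""")
V2 = json.loads("""{
  "manifest_version": 3, "name": "Mail Summarizer (constructed)", "version": "1.1.0",
  "permissions": ["storage", "activeTab", "cookies", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "optional_permissions": ["history"]
}""")

if __name__ == "__main__":
    print(json.dumps(review_update(V1, V2), indent=2))
```

    Running the same comparison on every extension update turns an annual plugin review into a per-release check.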

    What Happens When Teams Do Not Solve This?

    • 20% of organizations reported breaches specifically caused by shadow AI in 2025.
    • IBM tracked an average USD 670,000 added breach cost attributable to shadow AI exposure.
    • Only 37% of organizations have any GenAI detection or governance policy. The other 63% are running blind.
    • Customer trust, particularly in regulated sectors, evaporates after a single shadow-AI-linked disclosure.

    Old Way vs. New Way: Browser Governance

    Capability | Pre-Shadow-AI Stack | 2026 Browser Governance
    Application control | CASB and SWG visibility | Real-time browser-process telemetry
    Extension hygiene | Annual review of approved plugins | Continuous risk scoring per extension
    Data exfiltration | DLP at network egress | Prompt-level DLP at browser layer
    Identity scope | SSO-scoped audit | Identity plus personal-account behavioral baselines
    Threat intel | Generic phishing IOCs | Malicious AI extension and prompt-injection infrastructure

    How Peris.ai Closes the Shadow AI Gap

    Peris.ai treats the browser as the actual endpoint, because in 2026 it functionally is. Three components address the shadow AI problem directly.

    BrahmaFusion for browser behavioral analytics

    BrahmaFusion correlates browser process telemetry with DLP signals, identity events, and outbound traffic patterns. When an employee pastes a customer list into an unsanctioned GenAI tab, BrahmaFusion sees the paste event, the destination, the data sensitivity, and the user context together. It can block the action in real time or trigger a structured coaching prompt without halting productivity. Peris.ai clients report 40% SOC cost savings after BrahmaFusion automates this class of policy enforcement.

    INDRA CTI for malicious AI extension intelligence

    INDRA CTI tracks malicious AI extensions, prompt-injection attack infrastructure, and AI vendors with known data-handling issues. Your team subscribes to a continuously updated risk feed instead of reactive review cycles.

    XDR for endpoint-level browser visibility

    Our XDR sees the process layer beneath the browser. When an AI extension expands permissions, accesses cookies it never needed before, or initiates outbound traffic to anomalous endpoints, XDR raises the alert and correlates it with identity and network signals.

    Use Case: Catching a Paste Before It Leaves

    A mid-market SaaS company using Peris.ai observes the following on a Wednesday morning.

    • A product manager installs a popular AI-powered email summarizer browser extension on her work laptop without going through procurement.
    • The extension immediately requests cookie access and the ability to read all visited pages. Our XDR logs the new extension fingerprint and elevated permission scope.
    • Within an hour, the product manager pastes a sensitive customer churn analysis into the extension’s prompt panel. BrahmaFusion identifies the paste as corporate data, classifies the destination as an unsanctioned LLM provider, and pauses the outbound request mid-flight.
    • The user sees a coaching message offering an approved alternative. The data never leaves. IRP captures the event for the governance team.

    No breach. No board memo. No USD 670,000 cost addition.

    Outcomes That Matter

    Benefit | Outcome
    Real-time prompt-layer DLP | Sensitive data does not leave the browser
    Continuous extension risk scoring | High-CVE or scope-creep extensions surfaced before incident
    Identity correlation across personal accounts | Closes the 90% identity-oversight gap
    Automated coaching | Productivity preserved while policy enforced
    Governance evidence in IRP | Regulator-ready trail for GenAI usage

    Conclusion

    Shadow AI is not a future risk. It is the most-installed and least-governed software category in your enterprise today. The CASB-SWG-DLP architecture, designed for traditional SaaS sprawl, does not see the browser-layer paste, the extension permission creep, or the personal-account login. Closing that gap requires agentic AI cybersecurity that operates at the browser and prompt layers, with hyperautomation SOC workflows tying it back to identity and network telemetry. Peris.ai brings exactly that capability.

    Don’t wait for a breach to take action. Secure your organization today. Stay Secure with Peris.ai.

    FAQ

    What is shadow AI?

    Shadow AI is the unsanctioned use of generative AI tools, browser extensions, or AI-enabled features by employees outside of central IT governance, typically via personal accounts that bypass corporate identity and DLP controls.

    How widespread is shadow AI in 2026?

    LayerX Security research finds 1 in 6 enterprise users runs at least one AI-enabled browser extension, with 73% of those extensions carrying high or critical permission scope. 77% of employees paste data into GenAI prompts.

    How much does shadow AI cost when it leads to a breach?

    IBM’s 2025 Cost of a Data Breach Report attributes an average USD 670,000 additional cost to breaches involving shadow AI exposure, and 20% of organizations reported breaches specifically caused by shadow AI.

    Why does standard DLP miss shadow AI?

    Traditional DLP is positioned at network egress and email gateways, while shadow AI usage often occurs inside an authenticated browser session via a personal account, with the data leaving as a chat prompt. The browser is the actual exfiltration surface and is invisible to legacy DLP.

    How does Peris.ai detect and block shadow AI activity?

    Peris.ai BrahmaFusion correlates browser process telemetry with DLP signals and identity events, blocks unsanctioned paste actions in real time, and provides coaching prompts. INDRA CTI scores AI extensions for risk continuously, and Peris.ai XDR sees permission-creep behaviors at the endpoint layer.

  • They Didn’t Break In. They Logged In: The Credential-First Ransomware Playbook Rewriting Your Threat Model

    7,655 ransomware victims in 12 months (based on leak site tracking). One organization every 71 minutes. The dominant attack vector is not a vulnerability: it’s a valid login.

    From March 2025 to March 2026, ransomware groups posted 7,655 victim claims. That is one new organization posted every 71 minutes, every hour of every day for an entire year. Fifty-three ransomware groups claimed US victims in January and February 2026 alone. Qilin alone claimed 1,179 victims across 74 countries, averaging 3.1 new victims every single day.

    These numbers are striking. What is more striking is how the attacks actually begin. Ransomware is no longer primarily a story about exploiting technical vulnerabilities. The dominant shift in 2026 is identity-first attack: attackers prioritize credential theft, session token hijacking, and federated access abuse to achieve initial access. They do not break in through a zero-day. They log in with a valid credential.

    This rewrite of the ransomware playbook has profound implications for threat models that are organized around perimeter defense and vulnerability management. If the attacker already has valid credentials, your firewall sees a legitimate login. Your SIEM records an authenticated session. Your EDR agent sees a credentialed user executing commands. The threat is inside the perimeter from the first moment, and it looks like a trusted user.

    This post maps how credential-first ransomware works in 2026, why the identity perimeter is now the last line of defense, and what detection controls actually catch these attacks before encryption begins.

    What Is Credential-First Ransomware?

    Credential-first ransomware is a ransomware attack methodology that prioritizes obtaining valid authentication credentials as the first phase of the attack chain, rather than exploiting a technical vulnerability for initial access. This includes phishing-based credential theft, session token hijacking (including AiTM techniques), dark web purchase of previously stolen credentials, and insider recruitment.

    Once inside with valid credentials, attackers move methodically: they discover the environment, elevate privileges, disable security tooling, destroy backups, and stage data for exfiltration before deploying encryption. The credential is the key. Everything else follows from having it.

    The 2026 Ransomware Landscape: Who Is Attacking

    The credential-theft, identity-first ransomware landscape in 2026 is characterized by a maturing ecosystem of specialized groups with distinct operating patterns.

    Qilin leads by volume with 1,179 claims across 74 countries in the past 12 months. Akira targets mid-market organizations in manufacturing and professional services. Clop specializes in large-scale data theft from enterprise networks. INC Ransom and Play focus on critical infrastructure and healthcare. DragonForce and Sinobi represent newer entrants with rapidly growing victim counts.

    Across these groups, several structural trends define 2026 operations: faster rebranding cycles when heat increases, cross-platform encryption capability that operates across Windows, Linux, and VMware ESXi simultaneously, and double extortion as the baseline: data exfiltration before encryption, with two separate leverage points for payment.

    Perhaps most concerning: ransomware groups are actively recruiting native English speakers to approach corporate insiders as recruitment targets. A BBC reporter was contacted in 2026 by a group attempting to recruit insiders to plant ransomware in exchange for a share of the ransom. The attack surface now includes your employees as potential threat vectors.

    The Credential-First Attack Chain

    Phase 1: Credential Acquisition

    Attackers acquire credentials through multiple channels operating in parallel. Phishing campaigns deliver credential-harvesting pages or info-stealers. Dark web credential markets sell previously stolen credentials from historical breaches. Session tokens are harvested through AiTM phishing proxies that bypass MFA. Federated identity vulnerabilities allow credential reuse across cloud environments.

    Nation-state actors using AI to forge synthetic identities and deepfake personas have also been observed successfully passing recruitment and verification processes, establishing insider positions in targeted organizations. The acquisition phase is patient and multi-channel.

    Phase 2: Persistent Access Establishment

    With valid credentials, the attacker establishes persistent access using legitimate mechanisms: creating new accounts, adding MFA methods to existing accounts, registering new devices for trusted access, and installing remote management tools that are indistinguishable from legitimate IT infrastructure.

    This phase is where dwell time accumulates. Attackers may maintain persistent access for weeks before proceeding, gathering intelligence on network topology, backup architecture, and security tooling.
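
    A replayed AiTM session token (Phase 1) and the persistence actions of Phase 2 both leave marks in identity-provider audit logs. This added example (not Peris.ai's code) flags account creation, MFA enrolment and device registration when the session has been seen from more than one IP or the IP is unfamiliar for the user; the event schema, the known-IP baseline and the severity labels are assumptions, and the events are constructed.

```python
"""Flag persistence actions taken in sessions that look replayed or unfamiliar."""
from collections import defaultdict

# Phase 2 actions named in the text, as hypothetical audit-log action names.
PERSISTENCE_ACTIONS = {"account_created", "mfa_method_added", "device_registered"}


def ev(ts, user, action, session, ip):
    """Build one audit event (assumed schema for this sketch)."""
    return {"ts": ts, "user": user, "action": action, "session": session, "ip": ip}


# Constructed events; addresses come from documentation ranges.
EVENTS = [
    ev("2026-03-02T09:01:10", "alice", "sign_in", "s-100", "198.51.100.10"),
    ev("2026-03-02T09:05:42", "alice", "mail_read", "s-100", "198.51.100.10"),
    # Same session token now presented from a second address.
    ev("2026-03-02T09:20:03", "alice", "mail_read", "s-100", "203.0.113.45"),
    ev("2026-03-02T09:22:17", "alice", "mfa_method_added", "s-100", "203.0.113.45"),
    ev("2026-03-02T09:25:51", "alice", "device_registered", "s-100", "203.0.113.45"),
    # Routine enrolment from the user's usual address: should stay quiet.
    ev("2026-03-02T10:00:00", "bob", "sign_in", "s-200", "198.51.100.11"),
    ev("2026-03-02T10:02:30", "bob", "mfa_method_added", "s-200", "198.51.100.11"),
    # Single-address session, but from somewhere new for this user.
    ev("2026-03-02T11:00:00", "carol", "sign_in", "s-300", "192.0.2.80"),
    ev("2026-03-02T11:05:00", "carol", "device_registered", "s-300", "192.0.2.80"),
]

# Assumed baseline: addresses each user has signed in from before.
KNOWN_IPS = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.11"},
    "carol": {"198.51.100.12"},
}


def detect_persistence(events, known_ips):
    """Return alerts for persistence actions with replay or unfamiliar-IP context."""
    session_ips = defaultdict(set)
    alerts = []
    # ISO 8601 timestamps in one timezone sort correctly as strings.
    for e in sorted(events, key=lambda item: item["ts"]):
        session_ips[e["session"]].add(e["ip"])
        if e["action"] not in PERSISTENCE_ACTIONS:
            continue
        reasons = []
        if len(session_ips[e["session"]]) > 1:
            # One token, several addresses: consistent with token replay,
            # though VPN or mobile network changes can also cause it.
            reasons.append("session-seen-from-multiple-ips")
        if e["ip"] not in known_ips.get(e["user"], set()):
            reasons.append("unfamiliar-ip")
        if reasons:
            alerts.append({
                "ts": e["ts"],
                "user": e["user"],
                "action": e["action"],
                "severity": "high" if len(reasons) == 2 else "medium",
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence(EVENTS, KNOWN_IPS):
        print(alert)
```

    The sign-in itself passes MFA in every case here; the detection keys on what the session does afterwards and from where.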

    Phase 3: Privilege Escalation and Lateral Movement

    Using the persistent access, attackers escalate privileges by exploiting misconfigured access controls, over-privileged service accounts, and legacy systems that lack modern authentication requirements. Lateral movement uses legitimate tools: RDP, WMI, PowerShell, and network file shares — activities that are difficult to distinguish from normal IT operations without behavioral context.

    Phase 4: Defense Evasion and Backup Destruction

    Before encryption, attackers systematically disable or evade security controls: stopping EDR agents, clearing logs, disabling backup processes, and staging data exfiltration. Backup destruction is completed before ransomware deployment to remove the recovery option. This phase is the critical window for detection: the behavioral patterns of backup access and deletion, logging changes, and security tool manipulation are detectable anomalies that precede encryption.

    Phase 5: Encryption and Double Extortion

    With defenses disabled and backups destroyed, encryption is deployed. Simultaneously, the exfiltrated data creates a second extortion lever: pay or the data is published. In 2026, the encryption phase is often the first moment organizations realize an attack is underway: by then, the damage is largely done.

    What Happens When Teams Miss the Early Phases

    Ransomware groups have adapted to detection at the encryption phase: they simply rebuild with a different tool and re-enter. The organizations that successfully reduce breach impact are those that detect the attack during credential acquisition, persistence establishment, or the lateral movement phase — before backup destruction begins. Peris.ai’s platform reduces breach impact by 53% and cost by 47% in documented deployments: that reduction comes from early-phase detection, not post-encryption response.

    Why Traditional Threat Models Miss Credential-First Ransomware

    The credential-first ransomware playbook is not a new tactic: it is the maturation of an approach that has been growing in prevalence for years, driven by the increasing availability of stolen credentials, the effectiveness of session token hijacking, and the reality that most organizations have stronger perimeter defenses than identity security.

    The threat model that treats network perimeter defense as the primary control is the wrong threat model for 2026. Identity security, behavioral analytics that surface anomalous credential use, and automated response speed are the controls that matter. Peris.ai’s XDR, BrahmaFusion, and IRP give SOC teams the identity-layer visibility, early-phase detection, and automated response capability to catch ransomware attacks before they reach the encryption phase.

    Because in 2026, the most dangerous actor in your environment is not breaking in. They are already logged in. And the clock is running.

    Learn how Peris.ai’s agentic AI platform empowers security teams to detect and stop credential-first ransomware before backup destruction begins. Want more insights? Visit Peris.ai.

    Frequently Asked Questions

    What is credential-first ransomware?

    Credential-first ransomware prioritizes obtaining valid authentication credentials as the first phase of the attack chain, using credential theft, session token hijacking, or dark web credential purchases to gain access, rather than exploiting technical vulnerabilities.

    How many ransomware attacks happened in 2025-2026?

    Ransomware groups posted 7,655 victim claims from March 2025 to March 2026 (based on leak site tracking), representing one new organization every 71 minutes.

    Who is Qilin ransomware?

    Qilin is the most prolific ransomware group in the 12-month period ending March 2026, claiming 1,179 victims across 74 countries at an average rate of 3.1 victims per day.

    Why does MFA no longer fully protect against ransomware?

    AiTM phishing techniques proxy the authentication flow, capturing the session token after MFA completes. Attackers replay the token to gain authenticated access without ever having the user’s credentials or MFA device.

    How does Peris.ai detect credential-first ransomware attacks?

    Peris.ai’s XDR correlates identity signals across endpoint, network, cloud, and authentication layers to detect anomalous credential use in the early attack phases. BrahmaFusion executes automated response playbooks to contain compromise before lateral movement or backup destruction occurs.

  • Hackers Don’t Only Target Large Companies: Why Indonesian Startups and SMEs Are Now Prime Targets for Cybercrime

    Imagine your shop (physical or digital) left open and unlocked every night. No padlock, no alarm, no camera. Anyone can walk in, take what they want, and leave without a trace. That is the state of cybersecurity at most digital startups and SMEs in Indonesia today.

    Many business owners and startup founders still assume: “I’m not a target. Hackers only go after big banks, multinational companies, or governments.” This assumption is not just wrong, it is dangerous. And it is precisely what makes small and medium-sized businesses a more attractive target for most cybercriminals.

    The fact: Indonesia is the country hit by the most cyberattacks in Southeast Asia in 2026. On average, organizations in Indonesia receive thousands of cyberattacks every week. And the majority of victims are not Fortune 500 companies, but businesses like yours.

    Why Are Startups and SMEs Actually More Attractive to Cybercriminals?

    The logic is simple: hackers seek maximum gain at minimum risk. Large companies have full-time cybersecurity teams, sophisticated monitoring systems, and mature incident response procedures. Startups and SMEs, on the other hand, often:

    • Have no dedicated IT security team
    • Use the same password across many accounts
    • Have not enabled two-factor authentication (2FA)
    • Store customer data without adequate encryption
    • Use pirated or unpatched software

    60% of global ransomware targets are SMEs, not large corporations. The reason: SMEs hold valuable data (customer data, business bank accounts, point-of-sale systems) but rarely have adequate backups or an incident response team. That means the pressure to pay the ransom is far greater.

    The average cost of a single cyber incident for an SME: $25,000 to $50,000, equivalent to hundreds of millions of rupiah, enough to shut down a business that has been running for only a few years.

    The 5 Most Common Cyber Threats Facing Indonesian Startups in 2026

    1️⃣ Ransomware via Phishing Email

    Ransomware is a type of malware that encrypts all the files on your computer, then demands a ransom before you can access them again. It most often gets in through an email that looks legitimate, as if from a courier, bank, or business partner, but carries a malicious attachment.

    Imagine: all of your Tokopedia seller customer data, your financial reports, and your GoPay merchant database are locked. You cannot operate. Every hour, the losses grow.

    2️⃣ Customer Data Theft

    Customer data such as names, emails, phone numbers, addresses, and transaction history has high value on the black market. Hackers who gain access to your business database can sell that data, use it for fraud, or threaten to publish it unless you pay.

    Under the Personal Data Protection Law (UU PDP), in effect since 2024, customer data leaks must be reported and can result in sanctions; there is no exception for SMEs.

    3️⃣ Business Email Fraud (Business Email Compromise / BEC)

    Hackers compromise or impersonate the email account of a company leader, then send transfer instructions to the finance team. The email looks legitimate, uses a familiar name and writing style, and urges immediate action.

    BEC victims in Indonesia have increased significantly as business email adoption has spread. WhatsApp Business and Google Workspace email accounts not protected by 2FA are prime targets.

    4️⃣ Cryptomining via Misconfigured Cloud Servers

    Startups using cloud services (AWS, Google Cloud, DigitalOcean) often misconfigure access settings, unknowingly opening their servers to the public. Hackers exploit this not to steal data, but to run cryptocurrency mining programs on your computing resources, which means your cloud bill spikes dramatically.

    5️⃣ Digital Supply Chain Attacks

    WordPress plugins, browser extensions, and third-party applications integrated with your systems are all potential entry points. The APT group Lotus Blossom, which is active in Southeast Asia, has targeted regional technology startups through popular software that had already been compromised.

    What Happens If Your Business Is Hit by a Cyberattack?

    Let’s be realistic. When a small business is hit by a cyberattack:

    • Operations stop. You cannot access the POS system, customer database, or e-commerce platform.
    • Direct losses. Lost transactions, data recovery costs, and a potential ransom payment.
    • Loss of customer trust. News of a data leak spreads quickly, especially in the social media era.
    • Regulatory sanctions. UU PDP and BSSN Regulation No. 1/2024 require cyber incidents to be reported; failing to report adds legal problems.
    • Long-term impact. A damaged business reputation takes a long time to rebuild, even after technical systems are back to normal.

    ✅ A 5-Step Practical Checklist You Can Act on Today

    The good news: there are basic steps that do not require a large budget but provide significant protection.

    Step 1: Enable Two-Factor Authentication (2FA) on All Important Accounts

    Business email (Gmail/Google Workspace), Tokopedia Seller accounts, OVO business, GoPay merchant, internet banking, and cloud platforms should all be protected with 2FA. This is the single most effective step for preventing account takeover, even if your password leaks.

    How: Go to each platform’s security settings and enable “Two-Step Verification” or “Autentikasi 2 Langkah.” Use the Google Authenticator app or SMS OTP.

    Step 2: Back Up Data Automatically Every Day

    Ransomware loses its power if you have a recent backup. Set up automatic daily backups to a location separate from the main system: cloud storage (Google Drive, Dropbox business) OR an external hard drive that is not always connected to the computer.

    The 3-2-1 rule: 3 copies of the data, on 2 different media, with 1 copy in a different location (offsite or cloud).

    Step 3: Train All Employees to Recognize Phishing Emails

    A single employee clicking a malicious attachment can bring down the entire system. A short training session of 1 hour per year has been shown to reduce phishing risk by more than 60%. Teach your team to:

    • Always check the sender’s email address carefully (not just the display name)
    • Never click attachments from unknown senders
    • Contact the sender through another channel if they receive suspicious transfer instructions
    • Report suspicious emails to the IT team or management

    Step 4: Update All Software Regularly

    Software that is not updated contains security weaknesses that are already known to the public, and to hackers. Enable automatic updates for the operating system, browser, business applications, and website plugins.

    If you use WordPress, update plugins and themes regularly. Outdated WordPress plugins are one of the most common attack vectors for Indonesian SME websites.

    Step 5: Use a Strong, Unique Password for Every Account

    Passwords like “toko123” or “namabisnis2024” can be cracked in seconds. Use a password manager such as Bitwarden (free) or 1Password to generate and store a strong, unique password for every account. Never use the same password on more than one account.

    How Much Does Cybersecurity Cost vs. the Cost of an Incident?

    Here is a comparison every business owner should consider:

    Cost of Protection | Cost of Being Unprotected
    Basic security monitoring service: from millions of rupiah/month | Average SME ransomware loss: hundreds of millions of rupiah
    Employee anti-phishing training: 1 hour/year | Loss of customer trust: permanent
    Password manager: free, hundreds of thousands of rupiah/month | UU PDP sanctions: not yet set, but significant
    Automated cloud backup: tens of thousands, hundreds of thousands of rupiah/month | Operational downtime: hundreds of millions of rupiah per day

    The investment is small. The consequences of not investing can be fatal for the business.

    How Does Peris.ai Help Indonesian Startups and SMEs?

    Peris.ai is an agentic-AI-based cybersecurity company with offices in Singapore, Indonesia (Jakarta), and the UAE. We understand that not every business has a complete in-house SOC team, which is why our solutions are designed for businesses of various sizes, including startups and SMEs that are just building their digital security foundations.

    Pandava is Peris.ai’s penetration testing service, an important step for startups that want to know how secure their systems are before hackers find out first. Pandava simulates real attacks against your website, mobile applications, and cloud infrastructure, then produces a complete report on the gaps found along with remediation recommendations. It is like calling in a “professional burglar” to test your shop’s security: better to know now than after the fact.

    Korava is Peris.ai’s bug bounty platform, which lets your business draw on the cybersecurity research community to find vulnerabilities in your systems on an ongoing basis. Instead of relying on a single internal team, Korava connects you with hundreds of ethical hackers who are paid only when they find a real bug, a cost-efficient model for SMEs that want layered security without a large budget. This is how the world’s leading technology startups keep their products secure proactively.

    Peris.ai’s 1-on-1 Consulting Service is available for startups that need cybersecurity guidance tailored to their specific needs and budget. The Peris.ai team consists of practitioners with more than 10 years of experience in red teaming and SOC operations.

    Peris.ai is also registered with BSSN (Badan Siber dan Sandi Negara, the National Cyber and Crypto Agency), providing additional assurance that the services you receive meet Indonesia’s national cybersecurity standards.

    There Is No “Too Small to Be Attacked”

    Every business that holds customer data, business bank accounts, or digital systems is a potential target. The greater your digital adoption, and the more you rely on GoPay, Tokopedia, WhatsApp Business, Google Workspace, and cloud services, the larger the attack surface that needs to be protected.

    The statement “I am too small to be attacked” is the one cybercriminals most hope you will keep believing.

    Indonesia records an average of thousands of cyberattacks per week per organization. The next attack may target your business, and the question is not if, but when. Preparation today determines the impact when it happens.

    Visit Peris.ai and find AI-based cybersecurity solutions that will strengthen your digital defenses against modern threats. Start with a free consultation and understand what needs to be protected in your business!

    Frequently Asked Questions

    Are small businesses really a target for hackers?

    Yes, and very often. 60% of global ransomware targets are SMEs because they hold valuable data but have weaker defenses. Indonesia is the most attacked country in Southeast Asia in 2026.

    What is the first step to take to protect a business from cyberattacks?

    Enable two-factor authentication (2FA) on all important accounts: business email, digital banking, e-commerce platforms, and cloud services. This is the most effective step at zero cost.

    Does the UU PDP apply to SMEs and startups?

    Yes. Indonesia's Personal Data Protection Law (UU PDP), in force since 2024, has no exemptions based on business size. Every business that processes customers' personal data is required to comply with the data protection provisions, including the obligation to report breaches.

    What is the average cost of a cyberattack on an SME?

    The average cost of a cyber incident for an SME ranges from $25,000 to $50,000 (equivalent to hundreds of millions of rupiah) according to FBI IC3 2024 data. This does not include operational losses, reputational damage, and potential regulatory sanctions.

    How can I tell whether my business has already become a target of a cyberattack?

    Common signs: systems that suddenly slow down, cloud bills that spike abnormally, accounts sending email without your knowledge, or customers reporting that they received suspicious messages from your business account. If you suspect an incident, contact a cybersecurity professional immediately.