Artificial intelligence (AI) has lowered the barrier to entry for cybercriminals, enabling ransomware groups to automate coding, generate polymorphic malware that alters its code with each infection, and create convincing social engineering lures, according to blockchain intelligence firm TRM Labs.
Nine emerging groups identified in the past 12 months have leveraged AI to scale their operations rapidly, with some shifting away from encryption to rely on reputational damage, regulatory pressure, and data leaks for extortion.
Global crypto scam losses surged to $4.6 billion in 2024, with at least 87 AI-driven scam rings dismantled in the first quarter of 2025 alone.
According to Ari Redbord, Global Head of Policy at TRM Labs, “the line between financially motivated groups and state-linked actors is also becoming increasingly blurred”, with state-sponsored actors collaborating with cybercriminals to pool resources.
Most notably, TRM identified APTLock as linked to the Russian state-sponsored group Fancy Bear, conducting destructive attacks that encrypt and delete data while defacing systems.
The group launders proceeds through long peel chains with dozens of uniform-value deposits into a non-custodial exchange, FixedFloat, before converting to Monero.
AiLock, first identified in April 2025, deliberately markets itself as AI-assisted and employs polymorphic malware for defense evasion.
The group threatens to report breaches to regulators and competitors while giving 72-hour response deadlines and five-day payment windows.
AiLock launders funds through peel chain patterns, directing the majority to the Wasabi mixer and routing smaller portions through FixedFloat.
AiLock victim funds deposited through Wasabi mixer. | Source: TRM LabsEmerging Groups Deploy Tactics From Encryption to Pure Extortion
Among other notable groups, Arkana Security gained prominence after breaching U.S. cable provider WideOpenWest in March 2025, employing a three-phase extortion strategy combining ransom demands, data sales, and public leaks.
The group carries out attacks from phishing to credential theft and network lateral movement while doxxing executives’ personally identifiable information.
Arkana funnels all victim proceeds into a single non-custodial exchange, creating potentially recoverable cash-out patterns.
Arkana Security deposits victim funds to a non-custodial exchange. | Source: TRM LabsNotably as well, Dire Wolf conducts targeted double-extortion attacks across manufacturing, technology, healthcare, and construction sectors, primarily targeting the United States and Thailand.
The group deploys custom Golang ransomware that disables security tools and deletes recovery files, directing victims to live dark web chatrooms for negotiations.
Proceeds are also laundered through multiple deposits into non-custodial exchanges to avoid strict KYC procedures.
Dire Wolf depositing victim funds to a non-custodial exchange. | Source: TRM LabsSimilarly, Frag exploits the Veeam vulnerability rated CVSS 9.8, using compromised VPN credentials without multi-factor authentication to deploy ransomware with .frag extensions.
TRM assesses that Frag may be associated with the Akira ransomware group, as both utilize shared wallet clusters and identical payment services.
The group expanded from its first victim in February 2025 to claim 27 organizations by March, with 25 of these located in the United States.
On the other end, Kairos operates differently by focusing solely on data exfiltration without encrypting files, purchasing network access from initial access brokers.
Sophos found that only half of ransomware attacks now involve encryption, the lowest level in six years.
TRM identified Kairos sharing cash-out addresses with SafePay, INC, Lynx, and Qilin ransomware groups, suggesting shared affiliate networks.
Deepfake Scams and Malware Campaigns Drain Millions From Users
Former Binance founder Changpeng Zhao recently issued urgent warnings following sophisticated deepfake Zoom attacks targeting the crypto community.
Japanese influencer Mai Fujimoto lost access to her MetaMask wallets after a 10-minute video call with an AI-generated impersonation of an acquaintance whose Telegram account had been compromised.
Mehdi Farooq, a former Animoca Brands investment partner, also lost years of savings when six wallets were drained after downloading fake Zoom software during a similar deepfake call.
Crypto-stealing malware is spreading through fake AI, gaming, and Web3 startups with convincing websites, social media profiles, GitHub repositories, and team pages.
Darktrace identified schemes involving fake blockchain games, such as “Eternal Decay,” and startups including Pollens AI, Swox, and Buzzu.
The malware targets Windows and macOS users, stealing wallet credentials using Realst and Atomic Stealer families with advanced evasion techniques, including stolen software signing certificates.
As part of the ongoing war against the growing threat, Spanish authorities recently dismantled a crypto investment scam that defrauded over 200 victims out of more than €19 million using AI-generated celebrity videos to promote fake high-return ventures.
The investigation has arrested six individuals, aged 34 to 57, who are facing charges of fraud, money laundering, and document falsification.
The post AI Ransomware Attacks Surge as Groups Leverage Automation to Target Victims – Is Your Crypto Secure? appeared first on Cryptonews.
