AI Momentum

Agentic AI Is Industrializing Espionage and Fraud: Why the Real Danger Is Short-Term and the Opportunity Long-Term

In-depth analysis · Researched from 7 sources · ~5 min read · our take · June 30, 2026 · 12:19

A report by QBE and Control Risks, alongside the first AI-orchestrated cyber-espionage campaign documented by Anthropic, confirms that autonomous agents now do the work of entire attack teams. Our thesis: this is not a new category of threat but a brutal multiplier of the speed and scale of old ones. The harm is immediate; so, crucially, is the defense.

THESIS. Agentic AI does not invent espionage or fraud: it industrializes them. What once required a team of seasoned hackers working for weeks can now be executed by an agent in hours, with minimal human oversight. That compression of time and cost is the underlying shift, and the reason the short term will be messy and expensive. Yet the same technology that cheapens the attack cheapens the defense — and that is the long-term reading we hold to: balance will be rebuilt, though only after a genuine period of turbulence that should not be downplayed.

THE FACTS. In November 2025, Anthropic announced it had disrupted what it describes as the first large-scale AI-orchestrated cyber-espionage campaign. According to the company, a group it attributes «with high confidence» to Chinese state-sponsored actors manipulated its Claude Code tool to target roughly 30 organizations — major tech firms, financial institutions, chemical manufacturers and government agencies — succeeding in a small number of cases. The figure that captures the leap: the AI autonomously executed 80% to 90% of the tasks (reconnaissance, vulnerability discovery, credential theft, exfiltration), with human intervention reduced to just four to six decision points per campaign. Attribution matters: the authorship is Anthropic's assessment, not an independently proven fact, and some analysts have urged caution about the true degree of autonomy.

The joint QBE North America and Control Risks report that sparked this debate places the case in a wider context. Attackers bypassed the model's safeguards by breaking the operation into small tasks and framing them as «legitimate defensive security testing.» Anthropic itself acknowledges an important limit: the model «hallucinated» credentials or claimed to have extracted secret information that was in fact public — which still constrains fully autonomous attacks. It is a crucial nuance that the more alarmist coverage tends to erase.

THE FRAUD NUMBERS. Beyond state espionage, everyday fraud is surging. Experian's 2026 forecast ranks «machine-to-machine mayhem» — autonomous agents deceiving other agents — as the number-one threat, alongside deepfakes in hiring and website cloning at scale. The FTC put consumer losses at over $12.5 billion in 2024, and nearly 60% of companies reported higher fraud losses between 2024 and 2025. The emblematic case remains Arup: in early 2024, an employee at its Hong Kong office wired $25 million after a video call in which the «CFO» and several colleagues were deepfakes built from publicly available recordings. The money has not been recovered.

OUR READING. Three ideas. First: what is new is not the technique but the economy of scale. A flawless phishing email, a cloned voice, a bespoke exploit cease to be scarce goods; when the marginal cost of an attack trends toward zero, volume explodes. That is why the short term — the next two or three years — will be the worst moment: defenses and regulation have not caught up, there is an obvious governance gap (fewer than 20% of U.S. organizations have optimized AI governance frameworks, per the QBE report), and an insurance gap persists (roughly a quarter of firms carry no cyber coverage). Denying this harm would be irresponsible.

Second: the asymmetry is temporary, not structural. The line security leaders keep repeating — «the way to fight adversarial agentic AI is with defensive agentic AI» — is not a slogan. The same agents that automate attacks automate the response: alert triage, threat hunting, containment. The defensive figures mirror the offensive ones (90% reductions in response time, automation of the bulk of Tier-1 work), and they also chip away at an old problem: 71% of organizations still see the cybersecurity talent shortage as a risk. The defender starts with an edge the attacker lacks: knowledge of their own house.

Third — and here is our declared bias: matured optimism. The automation of deception is the dark face of a capability — agents that reason, plan and act — whose bright face is immense. That same autonomous orchestration applied to drug design, early diagnosis or biomedical research is what could, over the long run, bring us closer to eradicating diseases, extending healthy life, and freeing people from tasks no one would choose to do. This is not euphoria: the path runs through real short-term harm to jobs and security. But it is not catastrophism either: the story of every general-purpose technology is one of a period of abuse followed by institutional adaptation.

IMPLICATIONS. For companies, the priority shifts from «adopting AI» to «governing AI»: strict identity and access management (including for agents, which become new identities to protect), behavioral monitoring, out-of-band verification for any material transfer — the direct lesson of Arup — and deploying agentic defense before the attacker sets the pace. For insurers, the challenge is twofold: pricing a risk whose frequency and severity are being redefined in quarters, not years, and resolving the liability ambiguity that autonomous agents introduce — who answers when one company's agent is deceived by another's? For regulators and citizens, the conclusion is that default trust in what we see and hear is dead, and verification must be built into process design, not bolted on afterward.

The right question is not whether agentic AI will make the short term more dangerous — it will, and that part must be faced without cosmetics — but whether we will leverage the defender's edge and institutional maturity so that the long term pays off. We bet it will, but the bet demands working on defenses now, not waiting for the problem to solve itself.