AI Hacker – The End of the Internet?

Today, I read about future AI hackers and realized that the problem is much bigger than "more cyberattacks." It no longer seems like fantasy. OpenAI states that it is preparing models capable of creating functional zero-day exploits against well-secured systems or significantly aiding in complex covert intrusions. Anthropic writes that current models are already capable of working on the internet, writing and executing code, using computers, and performing autonomous multi-step actions. OpenAI is already demonstrating a defensive version of the same idea: their agentic security researcher Aardvark searches for vulnerabilities in codebases, suggests patches, and has already discovered new CVEs.

But the main question is not whether AI will start hacking better than a human. The main problem is different: it will drive the cost of each additional attack attempt to almost zero.

So far, the internet has survived on a simple, though implicit, compromise. Yes, systems were hacked, money was stolen, databases leaked, people were phished. But a good attack was still expensive. To realistically attack complex systems, you needed people, skills, time, infrastructure, patience. The defender didn’t have to be perfect. Often, it was enough for them to make the attack too complicated, too long, or too costly.

AI changes precisely that.

It doesn’t just help write code or find bugs. It reduces the cost of the entire chain: finding the attack surface, testing hypotheses, writing and adapting exploits, analyzing errors, bypassing defenses, retrying, changing tactics, scaling a successful scenario to thousands of targets. Didn’t succeed the first time? It will try the second, the hundredth, the thousandth time. No fatigue. No shortage of specialists. Almost no marginal cost for each new attempt.

And that’s when the balance breaks.

The defender has to protect everything: servers, laptops, phones, accounts, sessions, email, VPN, CI/CD, recovery channels, employees, contractors, updates, integrations, internal processes. The attacker needs only one entry point. One new vulnerability. One forgotten service. One compromised endpoint. One hijacked account. One successful chain of several weak points.

Therefore, the problem with AI hackers is not that servers will be hacked more often. The problem is that all modern digital life relies not on the servers themselves but on trust in a remote digital entity.

Every day, we assume that the account belongs to the person. That the message was written by them. That the phone is in their hands. That the banking app is opened by the owner. That the confirmation code was received by the right person. That the mail is not hijacked. That the work session is not stolen. That the person in the messenger is indeed them, and not someone who is already on their device.

If this assumption is no longer reliable, then not only the security of the infrastructure collapses. The very meaning of remote digital life collapses.

If I cannot reasonably trust my phone, email, banking app, messenger, recovery code, and work session, then the phone and computer stop being my wallet, office, ID, and communication tool. Physically, they will remain. But as a trusted environment for important things, they will lose their meaning.

That’s why I don’t consider an AI hacker to be just another cybersecurity issue. It’s not a “new type of virus.” It’s not “another round in the attack-defense race.” It’s a scenario in which the open internet stops being a normal environment for everything that really matters.

Today, you can still comfort yourself with the thought that you’ve closed ports, set up key access, enabled MFA, updated your system, and are generally doing things right. But in a world where a bot is continuously looking for new vulnerabilities, this no longer seems like a reliable strategy. If it finds a new hole faster than you can update, your protection turns into a race that you start with a delay. And if updates ever become almost instant, then the emergency update system itself will become a new attack surface.

This leads to an unpleasant conclusion.

If the cost of an attack approaches zero, while the cost of protection remains high, the only truly reliable response becomes isolation. Not in the romantic sense of “going into the forest without a phone,” but in a technical sense. Everything truly valuable will gradually move out of the open internet: into closed networks, hardware keys, physical confirmation, separation of powers, manual procedures, local environments, and architectures where an attack must once again be made expensive, complicated, and inconvenient.

That is, the internet will not become safer. On the contrary. Everything important will leave it, because there is no other way.

Therefore, the end of the internet does not come when packets stop flowing.

The end of the internet comes when it is no longer reasonable to trust an account, a device, or a remote communication channel.

The internet as a network may remain.
But the internet as an environment of trust will not.
