When ChatGPT Teaches Your Attacker: How LLMs Are Supercharging Phishing and Ransomware
From polished spearphishing to automated extortion playbooks — why AI is shifting the advantage back to attackers and what enterprises must do now
From polished spearphishing to automated extortion playbooks — why AI is shifting the advantage back to attackers and what enterprises must do now

Illustration by IMF Alpha editorial · Reviewed by Pedro Marini
The new reality
Large language models are no longer just tools for drafting emails or helping with code. They have become accelerants for cybercrime, lowering the skill floor for sophisticated attacks and enabling new tactics that mix social engineering, code generation, and automation. Where malware used to be handcrafted by specialists, LLMs let a moderately capable threat actor assemble targeted campaigns in hours instead of weeks.
A short history to make sense of today
Over the last decade phishing moved from noisy, typo-filled blasts to precise spearphishing. Ransomware followed a similar arc: opportunistic campaigns hardened into organized extortion networks by around 2019. What’s striking now is that LLMs compress those decades of maturation into a single development cycle — providing templates, persona mimicry, and multilingual nuance on demand.
How LLMs shift the threat model
Upside for defenders — but with an asymmetry
Security teams are using the same models for threat hunting, phishing simulations, and rapid incident analysis. Automated triage can sift through thousands of suspicious messages, and synthetic data improves defender training. The rub is the asymmetry: an attacker needs one successful hit; defenders must fortify thousands of endpoints and people.
Real implications for enterprises and investors
Practical controls that actually help
Policy and governance are playing catch-up
Laws and standards trail how organizations actually use these models. Liability for model providers will be messy, so start with voluntary norms: better abuse reporting channels, model watermarking, and tighter restrictions around code-generation prompts. Industry-driven standards around transparency and supply-chain automation would help dampen the worst abuses while regulators figure things out.
A final, human insight
The clearest lesson so far is that AI is less a brand-new weapon and more a multiplier. Think of LLMs as pocket calculators that let more people solve problems they couldn’t before. For defenders, there won’t be a single product that solves this; the response will be a mix of smarter controls, better training, and organizational humility. Expect future cyber strategies to look more like intelligence operations than the classic IT playbook.
What this means in practice
LLMs have tilted the balance in cyber conflict. Companies that treat AI as both risk and tool — investing in detection, governance, and people — will be best positioned to endure.

As privacy rules bite and data costs spike, synthetic data startups and cloud giants are racing to replace real-world training sets. Investors should be selective.

From privacy gains to battery headaches, on‑device large language models force chipmakers, apps and regulators to rethink mobile AI—and investors to reassess winners.

As chip makers and developers push compact LLMs and NPUs into handsets, expect faster answers, tighter privacy—and a shakeup in how apps make money.