
Google Threat Intel Warns AI-Assisted Malware Can Bypass Two-Factor Authentication in Real Time

Google's Threat Intelligence Group (GTIG) published a sobering report on May 11: state-linked and criminal actors are now weaponizing AI at industrial scale. For the first time, the group spotted a zero-day exploit it believes was developed with AI assistance. And a new piece of malware called PROMPTSPY can watch a victim's authentication flow and defeat two-factor authentication in real time. The message for crypto users is blunt: one-time codes delivered by SMS or an authenticator app are no longer enough on their own.

First AI-Assisted Zero-Day Exploit

GTIG says it identified a threat actor using a zero-day exploit that it assesses was built with generative-AI assistance. The exploit was intended for a mass exploitation event, but proactive counter-discovery may have prevented it from being deployed. The report does not name the vulnerability or the actor behind it, but it marks a turning point: in February 2026, GTIG described AI-assisted adversarial activity as nascent and experimental, and its assessment now is that generative models are embedded in offensive workflows at scale.

PROMPTSPY: Malware That Watches Your Authentication

The report details a capability called PROMPTSPY: AI-enabled malware that interprets system state dynamically and generates commands in real time to manipulate the victim's environment. Among its most alarming features is the ability to perform timing attacks against SMS-based and app-based two-factor authentication during live sessions. In practice that means the malware waits for the moment the user enters a 2FA code, then captures the code, or the session it unlocks, and uses it before it expires. A one-time code is valid for whoever presents it during its validity window, so the service cannot tell whether the user or the malware submitted it. The report also links polymorphic malware that rewrites itself to evade detection to suspected Russia-nexus threat actors.

Why Standard 2FA Isn't Enough

GTIG's finding directly challenges the assumption that a one-time code or push notification provides adequate security. A code still stops an attacker who holds only the password, but it does nothing against malware that can observe and respond to the authentication flow as it happens, because the code is a short-lived bearer token that any party can relay. The report recommends hardware security keys, air-gapped signing devices, and multi-signature wallet architectures for crypto users. None of these relies on a network-observable code that can be intercepted in real time: a FIDO2 security key signs a fresh, single-use server challenge bound to the site's origin, so nothing captured from a phishing page or a hijacked session can be replayed against the real service, and an air-gapped signer or multisig setup means a single compromised endpoint cannot move funds by itself.
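The difference between a relayable one-time code and an origin-bound assertion is easiest to see in code. The following is an added example written for this page, not code from GTIG's report or from PROMPTSPY. It implements RFC 6238 TOTP for the first half, and for the second half a deliberately simplified FIDO2-style exchange in which an HMAC over a device-held key stands in for the private-key signature a real security key produces (the origin and challenge binding is what matters and is modelled faithfully). The origins `exchange.example` and `exchange-login.example`, the class names and the constructed secrets are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo (not the report's code): a one-time code that any party
# can replay within its validity window versus an origin-bound
# challenge-response login. Origins, names and the HMAC stand-in for a
# FIDO2 signature are assumptions for illustration.

# ---- Part 1: TOTP (RFC 6238): the code is valid no matter who submits it ----

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpService:
    """Server-side verifier; like most, it tolerates one step of clock skew."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def login(self, code: str, now: int) -> bool:
        return any(hmac.compare_digest(code, totp(self.secret, now - skew))
                   for skew in (0, 30))


def otp_relay(service: OtpService, victim_secret: bytes, now: int) -> bool:
    """Attacker-in-the-middle: the victim types a fresh code into a fake login
    page and the attacker forwards it to the real service seconds later."""
    victim_code = totp(victim_secret, now)
    return service.login(victim_code, now + 5)


# ---- Part 2: FIDO2-style login: the signed assertion is bound to the origin ----

REAL_ORIGIN = "https://exchange.example"
PHISH_ORIGIN = "https://exchange-login.example"   # attacker's look-alike domain


class Authenticator:
    """Security key. HMAC with a device-held key stands in for the private-key
    signature a real authenticator produces; the binding logic is the same."""
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def sign(self, client_data_hash: bytes) -> bytes:
        return hmac.new(self.key, client_data_hash, hashlib.sha256).digest()


def browser_assert(device: Authenticator, origin: str, challenge: bytes) -> tuple:
    """The browser, not the page, records the origin it is really on; the
    device signs over that origin together with the server's challenge."""
    client_data = origin.encode() + b"|" + challenge
    return client_data, device.sign(hashlib.sha256(client_data).digest())


class WebAuthnService:
    def __init__(self, device_key: bytes) -> None:
        self.device_key = device_key   # registered credential (stand-in for a public key)
        self.pending = set()           # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def login(self, client_data: bytes, signature: bytes) -> bool:
        origin, _, challenge = client_data.partition(b"|")
        if challenge not in self.pending:
            return False               # unknown, expired or already-used challenge
        self.pending.discard(challenge)  # each challenge is single use
        if origin != REAL_ORIGIN.encode():
            return False               # assertion was produced for some other site
        expected = hmac.new(self.device_key, hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def webauthn_legit(service: WebAuthnService, device: Authenticator) -> bool:
    c = service.challenge()
    client_data, sig = browser_assert(device, REAL_ORIGIN, c)
    return service.login(client_data, sig)


def webauthn_relay(service: WebAuthnService, device: Authenticator) -> bool:
    """Same relay as otp_relay: the attacker fetches a real challenge, the
    victim's browser signs it on the phishing origin, the attacker forwards it."""
    c = service.challenge()
    client_data, sig = browser_assert(device, PHISH_ORIGIN, c)
    return service.login(client_data, sig)


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    print("TOTP relayed by attacker accepted:", otp_relay(OtpService(secret), secret, 1_700_000_000))
    key = Authenticator()
    svc = WebAuthnService(key.key)
    print("FIDO2-style legitimate login:", webauthn_legit(svc, key))
    print("FIDO2-style relayed login:", webauthn_relay(svc, key))
```

The relayed TOTP is accepted because the server only checks that the code matches the current time step, while the relayed assertion is rejected because the browser on the phishing domain wrote that domain into the signed client data, and the real service refuses any assertion not made for its own origin. Note what the key does not fix: if the malware is already running on the endpoint, it can act inside the session the key unlocked, which is why the report pairs hardware keys with air-gapped signers and multisig for funds movement.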

The report also notes that state-linked actors associated with China and North Korea have shown significant interest in using AI for vulnerability discovery. That suggests the zero-day exploit pipeline is likely to accelerate. For anyone holding crypto or managing sensitive accounts, the window for upgrading past SMS-based 2FA just got a lot shorter.