Vibe Hacking: How AI Is Changing Cybercrime
We explore how conversational AI is lowering the barrier to malicious hacking, helping amateurs generate phishing lures, malware, and extortion workflows without deep technical skill. The episode also breaks down why even crude, AI-assisted attacks can still cause major disruption for hospitals, schools, cities, and businesses.
Is this your podcast and want to remove this banner? Click here.
Chapter 1
The New Amateur Hacker Isn’t Learning the Old Way
John Harvey
Welcome to the show. [reflective] Nikki, one of the more unsettling shifts I've seen lately is this: hacking used to require sitting with the machinery. You had to read the ugly manuals, break things in a lab, stare at code until it stared back. Now... [short pause] a person can type a prompt, get a phishing email, a malicious script, even pieces of ransomware, and feel like they built something. That's a very different creature.
Nikki Callahan
[curious] When you say "different creature," I feel the hairs on my arms go up a little. Because the old image was the script kiddie, right? Somebody grabbing a tool off a forum like a teenager finding fireworks in a damp garage. But this newer thing -- "vibe hacking" -- that's not just downloading a tool. That's asking for one in conversation.
John Harvey
Exactly. The old script kiddie reused tools they didn't understand. The newer vibe hacker may generate tools they don't understand. That's the jump. Instead of hunting around for some prebuilt exploit kit, they can ask for help scanning a subnet, obfuscating a PowerShell command, writing a credential-harvesting lure, drafting a ransom note, translating threats into three languages. Prompt, generate, test, adjust, deploy. It's almost offensively casual.
Nikki Callahan
[skeptical] But let me push on that word casual. Casual doesn't always mean effective. If somebody is just poking at an AI and iterating by feel, isn't there still a ceiling? I mean, surely "less skilled" still means "less dangerous" at SOME point.
John Harvey
[short pause][skeptical] That's the assumption that no longer holds cleanly. AI doesn't turn an amateur into an elite operator -- not exactly. But it lowers the amount of knowledge required to get to harmful outcomes. And the really dangerous part is psychological. A model can explain things fluently. It can sound authoritative, coherent, patient. So the user feels competent. They think, "I understand this." But fluent explanation is not mastery. It's a mask that can sit over ignorance.
Nikki Callahan
[softly] So the illusion becomes part of the weapon.
John Harvey
Yes. That's the phrase. The illusion becomes part of the weapon. Because the learning loop has changed. In the older world, if you wanted to do offensive security, even badly, you still had to spend time in forums, labs, documentation, peer groups. Friction taught you humility. Now the process is conversational. You ask, it answers. You hit an error, it suggests a fix. You ask for a cleaner version, a rewritten version, a version in another language. And that intimacy -- that feeling of collaboration -- can trick somebody into operating above their real competence.
Nikki Callahan
[questioning tone] Let me try to say that back. The old barrier wasn't just technical skill. It was also the long, bruising apprenticeship of realizing what you DIDN'T know. And AI sort of... smooths that mountain trail. It covers the rocks with snow, so the cliff edge looks gentle.
John Harvey
[warmly] That's well put. It makes ignorance more operationally useful. Anthropic's 2025 threat reporting actually used the phrase "vibe hacking" in cases where criminals were using AI coding agents across the attack chain -- reconnaissance, malware development, stolen-data analysis, extortion workflows. That's not theory anymore. It's a pattern.
Nikki Callahan
Anthropic 2025 is the part that sticks for me, because it means this isn't just a dark little thought experiment. And the phrase "stolen-data analysis" is so cold. Not just stealing it -- sorting it, understanding it, weaponizing it faster.
John Harvey
Right. And once hacking becomes more conversational, the culture changes with it. It starts to feel less like engineering and more like chatting your way toward a weapon. That's a profound shift. Not because every result will be elegant, but because elegance isn't required to ruin somebody's week... or a hospital's week.
Chapter 2
Why Crude Attacks Can Still Break Real Things
Nikki Callahan
[calm] This is the part I think people miss. We imagine danger as precision, like a blade. But sometimes danger is a clumsy fire. If AI lowers the barrier and doesn't supply judgment, then what you get is not always a smart attack -- it's a reckless one. And reckless code can still tear through real lives.
John Harvey
That's the heart of it. In ransomware especially, incompetence does not equal safety. Poorly written ransomware may fail to decrypt files, lose the encryption keys, damage system files it was never meant to touch, or lock up machines in ways even the attacker can't reverse. A competent gang, grim as this sounds, often wants a decryption workflow because they want payment and a reputation. An amateur with half-assed vibe-coded ransomware may permanently corrupt the data and not even know why.
Nikki Callahan
[tense] The phrase "fail to decrypt" is the one that lands like a stone. Because that means there may be no path back. Not for a school district. Not for a small clinic. Not for a town office where every permit and payroll file suddenly turns to smoke.
John Harvey
And that's why "less skilled means less dangerous" is such a comforting but outdated idea. A crude ransomware script doesn't have to be sophisticated to be catastrophic. If it hits a hospital, a municipality, a school, a small business with weak backups or poor segmentation, you can still get paralyzed systems, downtime, legal exposure, reputational damage, weeks of recovery. The FBI's 2024 IC3 reporting, released in 2025, put cyber-enabled losses over $16 billion -- up 33% from 2023. And even that likely undercounts ransomware because it doesn't fully capture downtime, lost business, wages, equipment, remediation... all the invisible bleeding.
Nikki Callahan
[urgent] Sixteen BILLION, and up 33%. That's not a niche problem. That's weather. And when you say hospitals and schools, I think that's important because it breaks the movie fantasy. This isn't a hooded genius targeting nuclear launch codes. It's payroll systems, patient records, class schedules, city services.
John Harvey
Precisely. Most attacks begin somewhere much more ordinary than Hollywood wants to admit. They begin with persuasion. A fake invoice. A reset request. A malicious attachment. A login page that looks close enough. And AI is a force multiplier there. Microsoft's 2025 Digital Defense Report said AI-driven phishing is significantly more effective than traditional campaigns. Europol's 2025 assessment warned that criminals are using AI for multilingual messaging, realistic impersonation, automation. So now the weakest entry point -- human trust -- gets industrialized.
Nikki Callahan
Multilingual messaging is a big one. Because the old tells were often audible, almost like hearing a cracked note in a singer's voice -- awkward grammar, strange phrasing, cultural mismatches. If AI smooths that out in English, Spanish, German, whatever the target speaks, then the net gets wider and silkier at the same time.
John Harvey
[matter-of-fact] Yes, and more volume matters. AI doesn't just create the possibility of genius-level attacks. It creates floods of mediocre ones. More phishing, more fake login pages, more extortion notes, more low-quality malware, more noise. But mediocre attacks already work against organizations with weak passwords, exposed remote access, poor patching, unmanaged devices, bad backup testing. So the scale shift is the story. Tool reuse was dangerous. Tool generation at scale is worse because it produces endless variation.
Nikki Callahan
[reflective] Endless variation... that feels like standing in a forest where the sparks no longer fall from one campfire. They're blowing in from every direction. And for defenders, there's a painful asymmetry there, isn't there? An attacker can try ten sloppy things and keep the one that lands. A hospital can't try ten sloppy defenses on live systems.
John Harvey
That's exactly the asymmetry. Defenders have to automate responsibly. They have governance, privacy, uptime, false positives, all of it. Attackers can automate recklessness. Which means the basics matter even more now: multifactor authentication, least privilege, immutable backups, endpoint detection, network segmentation, tested recovery, rapid patching. Boring controls -- but boring controls save lives.
Nikki Callahan
[softly] And maybe that's the most unnerving part. The next serious disruption may not come from some mythic mastermind. It may come from a bored amateur with a grievance, an AI account, and just enough confidence to mistake a fluent answer for wisdom.
John Harvey
[pauses] Yeah. And once a society gives people the power to act far beyond their understanding, the question isn't whether the code is elegant. It's whether the blast radius cares.