WHY THIS MATTERS IN BRIEF
Self-spreading AI attacks could let one breach hijack global AI infrastructure and weaponise it against itself autonomously.
Matthew Griffin is the World’s #1 Futurist Keynote Speaker and Global Advisor for the G7 and Fortune 500, specialising in exponential disruption across 100 countries.
Hackers have started using large language models to code up attacks on other Artificial Intelligence (AI) systems, researchers have warned. They’re then using those hacked AI systems to target other AI machines – which is a little like what Morris II, the zero-click AI-killing worm that I talked about a year or so ago, does – but in a much more horrific way. Marking another milestone on the road to a cyber world where AI constantly fights AI, Israel-based Oligo Security found evidence of mass exploitation of Ray, software designed to help developers manage and assign power to AI projects.
The Oligo researchers were able to find over 230,000 Ray servers that were online despite the company's warning, potentially leaving them open to cyberattacks, according to Oligo’s AI security researcher Avi Lumelsky.
Lumelsky said he was “very certain” large language models, such as OpenAI’s ChatGPT and Anthropic’s Claude, were used to generate code to order the hacked servers to mine crypto, though he couldn’t specify which models. He said there were identifiable “hallmarks” when LLMs had been used to produce malicious code, including needless repetition of certain comments and strings in the code.
The Ray servers were also used to autonomously scout out further targets, turning their operation into a self-propagating botnet, showing “AI infrastructure can be hijacked to attack itself,” said Gal Elbaz, CTO and cofounder of Oligo. Oligo has dubbed the attack ShadowRay 2.0, an update to hacks it detected last year.
Anyscale, the company that created Ray, hadn’t provided comment at the time of publication. The company previously disputed the alleged flaw after Forbes first reported on it last year, saying it was not exploitable when users followed its advice to not expose their servers to the internet. The company has made its guidance on dealing with the vulnerability available online and has released a .
The news comes after Anthropic warned that its Claude AI was used by Chinese researchers to write up malware and it was revealed that the Pentagon had spent millions on a startup developing AI agents for automated cyberwarfare.
“The jailbreaking of Anthropic’s Claude showed how adversaries can manipulate an AI system into participating in an attack: an AI-manipulated attack,” said Elbaz, referencing Anthropic’s report. “ShadowRay represents the next phase: an AI-coordinated attack, where adversaries hijack the underlying AI infrastructure to create a self-propagating, global campaign.”
There was another twist: there appear to be multiple hackers trying to carry out the same attack. Oligo discovered scripts designed to detect and delete rival cryptocurrency miners on vulnerable servers.
The hackers also turned their AI-powered botnet to distributed denial of service (DDoS) attacks on a number of websites. They could have done worse. The researchers said the hackers were able to access proprietary AI models on the compromised systems, potentially endangering sensitive corporate intellectual property. In one case, a single company was exposing 240GB of material, including source code and AI models.
“Essentially a company’s entire R&D environment was accessible from the internet,” said Lumelsky.
Could AI-powered botnets become the defining cyber threat of the next decade?
Quite possibly. Once attackers can point large language models at the very infrastructure that runs AI, breaches stop being isolated events and start becoming self-propagating campaigns that spread and adapt faster than human defenders can respond – which is exactly the shift researchers say ShadowRay represents.