Hackers using AI just found a ‘zero-day.’ The spyware industry is watching.

WASHINGTON—Hackers are rapidly infusing artificial intelligence (AI) into offensive cyber operations, driving up risks for US national security. Over the past six months, nation-states and criminal groups have leveraged AI to conduct offensive operations at scale against the United States.

Just last week, Google reported a pivotal moment—for the first time, hackers used AI to discover and exploit a zero-day, the most serious type of security flaw because it has not been detected by security companies and has no known fix. This zero-day was particularly dangerous as it would have bypassed two-factor authentication across Google products. Zero-days are typically both rare and expensive, requiring skilled talent to discover and exploit them—this development changes that. By collapsing the cost, time, and expertise required to find and weaponize zero-days, AI is primed to recharacterize the offensive playing field in ways defenders are not yet equipped to match.

The spyware market—private firms that target devices for surveillance and data extraction—is particularly poised to take advantage of this shift. In 2025, spyware vendors topped Google’s list of groups exploiting zero-days, surpassing even nation-states such as China. In effect, the spyware market runs on a pipeline of zero-days, and AI will make that pipeline significantly cheaper and quicker to fill. A technical barrier that once constrained this industry is eroding. This creates a troubling asymmetry: Surveillance tools are becoming faster to build, easier to deploy, and increasingly autonomous, while accountability and policy oversight fall further behind.