Every cybersecurity nightmare just became real. Google published research Monday confirming that criminal hackers used an AI model to discover a previously unknown software vulnerability and tried to weaponize it.

This is the first confirmed case of AI being used by criminals to find zero-day exploits in the wild. What was theoretical for years is now documented reality.

"High Confidence"

"We have high confidence that the actor likely leveraged an A.I. model to support the discovery and weaponization of this vulnerability," Google's research team wrote.

Google didn't say which AI platform the hackers used. They confirmed it wasn't Gemini. They also didn't reveal when the attack happened, who was targeted, or which software contained the vulnerability. They did say the attack was thwarted.

From Million-Dollar Bugs to Mass Production

Zero-day vulnerabilities are software bugs that nobody knows about except the hacker who found them. They're called "zero-day" because software makers have had zero days to fix them.

Until recently, they were so rare and difficult to find that they fetched millions on black markets. Nation-states hoarded them. Criminal groups fought over them.

AI changes everything. If machine learning can systematically scan codebases for unknown vulnerabilities, zero-days could become mass-produced commodities. The entire economics of cybersecurity would collapse.

Perfect Timing

Google's announcement comes at an extraordinary moment. Last month, Anthropic's Mythos model was flagged as an "unprecedented cyberweapon" capable of infiltrating government databases and financial institutions. OpenAI just gave the EU special access to GPT-5.5-Cyber. The Washington Post reported today that US spy agencies are battling Commerce for more control over AI regulation.

And now Google confirms what everyone feared: criminals are already using AI for zero-day discovery in the wild.

The cat's out of the bag. The question now is whether defenders can keep up.