AI is beginning to carry out live cyberattacks, Check Point warns

AI is moving beyond assisting cybercriminals to carrying out operational tasks during live intrusions, according to Check Point Research’s Annual AI Security Report 2026.

The report argues that AI-enabled cyber operations are entering a new phase in which AI systems can execute parts of an attack rather than simply helping attackers write code, research targets or prepare phishing campaigns. The shift could make cyber operations faster and less dependent on continuous human oversight.

Check Point said it observed AI carrying out hands-on tasks during incidents ranging from China-linked campaigns to a criminal breach affecting several Mexican government agencies. According to the company, these capabilities are spreading beyond state-backed actors to financially motivated cybercriminals.

AI is also being used to create deployment-ready malware and offensive frameworks. One developer reportedly used an AI coding environment to build VoidLink, an 88,000-line command-and-control framework, in less than a week. Check Point noted that AI involvement may be difficult to identify once the finished tool is deployed.

According to the report, attackers increasingly favour commercial AI models over self-hosted alternatives. Rather than relying solely on jailbreak prompts, some are targeting agentic architectures by planting configuration files that AI agents continue to trust across multiple sessions.

The market supporting AI cyberattacks is also becoming more established. Check Point identified phishing-as-a-service products that embed language models with built-in restrictions bypasses, alongside conversational voice-agent services used for vishing and one-time-password theft.

The report warns that synthetic identities are weakening traditional trust signals. Convincing imitations of voices, faces, identity documents, and live video can now be combined across multiple channels, making social engineering operations more coordinated and harder to detect.

AI systems themselves are also emerging as an important attack surface. Models may struggle to distinguish instructions from the content they process, allowing attackers to manipulate AI agents through malicious files, webpages and other external data sources.

Indirect prompt injection is emerging as one of the most important threats to AI systems. Check Point said detections of longer malicious payloads increased roughly fivefold between March and May 2026, reaching close to 1% of observed prompts. Longer payloads are commonly associated with content-based and agentic attack paths.

Enterprise data leakage through generative AI also remains a growing concern. The share of prompts classified as high risk doubled from 2% to 4% over the previous year, while organisations used an average of ten AI applications each month, including tools that had not received official approval.

Exposure varied considerably by sector. Business services recorded the highest rate of high-risk generative AI prompts, at 5.91%, meaning approximately one in every 17 interactions presented a significant risk of exposing sensitive information.

The findings suggest organisations must prepare for threats from two directions: adversaries using AI to automate cyber operations and employees or AI systems exposing sensitive data through insecure adoption.

Why does it matter?

The report suggests AI is reshaping cybersecurity on both sides of the equation. Attackers are increasingly using AI to automate complex tasks, while organisations adopting AI are creating new attack surfaces and data security risks.

As AI systems become more autonomous, cybersecurity strategies will need to extend beyond traditional endpoint and network protection to include AI agents, model security, prompt injection defences, identity verification and governance over how AI is deployed across the enterprise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Two in five UK children say they bypass online age checks

Nearly two in five UK children aged 11 to 17 say they have successfully bypassed an online age check, according nationally representative research commissioned by the Department for Science, Innovation and Technology (DSIT).

The study surveyed 2,299 children in May 2026 to examine their experiences with age assurance, VPN use and methods of bypassing age checks. It also included an additional sample of recent VPN users.

Overall, 39% said they had successfully bypassed an age check at least once, while another 14% had tried unsuccessfully. Success rates rose from 28% among 11- to 12-year-olds to 43% among older teenagers.

Many children avoided age checks altogether by choosing websites, apps or games that either had no age verification or appeared easy to bypass. Among those who successfully circumvented checks, 63% said they simply pretended to be older, most commonly by entering a false date of birth.

Most successful circumvention involved simple self-declaration systems such as tick boxes and date-of-birth fields, which children also rated as the least effective.

By contrast, 86% of respondents who had encountered government ID verification considered it effective, while third-party identity services, payment card verification and facial age estimation also received substantially higher ratings.

Privacy was the most common reason for using a VPN. However, 22% of VPN users said they had used one to access age-restricted websites, apps or games, equivalent to 7% of all children surveyed.

Parents were involved in some VPN use. Among children who had used one, 22% received help from a parent to set it up, while 43% of current users said a parent paid for the service. However, older teenagers were more likely to install VPNs without parental knowledge.

Friends were the main source of information about bypassing age checks, cited by half of children who had done so. Practical consequences appeared to be the strongest deterrents, including harder-to-defeat checks, permanent account bans, and notifying parents about circumvention attempts.

The report also found an association between bypassing age checks and exposure to harmful content. Among children who had circumvented age checks, 51% reported later encountering at least one form of harmful material, including explicit content, contact from unknown adults and requests for personal information.

The researchers cautioned that the findings rely on self-reported behaviour and do not establish that VPN use or circumvention directly caused exposure to harmful content.

Why does it matter?

The findings suggest that basic self-declaration systems provide limited protection for children and are easily circumvented. As regulators increasingly require stronger age assurance under frameworks such as the UK’s Online Safety Act, the challenge will be deploying systems that are both effective and proportionate while protecting users’ privacy.

The research also highlights that technology alone is unlikely to solve the problem. Children’s motivations, platform design, parental involvement and digital literacy all influence whether age restrictions are respected, suggesting that meaningful online safety will require a combination of technical safeguards, regulation and education.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Greece adds digital passport to Gov.gr Wallet

The Greek Ministry of Digital Governance and Artificial Intelligence has added the national passport to the Gov.gr Wallet, allowing citizens with active ordinary passports to store a secure digital version on their mobile devices.

The digital passport can be used for identification and as a travel document within Greece. Diplomatic and service passports are not currently supported.

The passport becomes the thirteenth document available through the Gov.gr Wallet, joining digital identity cards, driving licences, disability cards, unemployment cards, academic IDs, insurance information, vehicle records, driver penalty points, pet records, the Athens Ring Road permit and the Real Estate File.

According to the Ministry, more than 2.5 million digital identity cards and almost 2 million digital driving licences have already been added to the application.

The Gov.gr Wallet is available on both Android and iOS devices through wallet.gov.gr. The service was developed by the General Secretariat for Information Systems and Digital Governance and GRNET, in cooperation with the Ministry of Citizen Protection and the Hellenic Police.

Citizen data is retrieved through the government’s Interoperability Centre.

Why does it matter?

The addition of the passport further expands Greece’s digital identity ecosystem and reflects the country’s continued investment in digital public services. By enabling citizens to carry more official documents securely on their mobile devices, the government is reducing reliance on physical credentials while improving access to public services.

The initiative also aligns with wider European efforts to strengthen digital identity infrastructure. As more governments develop interoperable digital wallets and electronic identity systems, mobile credentials are expected to play an increasingly important role in public administration and cross-border digital services.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Saudi Arabia launches AI tool for national data insights

Saudi Arabia’s Ministry of Economy and Planning has launched the beta version of INSAIGHTS, an agentic AI tool integrated into the Data Saudi Platform. The system is designed to improve how users access, analyse, and interact with national economic and social data.

INSAIGHTS allows users to convert questions into instant insights and analytics by drawing on more than 7,500 indicators available through the platform. The tool aims to support decision-makers, researchers, analysts and the public with faster access to reliable information for data-driven decisions.

The launch forms part of Saudi Arabia’s wider digital transformation agenda under Vision 2030 and the National Transformation Program. The Ministry plans to continue expanding the tool’s capabilities while using emerging technologies to improve transparency, innovation and user experiences across its digital ecosystem.

Why does it matter?

The INSAIGHTS highlights Saudi Arabia’s growing focus on AI as a tool to improve public data accessibility and strengthen evidence-based decision-making. By combining AI capabilities with extensive national datasets, the platform could help organisations and individuals extract insights more efficiently.

The initiative also demonstrates how governments are increasingly adopting agentic AI systems to enhance digital services and economic planning. As the technology develops, platforms like INSAIGHTS may become important models for using AI to improve transparency, research capabilities and public-sector innovation.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Ofcom proposes tougher rules on scam ads

Ofcom has proposed new rules requiring major online platforms to do more to prevent scam advertising, including verifying advertisers, blocking repeat fraudsters and making fraudulent adverts easier to report.

The draft Fraudulent Advertising Code is being developed under the UK’s Online Safety Act and would apply to some of the country’s largest social media platforms, search engines and other online services.

According to Ofcom, more than half of UK adults have encountered potentially fraudulent adverts online, while victims lose an estimated £200 million each year. The regulator said online platforms have not done enough to stop criminals exploiting their advertising systems.

The proposed code sets out nearly 40 measures, including banning accounts that publish scam adverts, preventing repeat offenders from opening new accounts, verifying the identity of advertisers and confirming that firms promoting banking or investment services are properly authorised.

Platforms would also be expected to strengthen account security, reduce the risk of account hijacking, test AI-powered advertising tools against misuse and establish dedicated reporting channels for trusted organisations, including law enforcement agencies, to flag fraudulent adverts for rapid removal.

Ofcom also wants platforms to use proactive technologies to detect and block fraudulent advertising before it reaches users. A separate consultation on those proposals is expected this autumn alongside a broader package of online safety measures.

The consultation remains open until 2 October, with final decisions expected next year. Once approved by Parliament, companies that fail to comply could face fines of up to £18 million or 10% of global annual revenue, whichever is higher.

Alongside the advertising proposals, Ofcom also published draft rules for Category 1 services under the Online Safety Act. These include stronger protections for journalistic content and democratic debate, improved user controls over harmful content, more effective complaints procedures and greater transparency through published risk assessment summaries.

Why does it matter?

The proposals would expand platform responsibility beyond user-generated content to the advertising systems that increasingly enable online fraud. By introducing requirements for advertiser verification, proactive detection and stronger enforcement against repeat offenders, Ofcom is seeking to make scam prevention a core responsibility of online platforms rather than relying primarily on users to identify fraudulent adverts.

The draft code also reflects a broader regulatory trend towards greater accountability for digital advertising ecosystems. As AI-generated content and increasingly sophisticated scams become more common, regulators are placing greater emphasis on platform governance, advertiser verification and proactive risk management.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

New York City targets junk fees and subscription traps

New York City has introduced two major consumer protection measures targeting hidden charges and difficult subscription cancellations, combining mandatory all-in pricing with new ‘Click-to-Cancel’ requirements.

The Click-to-Cancel rule will take effect on 1 October 2026, making New York City the first municipality to require businesses to offer subscription cancellations that are as simple as sign-up. Companies must clearly disclose subscription terms and provide straightforward cancellation mechanisms, ending practices that rely on confusing procedures or hidden recurring charges. According to the Roosevelt Institute, the rule could save New Yorkers between $21.5 million and $162.5 million each year.

The proposed Junk Fees rule would require businesses to display the full price upfront, including all mandatory charges. Companies would be prohibited from advertising misleading prices and would have to include service and processing fees in advertised prices. Businesses that violate either rule could face consumer restitution and civil penalties starting at $525 per violation.

Consumer Reports estimates that hidden fees cost the average family of four around $3,200 annually. The Department of Consumer and Worker Protection has published guidance explaining the proposed all-in pricing rules, with public consultation remaining open until a hearing on 7 August.

Why does it matter?

The measures reflect a growing regulatory effort to tackle so-called ‘dark patterns’—design practices that make prices harder to understand or subscriptions more difficult to cancel. By requiring transparent pricing and straightforward cancellation, New York City is shifting responsibility from consumers to businesses to ensure commercial practices are fair by design.

The rules could also influence wider consumer protection policy. As many companies operate nationally or globally, local requirements on pricing transparency and subscription management may encourage businesses to adopt similar practices across multiple markets, potentially shaping future regulation in other jurisdictions.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Cybercrime accounts for one in five crimes in Spain

Spain recorded 488,426 cybercrimes in 2025, accounting for 19.8% of all reported crime, according to the Spanish Ministry of Interior’s latest Cybercrime Report. The figure shows a 5.1% increase from 2024, demonstrating the growing threat of digital crime nationwide.

Computer fraud and online scams continued to dominate cybercrime, accounting for nearly nine in ten reported offences with 429,677 cases. Internet-related forgery increased by 11.3% to 21,690 cases, while sexual offences rose by 21% and illegal access or interception offences surged by 40.7%, highlighting the growing diversity of cybercriminal activity.

The number of cybercrime victims reached 383,285, up 9.3% from 2024. People aged 51 to 65 were the most frequently targeted, particularly through credit card fraud and travel cheque scams, accounting for 146,737 victims. Although most victims were male, the types of cybercrime varied considerably across age groups and demographics.

Critical infrastructure operators experienced 90 cyberattacks in 2025, a 43.8% decrease from the previous year. The transport sector accounted for 42.2% of incidents, followed by the information and communications technology sector with 15.5%.

Why does it matter?

The report shows that cybercrime has become a mainstream form of criminal activity, accounting for nearly one in five reported offences in Spain. The continued growth in fraud, online scams and unauthorised access highlights how digital crime is evolving alongside greater reliance on online services by individuals, businesses and public institutions.

Although attacks on critical infrastructure declined, the overall increase in cybercrime and victim numbers suggests that law enforcement and cybersecurity authorities will need stronger investigative capabilities, cross-border cooperation and preventive measures to keep pace with increasingly sophisticated digital threats.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

European Commission panel recommends social media restrictions for under-13s

A special panel convened by the European Commission has recommended restricting access to social media and other high-risk digital services for children under 13, arguing that platforms should prove they are safe before minors are allowed to use them.

The report was prepared by the co-chairs of the Special Panel on Child Safety Online, Prof. Dr. Jörg M. Fegert and Dr. Maria Melchior, whom European Commission President Ursula von der Leyen appointed in March 2026 to advise on child safety online and possible age restrictions for social media.

The panel met three times between March and June 2026 to examine scientific evidence on the impact of social media and digital environments on minors, review existing EU and national rules, and develop recommendations to better protect and empower children online.

The report uses the term ‘social media+’ to describe social media and other digital services that expose minors to potentially harmful features, including addictive design, infinite scroll, autoplay, recommender systems, persistent notifications, AI companions, video games and video-sharing platforms.

The co-chairs argue that providers, not children or parents, should bear the burden of demonstrating that their services are safe by design and appropriate for young users. Until then, they recommend restricting access for children under 13, while allowing member states to introduce additional precautionary measures for older adolescents if needed.

The recommendations also call for proportionate age-assurance systems, stronger safety-by-design requirements, limits on addictive platform features, more effective complaints mechanisms for minors and stronger enforcement of existing EU legislation, including the Digital Services Act, GDPR and AI Act.

The report also urges the EU to close legislative gaps on child sexual abuse online by adopting permanent obligations requiring providers to prevent, detect, report and block abuse, including in interpersonal communications.

Beyond restrictions, the report emphasises digital empowerment through stronger media literacy for children, parents, teachers and caregivers, greater participation by young people in policymaking, improved parental guidance, increased support for civil society organisations and helplines, and more investment in offline activities such as sports, arts and youth spaces.

The report concludes that protecting children online requires an ecosystem-wide approach involving regulators, digital service providers, educators, parents, caregivers and children themselves. It argues that children’s rights should apply online just as they do offline, balancing protection with opportunities to learn, participate and communicate.

Why does it matter?

The report could significantly influence future EU policy on children’s access to digital services, platform design and online safety. By recommending a default restriction for children under 13 and placing responsibility on providers to demonstrate that their services are safe, it shifts the debate away from parental responsibility towards platform accountability.

Although the recommendations are not legally binding, they are likely to inform future discussions on the Digital Services Act, the AI Act and wider EU child protection policies. If adopted, they could reshape how online platforms design services for younger users across Europe.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Swiss Army moves from Microsoft 365 to OpenDesk

The Swiss Armed Forces’ Cyber Command is replacing Microsoft 365 with OpenDesk, an open-source office and collaboration suite developed by Germany’s Centre for Digital Sovereignty in Public Administration (ZenDiS).

According to the Swiss magazine Republik, all employees of the Cyber Command and its Cyber and Electromagnetic Activities unit are expected to migrate to OpenDesk by October 2026.

The move reflects concerns that Microsoft’s increasing reliance on cloud-based services no longer meets the military’s operational requirements. Cyber Command chief Simon Müller said products subject to legislation such as the US CLOUD Act are unsuitable for certain military contexts, while the migration is intended to give the Swiss military greater control over its data and software environment.

The transition also aligns with Switzerland’s broader efforts to strengthen digital sovereignty by increasing the use of open-source software. OpenDesk is being developed by ZenDiS to provide public administrations with an alternative to proprietary office and collaboration platforms while reducing dependence on individual technology providers.

Why does it matter?

The migration highlights how digital sovereignty is increasingly influencing public-sector technology choices, particularly in defence and cybersecurity. By reducing reliance on foreign cloud providers and adopting open-source alternatives, governments seek greater control over sensitive data, software infrastructure and procurement. Switzerland’s move also reflects a broader European trend towards diversifying digital infrastructure and reducing strategic dependence on major US technology companies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

CISA shares lessons from GitHub credential exposure

CISA has published details of an internal CISA incident response triggered after an investigative reporter alerted the agency to Amazon AWS GovCloud keys and other internal information exposed in a public GitHub repository.

The agency said the information was identified by a security researcher whose company continuously scans public code repositories. The repository was not part of CISA’s official GitHub environment but belonged to a contractor’s personal GitHub account.

According to CISA, its Office of the Chief Information Officer immediately took the repository offline and preserved it for forensic analysis. The agency also suspended its development environment, reset affected credentials and revoked the contractor’s system access.

The investigation found that the contractor had uploaded copies of a CISA build and deployment repository to a personal GitHub account while attempting to build cloud infrastructure independently. The repository contained infrastructure-as-code, build scripts, administrator credentials and build credentials.

Forensic analysis found no evidence that the exposed credentials had been used outside CISA environments and no customer or mission data was compromised.

CISA subsequently rotated all credentials associated with environments where the contractor had administrator privileges, expanded repository allow and deny lists, and restricted users’ ability to upload code to public repositories before restoring the development environment.

The agency said the incident reinforced the value of taking external vulnerability reports seriously, applying Zero Trust principles to development environments and maintaining detailed logging that enabled rapid investigation.

It also identified several areas for improvement, including stricter controls over public repositories, better secrets detection, clearer GitHub and cloud incident response playbooks, simpler reporting channels for security researchers, stronger development environment guardrails and more mature cryptographic key management.

CISA also said organisations should maintain clear reporting channels for incidents affecting their own environments and publish reporting instructions in multiple locations rather than relying solely on a security.txt file.

The agency said publishing its own incident response experience is intended to help other organisations strengthen their security practices and improve preparedness for similar incidents.

Why does it matter?

The incident illustrates how easily sensitive credentials can be exposed through routine developer workflows and personal code repositories, even within organisations responsible for cybersecurity. It also highlights the importance of rapid detection, credential rotation and strong access controls when managing cloud infrastructure.

By publicly documenting both its response and the lessons learned, CISA is encouraging organisations to treat incident reporting, secrets management, Zero Trust architecture and developer governance as integral parts of software security rather than afterthoughts.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!