CyberStrikeAI tool adopted by hackers for AI-powered attacks

AI-Powered Hacking Tool CyberStrikeAI Linked to Massive Fortinet Breach

A newly discovered open-source AI security testing platform called CyberStrikeAI has been directly tied to a sophisticated cybercriminal operation that compromised over 600 Fortinet FortiGate firewalls in just five weeks, according to a joint investigation by cybersecurity researchers.

The campaign, which first came to light last month, showcased the alarming potential of AI-assisted hacking at scale. The threat actor behind the operation leveraged multiple servers across different regions, with one key server at IP address 212.11.64.250 serving as a command center for the attacks.

The AI Hacking Arsenal

CyberStrikeAI represents a new generation of offensive cybersecurity tools that integrate artificial intelligence with traditional penetration testing frameworks. Built in the Go programming language, the platform combines over 100 security tools into a single AI-native orchestration engine.

The platform’s capabilities read like a hacker’s wishlist:

  • Network reconnaissance with tools like nmap and masscan
  • Web application testing using sqlmap, nikto, and gobuster
  • Exploitation frameworks including Metasploit and pwntools
  • Password cracking with hashcat and John the Ripper
  • Post-exploitation using Mimikatz, BloodHound, and Impacket

What makes CyberStrikeAI particularly dangerous is its AI decision engine, which supports major language models including GPT, Claude, and DeepSeek. This allows even low-skilled operators to conduct complex attack chains through simple conversational commands.

The Fortinet Connection

Team Cymru’s investigation revealed that the same IP address (212.11.64.250) used in the Fortinet campaign was observed running CyberStrikeAI on port 8080. Network traffic analysis showed communications between this server and the targeted FortiGate devices during the attack window.

The timing is particularly revealing—the FortiGate campaign infrastructure was last seen running CyberStrikeAI on January 30, 2026, suggesting the platform was actively used during the breach operation.

Global Infrastructure, Local Impact

Between January 20 and February 26, 2026, researchers identified 21 unique IP addresses running CyberStrikeAI instances. The geographic distribution paints a concerning picture:

  • Primary hosting: China, Singapore, Hong Kong
  • Secondary locations: United States, Japan, Europe

This distributed infrastructure suggests a sophisticated operation with global reach but potentially state-aligned interests.

The Developer Behind the Tool

The platform’s developer, operating under the alias “Ed1s0nZ”, has created an ecosystem of AI-powered security tools. Beyond CyberStrikeAI, their portfolio includes:

  • PrivHunterAI: AI-driven privilege escalation vulnerability detection
  • InfiltrateX: Privilege escalation scanning tool

GitHub analysis reveals the developer’s connections to organizations with alleged ties to Chinese government cyber operations. In December 2025, they shared CyberStrikeAI with Knownsec 404’s “Starlink Project”, a Chinese cybersecurity firm previously linked to state-sponsored activities.

The developer’s GitHub profile also mentioned receiving a “CNNVD 2024 Vulnerability Reward Program – Level 2 Contribution Award” in January 2026. The China National Vulnerability Database (CNNVD) is widely believed to be operated by China’s intelligence community for identifying vulnerabilities for operational use.

The AI Arms Race in Cybersecurity

This discovery underscores a broader trend in cybercrime: the weaponization of commercial AI services. Security researchers warn that tools like CyberStrikeAI dramatically lower the barrier to entry for complex network exploitation, enabling less-skilled actors to conduct sophisticated attacks.

Google’s recent report corroborates this trend, finding that threat actors are increasingly abusing AI services like Gemini across all stages of cyberattacks—from initial reconnaissance to data exfiltration.

What This Means for Defenders

The implications are stark. As adversaries embrace AI-native orchestration engines, organizations must prepare for:

  • Automated targeting of exposed edge devices
  • Accelerated attack cycles that outpace traditional defenses
  • Lower skill requirements for conducting complex exploits
  • Increased volume of AI-powered attacks

Security teams now face an environment where sophisticated attack capabilities are packaged into user-friendly interfaces, complete with audit logging, SQLite persistence, and vulnerability management dashboards.
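As an added defender-side example (not code from the article, from Team Cymru, or from the CyberStrikeAI project), the snippet below parses FortiGate-style key=value traffic log lines and flags any session whose source or destination is the indicator IP named in the article. The log lines are constructed samples, and the key names (srcip, dstip, dstport) are assumed to follow FortiGate's traffic-log format.

```python
import re

# Indicator taken from the article: the server observed running CyberStrikeAI on port 8080.
INDICATOR_IPS = {"212.11.64.250"}

# Constructed sample lines in FortiGate key=value traffic-log style (not real captured logs).
SAMPLE_LOG = """\
date=2026-01-30 time=10:14:02 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.1.25 srcport=51234 dstip=93.184.216.34 dstport=443 action="accept"
date=2026-01-30 time=10:15:47 logid="0000000013" type="traffic" subtype="forward" srcip=212.11.64.250 srcport=44120 dstip=10.0.0.1 dstport=443 action="accept"
date=2026-01-30 time=10:16:03 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.1.40 srcport=50211 dstip=212.11.64.250 dstport=8080 action="accept"
date=2026-01-30 time=10:17:19 logid="0000000013" type="traffic" subtype="forward" srcip=10.0.1.25 srcport=51300 dstip=8.8.8.8 dstport=53 action="accept"
"""

# key=value pairs; values are either double-quoted strings or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_indicators(log_text, indicators=INDICATOR_IPS):
    """Return events where either endpoint is a known indicator, tagged by direction.

    'inbound'  = the indicator is the source (it is connecting to us)
    'outbound' = the indicator is the destination (an internal host is calling out to it)
    """
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        src, dst = event.get("srcip"), event.get("dstip")
        if src in indicators:
            hits.append({**event, "direction": "inbound"})
        elif dst in indicators:
            hits.append({**event, "direction": "outbound"})
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOG):
        print(hit["direction"], hit["srcip"], "->", hit["dstip"], "port", hit["dstport"])
```

Outbound hits to the indicator on port 8080 are the ones worth escalating first, since that is the port on which the tool was observed listening.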

The Fortinet breach serves as a wake-up call: the future of cybersecurity isn’t just about defending against skilled hackers—it’s about defending against AI systems that can think, adapt, and attack autonomously.


Tags: CyberStrikeAI, Fortinet breach, AI hacking tools, cybersecurity threats, state-sponsored hacking, Chinese cyber operations, offensive security, network exploitation, AI-powered attacks, vulnerability discovery, penetration testing automation, cyber threat intelligence
