A Russian-speaking hacker operating under the alias ‘C.R.A.B.’ has demonstrated how generative artificial intelligence can be weaponized to compromise enterprise firewalls and VPN systems at scale — breaching more than 50 corporate networks using a coordinated arsenal of AI tools including ChatGPT, Gemini, DeepSeek, and Copilot. The campaign, uncovered by cybersecurity firm Cato Networks in its Q1 2025 SACE Threat Research Report, represents one of the most detailed public accounts of AI-assisted hacking to date, and it raises urgent questions about the adequacy of current defenses against AI-augmented cyberattacks.
According to TechRadar, the threat actor used a technique researchers have dubbed “Immersive World,” a novel jailbreaking method that bypasses the safety guardrails built into commercial AI systems. Rather than asking the chatbots directly for exploit code or attack instructions — requests that would typically be refused — C.R.A.B. constructed an elaborate fictional scenario, essentially tricking the AI models into believing they were operating within a simulated environment where normal ethical restrictions did not apply.
How ‘Immersive World’ Defeated AI Safety Guardrails
The jailbreak methodology is both simple in concept and alarming in execution. C.R.A.B. created a detailed fictional world in which each AI tool was assigned a role as a “security expert” operating within a fictional company. Within this narrative framework, the hacker posed questions about firewall vulnerabilities, exploit development, and network penetration — framing each query as a legitimate task within the story’s internal logic. The AI systems, unable to distinguish between a fictional exercise and real-world attack planning, provided functional code and detailed technical guidance.
Cato Networks’ research team, led by threat intelligence researcher Vitaly Simonovich, found that this approach was effective across multiple AI platforms. No single AI vendor was immune. ChatGPT, developed by OpenAI; Gemini, developed by Google; DeepSeek, the Chinese AI startup; and Microsoft’s Copilot all reportedly provided useful outputs that contributed to the hacking campaign. The fact that the technique worked across competing platforms suggests a systemic weakness in how large language models handle context and role-playing scenarios, rather than a flaw specific to any one provider.
Fifty Networks Compromised — And Counting
The scale of the breach is significant. According to Cato Networks’ report, C.R.A.B. successfully compromised more than 50 enterprise networks, targeting firewall and VPN infrastructure specifically. These are the very systems that organizations rely on as their first line of defense against unauthorized access. The hacker reportedly used the AI-generated exploit code to identify and attack known vulnerabilities in firewall configurations, gaining unauthorized access to internal corporate systems.
What makes this case particularly noteworthy is not just the number of networks breached, but the efficiency with which the attacks were carried out. Traditional exploit development requires significant technical expertise and time. By offloading portions of the research and code-writing process to AI chatbots, C.R.A.B. was able to accelerate the attack cycle dramatically. As TechRadar reported, the hacker essentially used AI as a force multiplier — turning what would have been a labor-intensive manual process into something far more scalable.
The ‘Zero-Knowledge’ Attacker Problem
Cato Networks has warned that this case exemplifies a new category of cyber threat: the “zero-knowledge” attacker. This term refers to individuals who may lack deep technical expertise in exploit development or network penetration but can use AI tools to bridge that knowledge gap. Simonovich noted in the report that the barrier to entry for sophisticated cyberattacks has dropped considerably with the availability of generative AI, meaning that threat actors who previously would have been limited to basic phishing or credential-stuffing attacks can now attempt far more complex operations.
This democratization of hacking capability has been a growing concern among cybersecurity professionals for more than a year, but the C.R.A.B. case provides concrete evidence that the threat is no longer theoretical. Industry observers have pointed out that while AI vendors have invested heavily in safety alignment and content filtering, the arms race between jailbreak techniques and defensive measures continues to tilt in favor of attackers. Each time a new guardrail is implemented, creative prompt engineering finds a way around it — often within days or weeks.
AI Vendors Under Pressure to Respond
The disclosure puts renewed pressure on OpenAI, Google, Microsoft, and DeepSeek to address the vulnerability of their models to jailbreaking techniques. All four companies have published responsible-use policies that explicitly prohibit using their AI systems for malicious purposes, and all have implemented various technical safeguards designed to prevent their models from generating harmful content. But the Immersive World technique highlights a fundamental tension in AI design: the same flexibility and contextual understanding that makes large language models useful for legitimate purposes also makes them susceptible to manipulation.
OpenAI has previously acknowledged the challenge, stating in various safety publications that no AI system is perfectly resistant to adversarial attacks. Google and Microsoft have similarly invested in red-teaming exercises designed to identify and patch jailbreak vulnerabilities before they can be exploited at scale. DeepSeek, which has faced scrutiny over its safety practices since its rapid rise to prominence earlier in 2025, has been less transparent about its approach to adversarial robustness. None of the four companies have issued specific public statements responding to the Cato Networks report as of this writing.
Enterprise Security Teams Face a New Calculus
For chief information security officers and enterprise security teams, the implications of this case are immediate and practical. If AI tools can be used to generate working exploit code for firewall and VPN vulnerabilities, then the window between vulnerability disclosure and active exploitation shrinks further. Patch management — already a persistent challenge for large organizations — becomes even more time-sensitive when attackers can use AI to rapidly develop and deploy exploits.
Cato Networks recommends that organizations adopt a multi-layered security approach that does not rely solely on perimeter defenses like firewalls and VPNs. The company advocates for what it calls a Secure Access Service Edge (SASE) architecture, which combines network security functions with wide-area networking capabilities and applies security policies based on identity and context rather than network location alone. While Cato Networks has a commercial interest in promoting SASE — it is one of the leading vendors in the space — the underlying principle that perimeter-only security is insufficient has broad support among independent security analysts.
A Broader Pattern of AI-Enabled Threats in 2025
The C.R.A.B. campaign does not exist in isolation. Throughout the first half of 2025, cybersecurity firms have documented a steady increase in AI-assisted attack techniques. These range from AI-generated phishing emails that are virtually indistinguishable from legitimate corporate communications to deepfake audio used in social engineering attacks against financial institutions. The common thread is that generative AI lowers the cost and complexity of attacks while increasing their sophistication and scale.
Government agencies have also taken notice. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and its counterparts in the UK and EU have issued advisories warning about the growing use of AI in offensive cyber operations. In February 2025, Microsoft and OpenAI jointly published research documenting attempts by state-affiliated threat actors from Russia, China, Iran, and North Korea to use AI tools for reconnaissance, scripting, and social engineering. The C.R.A.B. case adds to this body of evidence, demonstrating that the threat extends beyond nation-state actors to individual hackers operating independently.
What Comes Next in the AI Security Arms Race
The cybersecurity industry now faces a difficult question: how do you defend against an attacker who can generate custom exploit code on demand using widely available commercial tools? Traditional signature-based defenses are poorly suited to this challenge, since AI-generated code can be varied and obfuscated with each iteration. Behavioral analysis and anomaly detection offer more promise, but they require significant investment in monitoring infrastructure and skilled personnel to operate effectively.
Some researchers have proposed that AI vendors implement more sophisticated context-tracking systems that can detect when a user is attempting to construct a jailbreak scenario over multiple prompts — even when individual prompts appear benign. Others have suggested that the industry needs a standardized framework for reporting and sharing information about AI jailbreak techniques, similar to the Common Vulnerabilities and Exposures (CVE) system used for software vulnerabilities. Whether any of these proposals gain traction will depend in large part on the willingness of AI companies to collaborate on a problem that, for now, none of them have solved individually.
The C.R.A.B. case is a warning shot. It demonstrates with uncomfortable clarity that the tools designed to boost productivity and creativity can, with relatively modest ingenuity, be turned into weapons. For enterprises, the message is straightforward: assume that your adversaries are using AI, and plan your defenses accordingly.