
AI Did the Hacking: How a Low-Skill Attacker Compromised 600+ Firewalls in 38 Days

ID: ade0be6b-22c4-5083-832b-4e4aa5df89c0

STIX ID: report--ade0be6b-22c4-5083-832b-4e4aa5df89c0

Feed Name: NoHackie

Threat Score: 78/100

Date Published: 2026-02-23

Date Updated: 2026-04-19


Amazon Threat Intelligence documented an AI-augmented cyber campaign (Jan 11–Feb 18, 2026) in which a low-to-medium skilled, financially motivated actor used commercial LLMs and custom orchestration (identified artifacts: DeepSeek, Claude Code, ARXON, CHECKER2) to automate scanning of exposed FortiGate management interfaces, steal and decrypt configuration files, and compromise 600+ appliances across 55+ countries. The operation enabled Active Directory credential theft and targeting of Veeam backup servers. It demonstrates that AI can act as a force multiplier for large-scale opportunistic intrusions, and that strong fundamentals (patching, MFA, credential hygiene, segmentation, behavioral detection) remain the primary defenses.
