Russian spy or teenage hacker? AI may soon make it impossible to tell, says Sony breach investigator
The trail of clues is going cold as AI makes all cyberattacks look increasingly vanilla

Image by Cybernews
- AI is scrubbing away the "digital fingerprints" investigators once used to tell nation-state hackers from lone teenagers.
- With tradecraft no longer reliable Alistair Macrae – who worked on the incident response during the Sony Playstation breach – argues attribution is dying and the focus must shift from "who?" to "how?"
- Macrae argues defenders should use AI to model likely attack scenarios in advance and prepare for them before attackers strike.
- Others in the security industry remain skeptical that AI is transforming cybercrime as radically as some predict.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
Alistair Macrae, who helped investigate the 2011 PlayStation Network breach, says AI-generated malware and code will make it far harder to tell Russian state hackers from teenage cybercriminals – forcing defenders to rethink threat intelligence.
Macrae, whose career has spanned the Royal Air Force, secondments to UK National Cyber Security Center and NATO, thinks that as attackers use AI more frequently, threat intelligence will die “because it's just all going to point to AI.”
And when attackers start shifting to AI, he adds, all those digital fingerprints are going to change. It will be much harder to decipher a Russian threat actor from a hooded bedroom teen if they’re both using an LLM to launch an attack.
“They’re all going to look like Claude, ChatGPT or Qwen, they’re going to be non-descript, very vanilla.”Alistair McCrae, OT security principal, e2e-assure.
TTPs out the window
For years, cyber investigators like Macrae have attributed attacks by painstakingly analyzing what security professionals call tactics, techniques, and procedures (TTPs).
Malware often betrays its creators' coding habits, since attack tools leave distinctive signatures. For example, North Korea-linked threat actors (often tracked as the Lazarus Group) have historically deployed customized "wiper" tools that erase data from target computers.
Clues like compile times, preferred exploits, leftover debug notes (e.g., "//test point A"), or the use of rare, non-standard programming languages can all help identify the individuals or groups behind an attack.
Macrae argues that AI is changing this completely.
Instead of exposing the characteristics of a Russian-linked espionage group such as Fancy Bear which might distinguish it from cartels such as Dragonforce, the cyber expert claims you won’t be able to.
“The DNA of those attackers is going to get scrubbed away."Alistair McCrae, OT security principal, e2e-assure.
“You’re not going to be able to distinguish between an attacker in Russia versus one in China or North Korea. It’s all just going to look like AI tools," he adds.
I ask whether the human ego might still trip some of these AI-driven criminals up – many can't resist bragging on darkweb forums. Plus, if it’s a hacktivist group, they may want to get their name out there, to hammer home whatever point they're trying to make.
Macrae agrees, up to a point: “They may hide or proxy behind an AI for an attack. But they will want kudos somewhere. They can’t resist taking credit for taking down huge corporations. They will love to brag about how they did it,” he says, adding that marrying TTPs with forum brags has been helpful to him in the past.
Murderboards at Sony
During the response to the 2011 Sony PlayStation Network attack, Macrae remembers covering whiteboards with diagrams in what became his trademark “Murderboard” - connecting logs, timelines, attack tools, and intelligence gathered from numerous sources to build a picture of how an attack unfolded.
“It wasn’t one piece of evidence,” he explains, “It was dozens of tiny clues that, together, started to tell a story.”
That detective work was possible because attackers left distinctive traces behind.
“Imagine trying to do that with AI?” he says, “All I could discover is the AI that’s written it. All of a sudden I’m pinning it onto an AI that millions of people are using.
“The trail is dead: It was Claude in the library with the lead piping!” he jokes, referring to the iconic board game Cluedo.
Identifying the AI model involved in generating malicious code, he argues, tells investigators almost nothing. The brags on forums are only “tiny breadcrumbs” if there are not TTPs to link them to.
And to add to the pain, he claims that LLMs make false flag operations, where attackers imitate another group to throw investigators off the trail - even easier.
“You can just say, ‘I want you to emulate this group,’ or ‘rewrite this code in Russian,’” he says. “Any nation state can quite easily false flag something and you’re not going to be able to pin the tail on the donkey.”
"I think attribution is going to go out the window."Alistair McCrae, OT security principal, e2e-assure.
That’s why he thinks attribution is no longer useful. “I think attribution is going to go out the window,” he says, “ We’re not so bothered about who it is now. What is it?”
Predicting crimes before they happen
Threat intelligence has largely focused on identifying the attacker – building profiles, tracking campaigns and linking incidents to known criminal groups or nation states.
In an AI-driven world Macrae argues that effort risks becoming increasingly academic.
Instead, he believes that security teams should concentrate on understanding the finite number of ways systems can be compromised and prepare for those scenarios via a simulation before an attack even begins.
“There are only a finite number of ways they can get onto that device,” he says.”If we start looking at the modelling of the attack rather than evidence from the attack then we can start doing predictive modeling. ‘If it’s this, respond like this’ ‘If it’s that, respond like that’. “
At the security firm he’s currently working for, e2e-assure, it is using AI-powered digital twin simulations of their customers’ environments, simulating likely attack paths and rehearsing their responses to each one.
The result is a library of playbooks that can be deployed the moment suspicious activity appears. Macrae likens the concept to the “precogs” in Tom Cruise film Minority Report – using AI not to investigate attacks after the event, but to anticipate how they are likely to unfold before they happen.
AI agents - overhyped and overpaid?
Not everyone agrees that AI is about to transform cybercrime as radically as Macrae predicts. Independent security researcher Marcus Hutchins – best known as the “WannaCry hero” for helping stop the 2017 ransomware attack that crippled parts of the NHS – has claimed that the industry is overstating AI’s role in the cyber attacks.
Last autumn, he criticized an MIT affiliated paper claiming that 80% of ransomware attacks were powered by AI as “exaggerated and baseless.”
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
Hutchins has also questioned the hype surrounding Anthropic’s frontier cyber model Mythos, arguing that $20,000 worth of tokens was an expensive way to discover 27-year old vulnerabilities
The researcher has also consistently argued that attackers continue to rely on tried-and-tested techniques such as phishing, spam and social engineering, rather than sophisticated AI-generated exploits.
Strong password generator
Macrae doesn’t dispute any of this. Nor does he claim to have personally investigated a case where AI carried out the majority of the attack.
But he claims there are incidents of this happening, as he points to what is believed to be one of the first documented examples of an AI-assisted attack at scale: the breach of several Mexican government agencies – as uncovered by Gambit Security earlier this year.
According to the firm’s investigation, attackers used Anthropic’s Claude Code alongside OpenAI’s ChatGPT over more than two months to compromise nine government agencies and steal hundreds of citizen records.
Gambit estimated that Claude generated around 75% of the hands-on hacking activity after its safeguards were bypassed.
Digital forensics won’t disappear overnight
For Macrae, the significance of the incident is not that AI acted alone but that it accelerated work previously carried out by skilled operators (no wonder some criminals are worried about AI taking their jobs, according to a recent Sophos report).
“Some of the things I’m seeing are very vibe code, no code experiments,” he says.
“It’s enabling anyone to do this, opening the floodgates to someone who has never been a cyber criminal before,” he adds.
Nor does he believe digital forensics is disappearing overnight: Human operators may still leave subtle clues behind, particularly in the prompts they use to instruct AI systems.
“There might be some inadvertent language markup that gives away a particular attacker,” he says.
“The way a prompt is asked … there might be something unique to the person giving the prompt.”
Those breadcrumbs may become the new artefacts of the digital investigations. But compared with the rich forensic evidence investigators have relied on for decades, Macrae believes they will be a far weaker – and a far less reliable means of attribution.