One Person, 72 Hours, One Wrecked AWS Account: How AI Handed a Lone Criminal the Keys to a Global Enterprise

Security firm Sygnia says a single attacker used artificial intelligence to tear through a major cloud environment at a pace that would normally require a full criminal crew. The unnamed victim was extorted.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial photograph, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • A single criminal broke into a large Amazon Web Services cloud environment in roughly 72 hours, according to incident-response firm Sygnia.
  • The attacker used AI tools to speed up reconnaissance (the process of scouting a target's systems) and build attack tools on the fly.
  • No single password or software flaw opened the door; the criminal chained together multiple smaller weaknesses across the victim's cloud setup.
  • The unnamed victim, described as a global enterprise, was financially extorted after the attacker demonstrated the ability to shut down critical services.
  • Sygnia published its findings in a research report this week, first covered by Dark Reading.

A single criminal just proved that you no longer need a gang to pull off an enterprise-scale cloud heist. You need AI and a weekend.

Cybersecurity and incident-response company Sygnia released research this week describing how one attacker broke into a large Amazon Web Services (AWS) environment, which is the cloud computing platform that thousands of businesses use to store data and run their software, and extorted an unnamed global company. The whole operation took approximately 72 hours.

How did the hackers get in?

The attacker got a foothold through an internet-facing application that exposed an AWS access key, a kind of digital password that grants commands over cloud resources. From there, the criminal did not simply grab what was nearby. Instead, the key was fed into four separate automated workflows, meaning pre-written sequences of actions the AI tool could run without stopping for human input, to harvest credentials, build backdoors, copy out data, and scout for new access points simultaneously.

Every time a new set of credentials turned up, the attacker ran them through the same four workflows again.

No single catastrophic flaw made this possible. Sygnia says the attacker threaded together weaknesses across application services, source-code repositories, CI/CD pipelines (the automated systems companies use to build and update their software), and data stores. Individually, none of those gaps would have been enough. Together, they handed over the keys to the building.

What made this unusual was speed. Sygnia's researchers looked at attacker-written scripts, the sheer number of cloud techniques used, and the parallel timing of activity and concluded that a single person accomplished in three days what would typically take a team several weeks. AI-assisted workflows handled the grunt work: scanning the environment, adapting commands to fit what the attacker found, and generating tools on the spot.

To pressure the victim into paying, the attacker performed a series of reversible but painful disruptions. These included blocking access to S3 buckets (online storage containers), throttling computing services to zero capacity, and wiping message queues. The message was clear: pay, or the next round is permanent.

Sygnia vice president Avi Dayan put it plainly. If an AI tool can steal data or break out of a contained system in under a minute, a security team waiting for a human analyst to review an alert will always be too slow.

Organisations that want to close this gap should focus on four things: monitoring every account and asset in real time, tightening identity and access controls so stolen keys cannot roam freely, automating their own detection and response so they can match the attacker's pace, and writing down exactly what to do the moment something looks wrong so there is no delay when it matters most.

If you are a customer of a large company and you receive unexpected emails asking you to confirm account details or reset passwords in the coming weeks, treat them with suspicion and contact the company directly through its official website.

© 2026 Threat Vectr