Organizations defending networks now have roughly half an hour to detect and stop an intruder before that intruder gains full control, according to CrowdStrike’s 2026 Global Threat Report, which places the average attacker breakout time at 29 minutes. The same report documents an 89 percent year-over-year increase in AI-enabled adversary operations. That shrinking window collides with real-world events: the FBI attributed a $1.5 billion cryptocurrency theft from the Bybit exchange to North Korea, illustrating the speed and scale at which state-backed groups now operate.
What is verified so far
The strongest confirmed facts center on the Bybit breach and its attribution. The FBI issued a Public Service Announcement identifying North Korea as responsible for the $1.5 billion Bybit hack and listing specific cryptocurrency wallets used to move the funds. That alert, which appears in the bureau’s cyber section, gives exchanges and blockchain analytics firms concrete indicators they can use to flag or freeze assets linked to the theft.
The same advisory is cataloged as PSA250226 in the Internet Crime Complaint Center’s 2025 public index, confirming both its existence and its official status within the FBI’s record system. The catalog entry ties the announcement to the broader framework the bureau uses to communicate urgent cybercrime trends and state-backed operations to critical infrastructure operators, financial institutions, and the general public.
The scale of the Bybit theft is striking on its own terms. At $1.5 billion, it ranks among the largest single cryptocurrency heists ever documented by a government agency. The FBI’s decision to issue a standalone PSA, rather than fold the attribution into a broader advisory, signals high confidence in the intelligence linking the operation to North Korean actors. That confidence matters because attribution in cyber operations is often contested or delayed by months. Here, the bureau moved quickly to name the responsible state and provide actionable technical indicators.
CrowdStrike’s headline metrics, the 29-minute average breakout time and the 89 percent rise in AI-driven adversary activity, appear in the company’s own 2026 report. Breakout time refers to the interval between an attacker’s initial compromise of a single machine and the moment they move laterally to a second system on the same network. A shorter breakout time means defenders have less opportunity to isolate the first infected endpoint before the intrusion spreads. The 29-minute figure represents a dramatic compression from prior years, when breakout times were typically measured in hours.
The 89 percent increase in AI-enabled operations describes the growth rate of adversary campaigns that use generative AI or machine-learning tools for tasks such as crafting phishing lures, automating reconnaissance, or generating malicious code. CrowdStrike tracks these campaigns through its threat intelligence division, though the company has not released the raw dataset or full methodology behind either metric to the public. As a result, the numbers are best understood as directional indicators of a rapid shift rather than precise global measurements.
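The breakout-time metric defined above can be measured against an organization's own endpoint telemetry. The following Python is an added example, not code from CrowdStrike or its report; the event records, host names and the 30-minute containment target are constructed assumptions.

```python
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of EDR-style telemetry (not real incident data).
# Each record: incident id, host, UTC timestamp, coarse event class.
SAMPLE_EVENTS = [
    {"incident": "INC-1", "host": "ws-017", "ts": "2026-02-21T09:03:12Z", "kind": "initial_access"},
    {"incident": "INC-1", "host": "ws-017", "ts": "2026-02-21T09:10:40Z", "kind": "discovery"},
    {"incident": "INC-1", "host": "fs-02",  "ts": "2026-02-21T09:29:55Z", "kind": "lateral_movement"},
    {"incident": "INC-2", "host": "ws-104", "ts": "2026-02-22T14:00:00Z", "kind": "initial_access"},
    # Same-host activity is not a breakout: the intruder has not reached a second system.
    {"incident": "INC-2", "host": "ws-104", "ts": "2026-02-22T14:45:00Z", "kind": "lateral_movement"},
    {"incident": "INC-2", "host": "db-01",  "ts": "2026-02-22T16:05:00Z", "kind": "lateral_movement"},
    {"incident": "INC-3", "host": "ws-220", "ts": "2026-02-23T08:00:00Z", "kind": "initial_access"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def breakout_minutes(events, incident: str) -> Optional[float]:
    """Minutes from the earliest initial_access to the earliest lateral_movement
    that lands on a *different* host. None if no such pivot was observed."""
    inc = sorted((e for e in events if e["incident"] == incident), key=lambda e: _parse(e["ts"]))
    first = next((e for e in inc if e["kind"] == "initial_access"), None)
    if first is None:
        return None
    t0 = _parse(first["ts"])
    for e in inc:
        if e["kind"] == "lateral_movement" and e["host"] != first["host"] and _parse(e["ts"]) >= t0:
            return (_parse(e["ts"]) - t0).total_seconds() / 60
    return None


def incidents_beating_target(events, target_minutes: float = 30.0) -> dict:
    """Incidents whose measured breakout time was shorter than the containment
    target, i.e. cases where isolating the first host would have come too late."""
    out = {}
    for inc in sorted({e["incident"] for e in events}):
        m = breakout_minutes(events, inc)
        if m is not None and m < target_minutes:
            out[inc] = round(m, 1)
    return out
```

Feeding real telemetry through the same logic lets a team compare its own median breakout time with the report's 29-minute figure rather than taking the vendor number on trust.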
What remains uncertain
Several gaps separate the verified facts from the broader narrative. CrowdStrike’s 29-minute breakout figure and 89 percent AI increase are self-reported metrics drawn from the company’s own customer telemetry and incident response engagements. No independent third party has published a peer review or replication of those numbers. The sample may skew toward organizations that already use CrowdStrike products, which could affect the average in either direction. Without access to the underlying data, outside analysts cannot confirm whether the 29-minute figure reflects a global median, a mean, or a figure weighted by incident severity.
The connection between the CrowdStrike report’s AI findings and the Bybit theft is also uncertain. The FBI’s PSA does not describe the specific tools or techniques North Korean operators used to execute the breach. Whether AI-enabled tooling played a role in the Bybit hack, or whether the attackers relied on more conventional methods such as social engineering, credential theft, or supply-chain compromise, is not addressed in any public government document available at this time. Drawing a direct line between the two requires assumptions that go beyond the current evidence.
The speed at which the stolen $1.5 billion moved through cryptocurrency wallets is likewise not fully detailed in the FBI alert. The advisory provides wallet addresses but does not publish a timeline showing how quickly funds were laundered after the initial theft. Blockchain forensics firms have published their own analyses, but those remain third-party interpretations rather than official government findings. Any claim about on-chain dwell time or laundering velocity should be treated as preliminary until confirmed by law enforcement or court filings.
One hypothesis worth tracking is whether North Korean operators are applying automated or AI-assisted tools to accelerate the laundering phase, not just the initial intrusion. If future FBI-attributed wallet clusters show measurably shorter intervals between theft and conversion, that pattern could validate the broader trend CrowdStrike describes. For now, that link is speculative. Analysts can monitor subsequent PSAs for signs that laundering timelines are shrinking in ways consistent with automation.
How to read the evidence
Two categories of evidence support this story, and they carry different weight. The FBI’s PSA is a primary government source with named attribution, specific technical indicators, and an official catalog number. It represents the strongest tier of evidence available. When the bureau states that North Korea executed the Bybit theft and provides wallet addresses, that claim carries the institutional credibility and legal accountability of a federal law enforcement agency. Organizations in the cryptocurrency sector can act on those identifiers immediately by screening transactions against the listed addresses and tightening controls around related clusters.
CrowdStrike’s report sits in a different category. It is a commercial threat intelligence product released by a publicly traded cybersecurity company that has a business interest in highlighting the scale and urgency of emerging threats. That does not mean the findings are inaccurate, but it does mean readers should treat the numbers as estimates drawn from a particular slice of the global threat landscape. Without independent replication, the 29-minute breakout time and the 89 percent AI growth rate should be read as strong signals that attackers are moving faster and automating more of their operations, rather than as definitive global benchmarks.
For defenders, the practical takeaway is less about the exact number of minutes and more about the direction of travel. If sophisticated intruders can routinely pivot across a network in under half an hour, organizations must assume that traditional, manually driven detection workflows will arrive too late. Automated monitoring, rapid containment playbooks, and continuous testing of incident response procedures become essential. Similarly, if AI-enabled tooling is lowering the skill and time required to run complex campaigns, then phishing, credential stuffing, and lateral movement attempts are likely to increase in both volume and quality.
At the same time, tying every high-profile breach to AI risks obscuring the basics. The FBI’s Bybit attribution underscores that state-backed groups still succeed at massive scale without any publicly confirmed use of cutting-edge tools. Poor key management, unpatched systems, and weak internal controls can be just as decisive as any machine-learning model. Until more technical detail emerges in court documents or follow-up advisories, the Bybit case should be understood as a clear example of state-sponsored theft and a reminder that known best practices remain unevenly implemented across the cryptocurrency ecosystem.
Read together, the FBI’s attribution and CrowdStrike’s metrics point to a converging reality: highly capable adversaries, including nation-states, are operating in an environment where the time between compromise and catastrophe is shrinking. The precise role of AI in any single incident may remain murky, but the structural pressures on defenders are clear. Faster intrusions, larger thefts, and more automated campaigns mean that organizations cannot rely on after-the-fact investigations alone. They must design networks, monitoring, and response processes on the assumption that the next breach will unfold in minutes, not days.
*This article was researched with the help of AI, with human editors creating the final content.