The FBI is using artificial intelligence to hack into computer systems, scanning for vulnerabilities and exploiting them at speeds impossible for human operators. A senior FBI official confirmed the practice at a national security conference this week, calling AI a “game changer” for the bureau’s cyber operations.
What the FBI Revealed
Todd Hemmen, Deputy Assistant Director of the FBI’s Cyber Division, spoke at a national security and AI conference on Tuesday about how the agency’s computer network operations program uses AI for what he called “on-network or remote access operations” - government speak for hacking.
“AI has tremendous benefits, not entirely different than the benefits that are being enjoyed by some of our adversarial nation-state actors,” Hemmen said, according to 404 Media.
The FBI uses AI across three key phases of cyber operations:
Reconnaissance: “AI can scan those surfaces very, very efficiently. So it’s that initial scanning in terms of where are the vulnerabilities, how can I exploit and gain access,” Hemmen explained.
Exploitation: Once vulnerabilities are found, AI helps the FBI gain access to target systems.
Lateral movement: After initial access, AI assists agents in moving through networks to reach additional data and capabilities.
Hemmen described “the speed at which we are able to conduct - autonomous isn’t the right word - but AI-enabled attacks” as a major advantage.
“AI as having applicability across, again, every single tactic that would be relevant to those on-network operations,” he added. “So it’s a game changer in that sense.”
A History of FBI Hacking
The FBI has been developing hacking capabilities for over two decades. The bureau’s “Network Investigative Techniques” (NITs) have been documented since at least 2002, when agents first deployed malware to identify suspects hiding behind anonymization tools.
The most controversial case came in 2015 with Operation Playpen, when the FBI seized a dark web child abuse site but kept it running for 13 days while deploying malware to unmask visitors. A single warrant signed by a Virginia magistrate authorized searches of computers worldwide - eventually affecting systems in dozens of states and multiple countries.
The Electronic Frontier Foundation argued this violated Rule 41 of the Federal Rules of Criminal Procedure, which limited search warrants to a judge’s jurisdiction. In 2016, the Supreme Court approved changes expanding Rule 41, allowing judges to authorize hacking of computers anywhere in the world.
The FBI has also:
- Purchased NSO Group’s Pegasus spyware, reportedly for potential use against domestic targets
- Used classified hacking tools in ordinary criminal investigations
- Exploited non-public vulnerabilities without disclosing them to software vendors
The AI Escalation
Adding AI to this existing capability represents a significant escalation. Where human operators might take hours or days to scan a network for weaknesses, AI systems can do it in minutes or seconds. The technology can also identify attack patterns and exploitation opportunities that humans might miss.
This mirrors what security researchers have warned about AI-powered attacks from criminals and nation-states. The FBI is essentially deploying the same techniques, just with legal authority (from its perspective) to do so.
After 404 Media’s report, the FBI issued a statement claiming all operations “comply with constitutional requirements, applicable statutes, executive orders, DOJ regulations, and Attorney General guidelines.” The bureau said AI deployments are “inventoried, reviewed, and reported per Executive Order requirements and OMB guidance.”
What This Means
The FBI’s AI hacking capabilities raise several concerns:
Scale: AI enables mass surveillance operations that would be impossible manually. A system that can scan millions of potential targets for vulnerabilities changes the economics of surveillance dramatically.
Oversight: While the FBI claims compliance with legal requirements, the history of Rule 41 warrants shows how easily oversight can be stretched. Courts have struggled to evaluate technical hacking operations they don’t fully understand.
Vulnerability hoarding: If the FBI is using AI to find software vulnerabilities for exploitation rather than disclosure, ordinary users remain at risk from the same flaws.
Mission creep: Techniques developed for counterterrorism and child exploitation cases have historically expanded to routine criminal investigations.
The bureau’s candid acknowledgment that AI provides “the same benefits” as adversarial nation-states suggests we’re in an AI arms race - one where the tools of surveillance grow more powerful while oversight mechanisms remain stuck in the pre-AI era.
The Bottom Line
The FBI now has AI systems that can scan networks for vulnerabilities, exploit them, and move through compromised systems - all at machine speed. Whether existing legal frameworks can meaningfully constrain these capabilities remains an open question.