AI-Assisted Attack: 17-Year-Old Arrested for 7M User Data Breach
On December 4, 2025, Japanese law enforcement agencies apprehended a 17‑year‑old, identified as Kaito Matsumoto, in Osaka for allegedly running a piece of AI‑generated malicious code that siphoned the personal information of approximately 7.2 million users from a major domestic online marketplace. The teen, who reportedly used a large language model to craft a polymorphic payload, exploited an unpatched API endpoint that lacked proper rate‑limiting, allowing the script to mass‑extract records including names, email addresses, and salted SHA‑256 password hashes.
The attack vector combined a zero‑day SQL injection flaw in the retailer’s legacy inventory management system with a custom DNS‑tunneling module that covertly transmitted the stolen data to an external server controlled by the suspect. Forensic analysts from the Japan National Police Agency (JNPA) discovered the exfiltration trail after a threat‑intelligence firm flagged anomalous DNS query patterns originating from the retailer’s network. The malicious code, written in Python and obfuscated with an AI‑generated XOR‑based encryption routine, evaded the company’s signature‑based antivirus solutions for several weeks.
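The anomalous DNS query patterns described above can be surfaced with simple per-client statistics over resolver logs. The following is an added example, not code from the investigation or from any party named in this article; the log format, thresholds, addresses, and domain names are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, "<client_ip> <qname>" (not incident data).
SAMPLE_LOG = """\
10.0.4.17 www.shop.example
10.0.4.17 api.shop.example
10.0.4.17 img.cdn.example
10.0.9.23 mzxw6ytboi4tqnjqgiydcmrt.a1.tunnel.example
10.0.9.23 gezdgnbvgy3tqojqme2wkzdp.a2.tunnel.example
10.0.9.23 nbswy3dpeb3w64tmmqqho2lu.a3.tunnel.example
10.0.9.23 orugs4zanfzsa43foruw4zzb.a4.tunnel.example
10.0.9.23 www.shop.example
"""

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parent_domain(qname):
    # Assumption: the last two labels form the registered domain.
    # Production code should consult the Public Suffix List (e.g. for .co.jp).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_suspects(log, min_unique=4, min_avg_len=20, min_entropy=3.5):
    """Flag (client, parent) pairs with many long, high-entropy subdomains."""
    groups = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts[0], parts[1].lower().rstrip(".")
        parent = parent_domain(qname)
        sub = qname[: -len(parent)].rstrip(".")
        if sub:
            groups[(client, parent)].add(sub)
    suspects = []
    for (client, parent), subs in sorted(groups.items()):
        joined = "".join(s.replace(".", "") for s in subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_avg_len and entropy(joined) >= min_entropy:
            suspects.append((client, parent, len(subs)))
    return suspects

if __name__ == "__main__":
    print(find_tunnel_suspects(SAMPLE_LOG))
```

The thresholds are illustrative starting points; tune them against a baseline of the network's own resolver traffic, since CDNs and telemetry services also generate long, random-looking labels.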
Matsumoto was charged under Japan’s Unauthorized Access Prohibition Act, which prohibits unauthorized access and data extraction and carries a maximum penalty of three years’ imprisonment and a fine of up to ¥1 million. The case has sparked renewed debate over the ease with which generative AI tools can lower the barrier for novice hackers, especially as the tools can produce functional exploit code from simple natural‑language prompts. Security researchers warn that 2026 is poised to see a surge in similar AI‑assisted attacks, urging organizations to adopt robust input validation, deploy behavioral anomaly detection, and enforce strict patch management policies to mitigate the risk.
The breach underscores the growing intersection of artificial intelligence and cybercrime, highlighting the need for regulatory frameworks and industry standards that specifically address the misuse of AI in crafting malware. As the investigation continues, authorities are collaborating with the marketplace to notify affected users and implement stronger access controls to prevent future incidents.