AI is accelerating cyber crime across Asia Pacific: what insurers need to know
Artificial intelligence is changing how attacks are planned, launched, and scaled across Asia Pacific. A new CrowdStrike report points to faster malware development, high-volume phishing, and industrialised ransomware operations pushing loss frequency higher across the region.
Chinese-language underground markets remain active despite crackdowns. Platforms such as Chang'an, FreeCity, and Huione Guarantee have facilitated sales of stolen credentials, phishing kits, malware, and money laundering. Huione Guarantee alone is estimated to have processed about US$27 billion before being taken down earlier this year.
"E-crime actors are industrialising cyber crime across APJ through thriving underground markets and complex ransomware operations. Simultaneously, AI-developed malware enables adversaries to launch high-velocity, high-volume attacks," said Adam Meyers, head of counter adversary operations at CrowdStrike.
Where the impact is hitting
CrowdStrike tracked 763 victims in Asia Pacific and Japan listed on darknet leak sites between January 2024 and April 2025. India, Australia, Japan, Taiwan, and Singapore were most affected.
Targeted sectors: manufacturing, technology, industrial and engineering, financial services, and professional services. The pattern is clear: attackers prefer targets with high supply-chain connectivity and data-rich environments where operational urgency raises the pressure to pay.
Implications for carriers and brokers
- Underwriting focus: Ask directly about AI exposure. Do applicants use generative AI, code assistants, or LLM integrations? What controls govern model outputs, data handling, and prompt injection risk?
- Control maturity over tooling: Prioritise MFA everywhere, endpoint detection and response (with 24/7 monitoring), email security with link isolation, privileged access management, and tested offline backups.
- Ransomware posture: Require restore-time SLAs, immutable backups, segmentation, and playbooks for extortion decisions. Consider coinsurance and higher retentions where controls are weak.
- Vendor risk: Map critical third parties and shared identity platforms. Collect SBOM/patch cadence where feasible and enforce identity hardening for SSO, VPN, and remote access.
- Accumulation management: Watch concentration in common vendors, MFA/SSO providers, managed service providers, and widely used file-transfer tools. Model correlated outage and data-theft scenarios.
- Coverage clarity: Tighten definitions around cyber war/state activity, data theft extortion, system failure vs. security failure, and contingent business interruption. Align waiting periods to faster attack timelines.
- Claims readiness: Pre-negotiate panel vendors. Ensure surge capacity for IR, forensics, restoration, and legal notification across APAC jurisdictions.
- Pricing and reserving: Expect higher frequency from automated phishing and quicker lateral movement. Severity remains elevated for double/triple extortion; monitor trends by sector and by control adoption.
High-value controls to validate at bind and renewal
- MFA enforced for all users and admins, with phishing-resistant factors for privileged roles.
- EDR deployed to all endpoints and servers, with managed detection and response (24/7) and rapid containment.
- Email security with advanced phishing detection, link rewriting, and attachment sandboxing.
- Regularly tested, offline and immutable backups; recovery time objectives documented and proven.
- Strict privilege management, just-in-time admin, and vaulting of service accounts.
- Patch and vulnerability SLAs aligned to exploit timelines; external attack surface monitoring.
- Network segmentation that limits lateral movement; disable or tightly gate RDP.
- Third-party access controls with separate credentials, scoped permissions, and monitoring.
- IR plan with tabletops simulating AI-aided phishing, deepfake voice fraud, and fast-moving ransomware.
Broker talking points for clients
- Do you have a rehearsed decision framework for ransom demands, including legal constraints by jurisdiction?
- Can you restore core systems within business-acceptable RTOs without paying a ransom?
- Are extortion, data theft, and system failure covered with clear sublimits and definitions?
- What's your exposure to a single vendor compromise? Do you have contingent BI coverage and appropriate waiting periods?
- Who are your pre-approved IR, forensics, and crisis comms partners, and how fast can they start?
Why AI changes the loss picture
AI speeds up phishing content creation, makes impersonation more believable, and lowers the skill required to write malware. That combination pushes more attempts into the funnel and shortens the dwell time between initial access and impact.
For insurance, that means quicker claim triggers and less time for insureds to react. The winners will be carriers and brokers who tie pricing and capacity to proven control performance, not check-the-box policies.
What to watch next
- Shifts in underground-market activity as platforms are disrupted and reconstituted elsewhere.
- More AI-assisted credential theft and MFA fatigue, especially via mobile and messaging apps.
- Expanded double/triple extortion targeting customers, suppliers, and executives simultaneously.
Source: CrowdStrike's regional threat analysis highlights the role of AI and underground markets. For broader context, see the company's annual threat reporting, the CrowdStrike Global Threat Report.
Upskilling your team
Underwriters, brokers, and claims teams now need working fluency in AI risk to ask better questions and spot weak controls. Practical training by role can help speed that up.