The infinite Loop #13

The $1 trillion blind spot: Why AI is India’s FinTech security nightmare

Srijan Nagar, Co-founder · Nov 26, 2025

We spent decades watching movies about robots waging warfare against humans. Turns out we got it all wrong. The AI uprising isn’t cyborg assassins or a chatbot perfectly impersonating your company’s CEO; it has graduated to high-stakes, self-driving cyber espionage.

Last week, Anthropic reported the first recorded case of an AI model being used as a primary engine for a sophisticated cyberattack. A state-backed threat group ‘tricked’ Claude into performing 80-90% of the hacking workflow, with barely any human intervention. From writing malware to probing engines, this agentic AI system performed at a speed that human attackers (or defenders) couldn’t possibly match.

This isn’t another overdramatized threat. It’s a preview of the next systematic risk coming for India’s financial ecosystem.

Why Indian BFSIs & FinTechs can’t ignore this 

Indian players are focusing on leveraging AI for expansion, for innovation, for good. But are we forgetting that this same powerful tool can attack the systems we’re building just as effectively, if not more so?

India is simultaneously: 

  • the fastest-digitising financial market, poised to become a USD 1 trillion digital economy by 2028, 

  • with massively expanded, vulnerable attack surfaces (UPI, OCEN, ONDC, AA, cloud-native FinTech stacks), 

  • and uneven cybersecurity maturity across thousands of regulated and unregulated players. 

For a sophisticated hacker, this massive, tangled web of valuable data, over-exposed APIs, and layered intermediaries is a dream come true. 

Traditional vs AI threat actors 

Traditional hacking usually requires: 

  • a team of skilled human operators,  

  •  trial & error, 

  • slow, manual scripting, 

  • and a lot of time to execute. 

This new wave of AI-driven attacks flips the script. When AI agents are outperforming 90% of the human teams at hackathons, it's clear that these systems are not just faster but also competitively superior. These systems can:

  • launch simultaneous attacks across multiple platforms  

  • generate infinite phishing variants until one bypasses your filter 

  • discover vulnerabilities at unprecedented speed 

  • run parallel exploits across cloud, API, and mobile layers 

India’s digital blind spot 

India's financial stack was designed for scale and instant interoperability, but it did not account for autonomous AI. This creates acute risks, including: 

  • Between UPI, Account Aggregators (AA), and OCEN, every new layer increases API exposure. Threat actors thrive in these complex systems because they can instantly map out gaps that human teams miss.

  • FinTechs rely on multiple external vendors for KYC, cloud, and analytics. This over-reliance on third-party service providers has significantly widened the exposure area. Even if your internal security is strong, AI attackers will simply hunt for the weakest link in that supply chain.

  • A global shortage of skilled cybersecurity professionals has slowed the deployment of protective systems. We simply don't have enough experts to build the defences as fast as the threats are evolving.

  • Current RBI cybersecurity guidelines assume human-driven threats. A ‘compliant’ setup allows you to pass an audit, but it won’t save you from an AI-coordinated attack. Adversaries are now hijacking AI infrastructures and turning them into self-propagating botnets, rendering standard safety checklists obsolete.


The impact is already showing up on the balance sheet. Between April 2024 and January 2025 alone, India reported 2.4 million digital fraud incidents. That resulted in losses of ₹4,245 crore, a staggering 67% increase from the previous year.   

What should Indian FinTechs & BFSI do now? 

  • Anomaly anticipation > threat detection  

Traditional threat detection waits for a broken rule; by then, you’re already under attack. It’s crucial to shift to anomaly anticipation by integrating AI & ML models that flag anomalies before they become breaches. If you’re not using AI to watch your high-risk zones, such as KYC and payment gateways, you’re flying blind. 

  • Audit your AI exposure 

Every SaaS tool, internal chatbot, and analytics vendor is a potential back door.  By building a detailed repository of AI risks, you can proactively prepare for cyber incidents.  

  • Ironclad APIs 

If an endpoint isn't being used, kill it. For the rest, rotate keys, set strict velocity limits to stop rapid-fire AI probing, and red team your own systems using LLM-assisted attacks to see where you break.

  • Board-level ownership 

Don’t bury AI-perpetuated cyber threats in your IT bylaws; they should be a standalone, prioritised agenda for your board.

  • Think beyond compliance 

Waiting for the RBI to define AI security standards is a dangerous gamble. Building and implementing a cybersecurity strategy for an evolving AI threat is paramount for every financial institution. 
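The "Ironclad APIs" controls above, sketched as an added example (not FinBox's code): retired endpoints are denied outright, and each API key gets a sliding-window limit on both request rate and the number of distinct paths it touches. The paths, key names and thresholds are assumptions, and the traffic is constructed.

```python
from collections import defaultdict, deque

# Paths, key names and thresholds are assumptions chosen for illustration.
RETIRED_ENDPOINTS = {"/v1/legacy/kyc-upload"}  # unused endpoint, switched off
WINDOW_SECONDS = 10
MAX_REQUESTS = 20       # requests per key per window
MAX_DISTINCT_PATHS = 8  # distinct paths per key per window (enumeration signal)

class VelocityGuard:
    def __init__(self):
        self._events = defaultdict(deque)  # api_key -> deque of (ts, path)

    def check(self, api_key, path, ts):
        """Return allow, deny_retired, throttle_rate or throttle_breadth."""
        if path in RETIRED_ENDPOINTS:
            return "deny_retired"
        window = self._events[api_key]
        # Drop events that have aged out of the sliding window.
        while window and window[0][0] <= ts - WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_REQUESTS:
            return "throttle_rate"
        # Many different paths in a short time looks like mapping, not usage.
        if len({p for _, p in window} | {path}) > MAX_DISTINCT_PATHS:
            return "throttle_breadth"
        window.append((ts, path))  # only admitted requests consume budget
        return "allow"

def replay(events):
    """Run (api_key, path, ts) tuples through one guard, in order."""
    guard = VelocityGuard()
    return [guard.check(key, path, ts) for key, path, ts in events]

def sample_traffic():
    """Constructed traffic: steady client, burst, path sweep, retired call."""
    steady = [("key-app", "/v1/payments/status", t * 2.0) for t in range(5)]
    burst = [("key-x", "/v1/payments/status", 100 + i * 0.1) for i in range(25)]
    sweep = [("key-y", f"/v1/resource/{i}", 200 + i * 0.5) for i in range(10)]
    retired = [("key-app", "/v1/legacy/kyc-upload", 300.0)]
    return steady + burst + sweep + retired

if __name__ == "__main__":
    for event, verdict in zip(sample_traffic(), replay(sample_traffic())):
        print(verdict, event)
```

Throttle and deny verdicts are worth logging per key, since a key that repeatedly hits the breadth limit is a candidate for rotation.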

The bottom line 

The Anthropic incident is a stark warning of what’s coming. India’s financial ecosystem is evolving faster than it is securing itself. A breach today means instant reputational damage, regulatory heat, RBI scrutiny, and paralysed growth. If we don’t fix the imbalance now, the consequences could be catastrophic.

The choice is simple: upgrade your cybersecurity architecture now or wait for an AI-native threat to force the correction for you. 
