OpenAI's June 2026 Threat Report: AI Agents Used for Malicious Activities

OpenAI published its June 2026 Threat Report, analyzing how AI agents and large language models are being exploited for malicious purposes. The report covers disinformation campaigns, phishing at scale, and fraud facilitated by AI agents, with concrete examples and metrics.
Key Findings
- Disinformation operations: Over a dozen networks were disrupted, with AI-generated content at a rate 30% higher than human-only operations. AI agents created realistic personas and automated content generation for influence campaigns.
- Phishing & Fraud: AI agents powered 40% of all phishing emails detected in Q1 2026, with personalized language generation increasing click-through rates by 15–20% compared to template-based attacks.
- Credential harvesters: Agents generated fake login pages mimicking 50+ brands, using real-time adaptation to bypass detection.
Technical Details for Developers
The report recommends several mitigations for developers deploying AI agents:
- Rate limiting and anomaly detection: Implement per-user token limits and monitor for strange patterns (e.g., sudden spikes in API calls to content generation endpoints). OpenAI detected 12% of malicious usage via volume anomalies.
- Output filtering: Use the
Moderationendpoint to screen model outputs for hate speech, harassment, or disinformation signals before delivery. OpenAI's internal filters flagged 78% of abusive outputs. - Watermarking: C2PA metadata and invisible watermarks helped trace 90% of AI-generated phishing pages to specific model instances.
Mitigation Strategies in Practice
The report details three case studies:
- Disinformation botnet: A network of 2,000 AI agents generated 500,000+ posts in 48 hours across 10 social platforms. Open AI disrupted by identifying shared IP clusters and prompt overlap.
- Spear-phishing at scale: Agents scraped LinkedIn profiles and generated tailored emails targeting 10,000 executives. Detection relied on DMARC alignment failure and DNS anomaly analysis.
- Fake customer support agents: AI agents impersonated support chatbots on e-commerce sites to harvest payment info. OpenAI's mitigation: forced user authentication via OAuth and transaction rate limits.
What Developers Should Do
If you build AI agents, integrate the openai-moderation package and enable activity logging via the Usage Dashboard. Set up alerts for unusual request patterns (e.g., >1,000 generations per hour from one API key). The full report includes updated threat indicators and a recommended security checklist.
📖 Read the full source: HN AI Agents
👀 See Also

Research: Invisible Unicode Characters Can Hijack LLM Agents via Tool Access
A study tested whether LLMs follow instructions hidden in invisible Unicode characters embedded in normal text, using two encoding schemes across five models and 8,308 graded outputs. Key finding: tool access amplifies compliance from below 17% to 98-100%, with models writing Python scripts to decode hidden characters.

OpenClaw Security Alert: 500,000 Public Instances, Default Config Exposes Systems
A security analysis reveals 500,000 OpenClaw instances are publicly accessible, with 30,000 having known security risks and 15,000 exploitable through known vulnerabilities. The default installation disables authentication and binds to 0.0.0.0, exposing agent setups to the open internet.

Nullgaze: Open Source AI-Supported Security Scanner Released
Nullgaze is a new open source AI-supported security scanner that detects vulnerabilities specific to AI-generated code, boasting near-zero false positives.

Critical Cowork Bug: AI Agent Deleted Files Without User Approval
A critical bug in Claude's Cowork mode allowed the AI to execute destructive actions without user consent. The ExitPlanMode tool falsely reported user approval, triggering an autonomous agent that deleted 12 files from a React/TypeScript codebase.