Will an AI-enabled cyber-attack, attributed to a state actor, cause significant disruption to critical national infrastructure in any G20 country before 1 July 2026?

Started Dec 19, 2025 05:00PM UTC
Closing Jul 01, 2026 04:00AM UTC
See more details
Topics
Seasons
Artificial intelligence is rapidly transforming the cyber threat landscape, with state-sponsored actors increasingly leveraging AI to enhance the scale, speed, and sophistication of their operations. As of October 2025, 50% of respondents at critical infrastructure organizations reported already facing an AI-powered attack in the past year (Axios). In November 2025, Anthropic disclosed detecting what researchers assess as the first publicly known case of a Chinese state-sponsored group using AI to autonomously conduct approximately 80-90% of a cyber espionage campaign, with the AI performing reconnaissance, exploitation, and data exfiltration with minimal human intervention (Anthropic).

Critical infrastructure has become a primary target for state-sponsored cyber operations. Approximately 70% of all cyberattacks in 2024 involved critical infrastructure (Industrial Cyber). The Chinese state-sponsored group Salt Typhoon compromised at least nine major telecommunications providers in 2024, while Russian cyberattacks on Ukraine surged by nearly 70% in 2024, with 4,315 incidents targeting critical infrastructure including government services, the energy sector, and defense-related entities (CSIS).

Resolution Criteria:
This question will resolve based on credible reporting from major news organizations, government agencies, cybersecurity firms, or official statements from G20 member governments.

For the purposes of this question, the G20 countries are: Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Republic of Korea, Mexico, Russia, Saudi Arabia, South Africa, Türkiye, United Kingdom, and the United States. While the European Union and African Union are also G20 members, only the 19 individual countries listed above will count for resolution. Attacks impacting critical infrastructure in EU or AU member states that are not on this list (e.g., Poland, Spain, Egypt, Kenya) will not count toward resolution.

The question will resolve “Yes” if all of the following conditions are met before 1 July 2026:
1. AI-enabled cyber attack: The attack must have utilized artificial intelligence in a substantial way during its execution. This includes, but is not limited to: AI-driven reconnaissance, vulnerability discovery, autonomous exploitation, AI-generated phishing or social engineering content, AI-powered malware that adapts during execution, or AI-assisted lateral movement and data exfiltration. For resolution purposes, credible reporting that explicitly describes the attack as “AI-enabled,” “AI-powered,” “AI-assisted,” “AI-orchestrated,” or uses similar terminology indicating substantial use of AI capabilities will be sufficient.

2. State actor attribution: The attack must be credibly attributed to a state actor, state-sponsored group, or Advanced Persistent Threat (APT) group with demonstrated ties to a nation-state. Attribution must come from at least one of the following sources:

  • A G20 government or government agency
  • A major cybersecurity firm (such as CrowdStrike, Mandiant, Kaspersky, Palo Alto Networks, Microsoft Threat Intelligence, Google Threat Intelligence, or similar established firms)
  • A major technology company's security division
  • Authoritative international cybersecurity organizations (such as CISA, NCSC, or equivalent national agencies)

    If a threat actor group is attributed to the attack but state sponsorship is not explicitly confirmed, the group will qualify as state-affiliated if it appears on established APT lists (such as MITRE ATT&CK Groups, Mandiant APT Groups, or similar authoritative sources) with assessed or suspected nation-state ties. Attribution terminology such as “state-sponsored,” “state-backed,” “nation-state actor,” “APT group,” or references to specific nation-state threat groups (e.g., “APT28,” “Lazarus Group,” “Volt Typhoon”) will be considered evidence of state actor involvement. Attribution may be public or reported through credible media sources and does not need to be definitive but must represent a formal assessment with reasonable confidence.

    3. Significant disruption to G20 critical infrastructure: The attack must cause measurable operational disruption to critical national infrastructure within any G20 member country, regardless of the intended target. For the purposes of this question, critical national infrastructure includes: 

    • Energy systems (electricity grids, power plants, oil and gas facilities) 
    • Water and wastewater systems
    • Transportation systems (air traffic control, rail systems, ports), 
    • Telecommunications networks, 
    • Financial services infrastructure
    • Healthcare facilities and systems
    • Government services and networks
    • Food and agriculture systems
    • Chemical facilities
    • Nuclear facilities
    • Emergency services
    • Industrial control systems supporting any of the above sectors.

    Examples of measurable disruption include, but are not limited to:

    • Service outages affecting consumers or operations for at least 2 hours
    • Forced shutdown of systems or facilities
    • Confirmed unauthorized access to operational technology or industrial control systems that disrupts operations
    • Data theft affecting operations or services
    • Financial losses exceeding $1 million USD
    • Impacts requiring emergency response measures
    The disruption does not need to cause physical damage or kinetic effects, but must demonstrably impair the normal functioning of the infrastructure. Purely espionage operations that do not disrupt operations will not count. Disruptions caused solely by defensive measures (such as preemptive shutdowns to prevent attack) will not count.

    The following will NOT be sufficient for resolution:
    • Cyber attacks using traditional methods without substantial AI involvement
    • Attacks attributed solely to non-state actors, cybercriminal groups, or hacktivists without demonstrated state ties (even if they use AI)
    • Attacks impacting critical infrastructure outside G20 countries
    • Attempted attacks that were blocked or prevented before causing disruption
    • Disruptions lasting less than 2 hours unless they meet other significance thresholds listed above
    • Attacks causing only reputational damage, data breaches without operational disruption, or minor inconveniences
    Question clarification
    Issued on 01/14/26 08:37pm

    For the purposes of this question, "financial services infrastructure" refers to institutions and systems that are essential to national economic functioning, such as banks, payment processing networks, stock exchanges, and clearinghouses.

    Cryptocurrency exchanges are NOT considered critical financial services infrastructure for this question. The focus is on infrastructure whose disruption would impair essential economic functions (payments, banking, financial transactions), not platforms whose disruption causes financial losses to traders or investors.

    Files
    Tip: Mention someone by typing @username
    Cancel