AI-powered cyberattacks could threaten global financial stability by allowing attackers to find and exploit weaknesses across shared financial infrastructure faster than firms can respond, the International Monetary Fund has warned.

The risk is becoming more acute as banks, payment providers and market infrastructure operators rely on common software, cloud services, networks and payment systems. The IMF said extreme cyber incidents could trigger funding strains, raise solvency concerns and disrupt wider markets if multiple institutions were hit at the same time.

For payments firms, the warning raises a practical question: whether resilience is being built deeply enough into the infrastructure that moves money, rather than treated as a separate compliance or risk function.

AI changes the speed of attack

Advanced AI models can reduce the time and cost needed to identify vulnerabilities, according to the IMF, making it easier for attackers to target weaknesses in widely used systems at scale.

The fund cited Anthropic’s controlled release of Claude Mythos Preview, an advanced AI model with cyber capabilities, as an example of how quickly the risk is developing. The model was able to find and exploit vulnerabilities in major operating systems and web browsers, even when used by non-experts, according to the IMF.

Some buffers remain. Access to the most advanced AI cyber tools is still limited, and closed, industry-specific financial software can be harder to target than open-source infrastructure. But the

IMF warned that those protections may weaken as capabilities spread, model training improves and leaks occur.

The concern for regulators is that shared technology dependencies could allow one vulnerability to affect many institutions at once, with consequences for payments, liquidity, market confidence and core financial services.

Payments resilience comes into focus

Scott Dawson, CEO of payments technology provider DECTA, said the IMF’s warning reflects risks already visible across payments and fintech.

“AI is amplifying the scale and accelerating the speed of cyber threats and FIs are dealing with this on a continual basis, with these attacks able to adapt and evolve,” he said.

Dawson said the growing interconnection of payments infrastructure means resilience needs to be designed into systems from the outset.

“Payments are becoming ever more interconnected, so resilience must be considered and integrated as a priority within the infrastructure of the system. This means embedding security, monitoring, and building redundancy and fraud prevention directly into payment architecture. No longer should they be treated as standalone risk and compliance functions,” he said.

He added that AI also has a defensive role, particularly in fraud detection, but said businesses will need infrastructure that can evolve faster than the threats facing it.

“What will be key for many businesses around the world is ensuring the infrastructure supporting financial systems is evolving faster than that of the threat,” Dawson said. “That means unlocking industry collaboration, robust and appropriate regulation, and investment in payment infrastructure to reduce what is now a systemic risk.”

AI cuts both ways

The IMF also said AI can strengthen cyber defence. Financial institutions are already using AI-supported tools to detect threats, prevent fraud, identify vulnerabilities and respond to incidents.
The issue is whether firms can connect those tools to wider governance, business continuity, disaster recovery and oversight. Supervisors, the IMF said, will need to assess not only whether firms can prevent attacks, but whether they can contain incidents and recover quickly when defences fail.

Azimkhon Askarov, co-CEO and partner at fintech company CONCRYT, said the warning shows AI in financial services cannot be treated only as a productivity or innovation story.
“This is not simply a hypothetical concern: if powerful models can attack core financial infrastructure, the consequences extend far beyond individual institutions,” he said. “We’re talking about the resilience of the banking system itself, the exposure of core operating systems and payment networks to bad actors, and ultimately the erosion of trust in the financial systems that underpin the global economy.”

Askarov said the same capabilities that create new vulnerabilities can also be used to identify and fix them.

“The important learning here is the dual-use nature of AI, and how the same AI capabilities that can create vulnerabilities can also be used to find and fix them,” he said. “But that only works if the people building and deploying AI in financial services are asking the hard questions about responsibility rather than purely capability.”

Regulation may lag the threat

The IMF called for cyber risk to be treated as a financial stability issue, with policymakers focusing on resilience standards, public-private threat intelligence, incident response and the channels through which failures could spread across the system.

It also said international cooperation will be essential, as cyberattacks can move across borders and affect financial systems that depend on the same technology providers.
Askarov said regulation will be needed, but warned that rulemaking may struggle to keep pace with AI development.

“Regulation will come, and it should, but it won’t move at the speed this technology is developing,” he said. “In the meantime, the onus is on businesses operating in this space to think seriously about how AI gets deployed, and what they’re accountable for when it doesn’t go as planned.”

For payments firms and financial institutions, the IMF’s warning turns AI-enabled cyberattacks into an infrastructure question. The issue is not only how to stop attacks, but how to keep core services running when attacks move faster, spread further and target the systems finance relies on.