A $5 Attack Cost, a $5 Million Defense Cost—How Can Small Businesses Survive the ‘Security Assumptions’ Broken by AI?
A New Era Where Companies Can Be Destroyed for $5
Let me get straight to the point.
North Korean hackers stole $12 million (about 1.8 billion yen) using AI. Iran manipulated U.S. public opinion with AI-generated content. AI models are automatically producing phishing emails at a cost of just a few cents each.
The cost for attackers has dramatically decreased. Meanwhile, the cost for defenders remains unchanged, or rather, it is increasing.
What does this “asymmetry” mean? Small businesses are targeted before large corporations. The reason is simple: their defenses are weaker.
What is Happening?—Three Specific Cases
Case 1: North Korea Uses AI for ‘Vibe Coding’ to Steal $12 Million
A North Korean hacker group is mass-producing attack tools using AI-driven code generation—so-called “vibe coding.” Traditionally, developing malware required advanced programming skills and several weeks of effort. Now, simply giving instructions to AI can yield functional code in just a few hours.
To summarize what they are doing:
- Automatically generating malware with AI
- Creating fake corporate websites and recruitment pages with AI
- Contacting employees of target companies via LinkedIn
- Executing malware under the guise of fake interviews or contracts
What stands out is the quality of the “fake corporate websites.” AI-generated sites are indistinguishable from real ones in terms of design and content. Previously, creating a fake site would cost hundreds of thousands of yen and take weeks. Now, it can be done in hours at almost zero cost using AI.
As a result, approximately $12 million (about 1.8 billion yen) was stolen via cryptocurrency in a short period. This figure only accounts for publicly reported cases, and the actual amount is believed to be even larger.
Case 2: Iran Targets ‘News-Disengaged’ Audiences with AI-Generated Content
Iran’s intelligence agency is generating and disseminating large volumes of AI-generated meme images, short videos, and news-like articles on social media. The target audience is those who do not regularly follow the news—people who lack the habit of verifying the authenticity of information.
The key point here is the change in cost structure.
- Traditional Public Opinion Manipulation: Hiring human writers and designers to create content costing several tens of thousands of yen each, with a limit of a few dozen pieces per month.
- Post-AI Utilization: The cost per piece drops to a few dozen yen, generating tens of thousands of pieces automatically each month, even running A/B tests automatically.
Quantity surpasses quality. If even one out of ten thousand pieces goes viral, the objective is achieved. This “shooting many times to hit once” has been realized by AI at an ultra-low cost.
While this may seem like a matter between nations, the structure is the same. Fake reviews, fake testimonials, fake supplier emails—the same phenomenon is occurring in the information space that small businesses interact with daily.
Case 3: AI Phishing Emails Have Three Times the Open Rate of Human-Written Ones
According to multiple security firms, the open rate for phishing emails generated by AI has been reported to be about three times that of those written by humans.
Why is this? AI automatically does the following:
- Analyzes the target’s social media and public information to assess interests and hobbies
- Generates subject lines and content that are likely to elicit a response
- Optimizes the timing of sending
The estimated cost per email is around 5 to 10 yen. Sending 10,000 emails costs only 50,000 to 100,000 yen. If even one person falls for it, the damage can amount to several million to tens of millions of yen.
The ROI (return on investment) for attackers is extraordinarily high. This is the essence of cyberattacks in the AI era.
Understanding the Structure—Why Small Businesses ‘Die First’
Here, we need to consider the cost structures of attack and defense.
| | Attackers | Defenders |
|---|---|---|
| Cost | $5 to several tens of thousands of yen | Several hundred thousand to 5 million yen per year |
| Required skills | Being able to give instructions to an AI | Specialized knowledge plus ongoing operation |
| Scale | Automated, simultaneous attacks on tens of thousands of targets | Each company has to respond on its own |
| Cost of failure | Almost zero | A single incident can be fatal |
Looking at this table, it’s clear. Attackers can “fail as much as they want,” while defenders “cannot afford to fail even once.”
Large corporations invest tens of millions to hundreds of millions of yen a year in security and have dedicated teams. What about a company with ten employees and annual revenue of 200 million yen? It cannot afford a dedicated security hire. Outsourcing would cost 3 to 5 million yen a year, and spending 2.5% of revenue on security is not realistic for a business that size.
That’s why small businesses are targeted first. Attackers are rational; they will eat away at the weakest defenses first.
So, What Should Be Done?—A Defense Line Under 5,000 Yen
The statement “I can’t defend because I have no money” is half correct and half wrong. While perfect defense is impossible, it is possible to create a line that makes attackers think, “This company is a hassle” at a low cost.
Burglars enter through houses with unlocked doors. Just locking the door significantly reduces the likelihood of being targeted.
Priority 1: Do It Today (Cost: 0 yen)
- Turn on two-factor authentication (2FA) on every account. Google Authenticator is free. This alone blocks the great majority of account takeovers, because a stolen or reused password is no longer enough on its own. Where a service offers passkeys or a hardware security key, prefer those: authenticator-app codes stop password reuse and credential stuffing, but a real-time phishing page can still relay a freshly typed code, while a passkey cannot be relayed.
- Stop reusing passwords today. A password manager such as Bitwarden does this on its free plan: one unique, generated password per site, so one leaked password cannot be replayed against your bank, mail and cloud accounts.
- Give the accounting department one rule: “any change to bank transfer details is confirmed by phone, every time.” Call a number you already have on file for that supplier, never a number printed in the email that requested the change. Business Email Compromise (BEC) causes damage of several billion yen a year in Japan alone, and the defense is a single phone call.
Priority 2: Do It This Week (Cost: 1,000 to 3,000 yen/month)
- Enhance email filtering. Even the standard features of Google Workspace filter out a significant amount of phishing; paid email security services cost a few hundred yen per person per month. At the same time, publish SPF, DKIM and DMARC records for your own domain so that attackers cannot send mail that appears to come from you to your customers and suppliers.
- Set up automatic backups. If ransomware encrypts your data, a backup means you do not have to pay the ransom. Cloud backups cost a few hundred yen per month. Keep at least one copy that a compromised PC cannot overwrite (versioned cloud storage or an offline drive), and try restoring a file once so you know the backup actually works before you need it.
- Automate Windows updates and software updates. A large share of successful attacks exploit vulnerabilities for which a patch already exists (the figure the article cites is over 60%). Turning on automatic updates removes that entire class of attacks for no money.
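The “fake supplier email” and the bank-detail callback rule above come down to two checks that a mail filter can make before a human ever sees the message: does the sender's domain look like, but differ from, a supplier you actually deal with, and does the message ask to change where money goes? The following is an added example written for this article, not code from any product it mentions. The supplier allow-list, the homoglyph table, the keyword list and the sample headers are all constructed for the demo, and the edit-distance threshold of 2 is an assumption you would tune. Note that a lookalike domain the attacker registered themselves will pass SPF and DKIM for that domain, so “authenticated” is not the same as “legitimate”; this check is about the name, not the signature.

```python
"""Flag mail whose sender domain impersonates a known supplier, and route
payment-change requests to a phone callback. Added example for this article;
all domains, messages and lists below are constructed for the demo."""

# Hypothetical allow-list: domains your accounting team actually deals with.
KNOWN_SUPPLIER_DOMAINS = {"example-parts.co.jp", "acme-logistics.com"}

# Character swaps common in typosquatted domains (assumed, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

# Words that indicate the message is about where money should be sent.
PAYMENT_KEYWORDS = ("bank", "account number", "transfer", "invoice", "振込", "口座")


def normalize(domain: str) -> str:
    """Fold lookalike characters so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of a From: value such as 'Name <a@b.example>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header: str, known=KNOWN_SUPPLIER_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'known', 'lookalike' (impersonation suspected) or 'unknown'."""
    dom = sender_domain(from_header)
    if dom in known:
        return "known"
    n = normalize(dom)
    for k in known:
        nk = normalize(k)
        if n == nk or edit_distance(n, nk) <= max_distance:
            return "lookalike"
    return "unknown"


def mentions_payment_change(text: str) -> bool:
    t = text.lower()
    return any(k in t for k in PAYMENT_KEYWORDS)


def triage(from_header: str, subject: str, body: str) -> str:
    """Decide what accounting should do with the message.

    'block'    - sender impersonates a supplier; never act on it
    'callback' - payment details involved; phone the supplier on the number on file
                 (even a genuine supplier's mailbox may be compromised)
    'deliver'  - known sender, nothing about money
    'review'   - unknown sender, nothing about money; a human glances at it
    """
    verdict = classify_sender(from_header)
    if verdict == "lookalike":
        return "block"
    if mentions_payment_change(subject + " " + body):
        return "callback"
    return "deliver" if verdict == "known" else "review"


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Tanaka <t.tanaka@acme-logistlcs.com>", "Invoice", "Please transfer to our new account."),
        ("billing@examp1e-parts.co.jp", "Invoice 1042", "Attached."),
        ("billing@example-parts.co.jp", "Updated invoice", "Our bank account has changed."),
        ("billing@example-parts.co.jp", "Delivery schedule", "Shipment arrives Tuesday."),
        ("news@unrelated-vendor.org", "Newsletter", "Spring catalogue."),
    ]
    for frm, subj, body in samples:
        print(f"{triage(frm, subj, body):9s} {classify_sender(frm):9s} {frm}")
```

The important design point is the third sample: the mail is from the real supplier domain and still gets “callback”, because the rule in the article is about the money, not the sender. A compromised genuine mailbox is exactly how many BEC losses happen.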
Priority 3: Do It This Month (Cost: 3,000 to 5,000 yen/month)
- Introduce AI-based vulnerability scanning tools. There are several services available for a few thousand yen per month that automatically check for holes in your company’s website or systems.
- Run 15 minutes of phishing training once a quarter. Use a free phishing simulation tool (KnowBe4 offers a free version) so employees get caught by a harmless fake once and remember what it felt like. Being caught by a simulated phish teaches more than any slide deck.
Things You Don’t Need to Do
- Implementing expensive UTM (Unified Threat Management) devices (hundreds of thousands to millions of yen) → Do all of the above first before considering this.
- Outsourcing to a security consultant → If you don’t understand what you need to protect, outsourcing will just waste your money.
- Building a “perfect security system” → It doesn’t exist. Aim for 60 points today rather than aiming for 100 and ending up with zero.
The Real Question is: Can You Defend Against AI Attacks with AI?
If attackers are using AI, then defenders should use AI as well—this is the logic. In fact, AI-based security tools are rapidly evolving. Detecting abnormal login patterns, automatically classifying phishing emails, and automatically fixing vulnerabilities are becoming available through SaaS for a few thousand yen per month.
However, there is a pitfall here. Simply implementing AI tools will not provide protection. If the tools issue a warning that something is “suspicious,” it means nothing if there is no human to assess it.
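What “detecting abnormal login patterns” means in practice is simpler than the marketing suggests, and seeing it spelled out shows why a human still has to look at the result. The following is an added example written for this article, not code from any product the page mentions. The log format, the sample lines and the per-user “usual countries” baseline are constructed for the demo; the rules (five failures within ten minutes, a success right after a run of failures, a success from a country the user has never logged in from) are ordinary first-pass heuristics, and the thresholds are assumptions to tune. The function only produces a review queue; deciding whether the Dutch login is a traveling employee or a stolen account is the part no tool does for you.

```python
"""First-pass login anomaly detection over authentication log lines.
Added example for this article; the log format, sample lines and baseline
are constructed for the demo, and the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: one event per line, chronological order.
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<cc>\S+) result=(?P<res>\S+)$"
)

# Constructed sample: one normal user, one brute-forced account that is
# then logged into from a new country, one user appearing from a new country,
# and one garbled line that the parser must skip rather than crash on.
SAMPLE_LOG = """
2025-03-03T08:55:00Z user=tanaka ip=203.0.113.20 country=JP result=fail
2025-03-03T08:55:10Z user=tanaka ip=203.0.113.20 country=JP result=success
2025-03-03T09:00:01Z user=sato ip=198.51.100.7 country=NL result=fail
2025-03-03T09:00:06Z user=sato ip=198.51.100.7 country=NL result=fail
2025-03-03T09:00:11Z user=sato ip=198.51.100.7 country=NL result=fail
2025-03-03T09:00:16Z user=sato ip=198.51.100.7 country=NL result=fail
2025-03-03T09:00:21Z user=sato ip=198.51.100.7 country=NL result=fail
2025-03-03T09:00:26Z user=sato ip=198.51.100.7 country=NL result=fail
this line is not a login event
2025-03-03T09:00:40Z user=sato ip=198.51.100.7 country=NL result=success
2025-03-03T10:00:00Z user=suzuki ip=203.0.113.44 country=JP result=success
2025-03-03T10:30:00Z user=suzuki ip=192.0.2.9 country=US result=success
""".strip().splitlines()

# Assumed baseline: countries each user has logged in from before.
BASELINE = {"sato": {"JP"}, "tanaka": {"JP"}, "suzuki": {"JP"}}


def parse(line: str):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, baseline, fail_threshold=5, window=timedelta(minutes=10)):
    """Scan chronological log lines and return a list of alerts for review."""
    alerts = []
    recent_fails = defaultdict(deque)   # user -> timestamps of recent failures

    def alert(rule, ev, detail):
        alerts.append({"rule": rule, "user": ev["user"],
                       "ts": ev["ts"].isoformat(), "ip": ev["ip"], "detail": detail})

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_fails[ev["user"]]
        # Drop failures that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()

        if ev["res"] == "fail":
            q.append(ev["ts"])
            if len(q) == fail_threshold:      # fire once per burst, not once per attempt
                alert("brute_force", ev, f"{fail_threshold} failures within {window}")
            continue

        # A success: was it preceded by a burst of failures?
        if len(q) >= fail_threshold:
            alert("success_after_failures", ev, f"success after {len(q)} failures")
        # Is the country new for this user? Unknown users have an empty baseline.
        if ev["cc"] not in baseline.get(ev["user"], set()):
            alert("new_country", ev, f"first login seen from {ev['cc']}")
        q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, BASELINE):
        print(f"{a['ts']} {a['rule']:22s} {a['user']:7s} {a['ip']:14s} {a['detail']}")
```

Running it on the sample produces four alerts: the burst of failures against sato, the success that follows it, that success coming from a country sato has never used, and suzuki's login from the US. The first three together are almost certainly a takeover; the fourth might be a business trip. The tool cannot tell those apart, which is the point of the paragraph above.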
The realistic solution for small businesses is as follows:
1. First, change human behavior (2FA, password management, verification rules).
2. Next, automate parts that can be automated with AI tools (email filtering, backups, vulnerability scanning).
3. Finally, summarize the “response procedures in case something happens” on a single sheet of paper.
The third step is surprisingly important. “If you accidentally open a suspicious email → immediately disconnect the PC from the network → call the CEO → contact XX.” Just having this flow shared on a single sheet of paper can drastically change the speed at which damage spreads.
Conclusion: Attack Costs Will Continue to Decrease. The Question is ‘The First Move’
North Korea is cultivating AI hackers with its national budget. Iran is deploying AI public opinion manipulation as a national policy. And fraud groups around the world are automating attacks with AI tools costing just $20 a month.
This trend will not stop. The cost of attacks will continue to decrease.
The question for small businesses is simple. “Did you set up 2FA today?”
This is not about a 5 million yen security investment. It’s about whether you did something today that costs nothing. That’s what separates life from death.
Perfection is impossible. But you can “lock the door.” The era where AI targets companies without locked doors has already begun.