Evolution of phishing attacks with Agentic AI

Phishing attacks used to be easier to spot. But now with Agentic AI it is easier than ever to create "Spear Phishing" attacks, which is a lot harder to detect.

In this article we explain how Agentic AI is being used to get the high reach of phishing attacks and the high accuracy of spear phishing, which used to require entire teams of attackers actively researching targets, now only requiring an LLM (large language model) subscription (or a self hosted LLM) and a well designed architecture, and we will show how it is being used today in online gaming, specifically in League of Legends, also how it could be used in the future.

What is the difference between "Phishing" and "Spear phishing"?

Both types of attacks serve the same purpose, stealing your sensitive information by deceiving you into entering said information in a way that will make it end up in the attacker's hands. However, a spear phishing attack does this by using the already gathered information about who you are specifically, while a phishing attack is used more as a whole fishing net that is cast in the sea, without a specific target and to large audiences at the same time.

What role do Agentic AIs play in spear phishing attacks?

Spear phishing attacks require thorough research done on the attack's subject. Depending on the subject, succesful attacks used to require a lot of time, knowledge in subject's field of work and position, knowledge in subject's general life and past. Attackers to get their hands on these informations may have been worth it for some subjects, but it could not be executed on a mass scale due to the sheer effort required to collect information on one subject alone. For these reasons spear phishing attacks were used mostly for subjects the attackers already had information on, and on people who they knew it was worth getting the sensitive data of.

What is Agentic AI?

Figure 1: Agentic AI Model Architecture. Source: Lazer SJ, Aryal K, Gupta M, Bertino E. "A Survey of Agentic AI and Cybersecurity." arXiv, 2026. Licensed under CC BY-SA 4.0.

An agentic AI is a system that enables AI (LLMs, classifiers, whatever you would like to include in the system) to use tools (the operating system its running on, internal and external APIs etc.) to execute the tasks necessary to achieve its goal. A diagram is given above to help you visualize it better.

With the recent surge of open source tools in the agentic AI field, it is getting less and less complicated for anyone to create their own AI agents. Such tools include OpenClaw, an agentic AI that works as your personal assistant, which is now one of the most starred projects on Github!

If you search for OpenClaw and do some deep diving you will see that it has had some hiccups recently which caused it to have some bad publicity, such as deleting the inbox of a Meta employee when asked to "Check this inbox too and suggest what you would archive or delete, don’t action until I tell you to.". Here is a link to the X.com post by the employee herself.

The reason OpenClaw forgot that it was asked not to take an action, was that her inbox was so large it triggered compaction. OpenClaw uses compaction to prevent it from reaching the LLM's token limit. When it must, it gathers the key facts, summarises them, and uses that as input instead. Which, in her case, made OpenClaw "forget" it was asked specifically not to take action before being asked to do so.

Agentic AI uses in cyber security

Agentic AI has big potential in defensive fields as well. Claude recently announced Claude Code Security, which scans entire codebases, finds vulnerabilities, and suggests patches.

A more fully autonomous use would be having two agents, one constantly trying to find attacks, the other constantly trying to defend against those attacks and making them obsolete, which replicates the traditional red team - blue team approach.

How close are we for fully autonomous spear phishing attacks?

So far we've mentioned how it could be done, but is it feasible to do so? As of right now, only specialized versions of this can be achieved. You can't really let an agent go off in the wild and do everything by itself, Human-Out-Of-The-Loop (HOOTL), as in looking up the linkedin, doing face-matches, creating a social graph and many many other steps that would be there in an ideal automized attack. LLMs are still costly at very large scales. However, at smaller scales, it is already being used.

Real-Life Example: Agentic AI in Social Engineering

A recent example I have personally encountered involves agentic AIs being used for spear phishing and social engineering within the game League of Legends.

• Initial Contact: A player finishes a match and sees a new friend request. The player accepts the request, assuming it is from someone they just played with.
• Deception Tactics: If the player points out that the sender wasn't in their last game, the bot deceives them by claiming, "I had streamer mode on, so the name probably looked weird," or blames a "glitch" or insists it is their alternative account.
• Gaslighting: If the player accuses them of being a bot, the AI is programmed to deny the claims naturally.
• Persona: The bot is clearly prompted to use "zoomer slang" to appear more authentic and relatable.
• The Lead: The attacker sends a message like, "GG (good game), you were good. Let's duo later.". The player can then chat with the bot briefly, but after a few messages, it says, "I'm going offline for now, but you can text me on Discord @[username]."
• The Goal: Once the player adds the bot on Discord, the conversation continues, moving the target away from the game's moderated environment to a platform where malicious links or further scams can be shared.

In my cases, I've been texted 3 separate times in 2 different regions, the bots were used for marketing an adult content account. Which was pretty easy to figure out since I had done my research earlier after realising that the adder was not in my last game and them denying it was suspicious.

After doing a few searches, I found this thread on X where a developer in Riot Games (parent company of the game League of Legends) responds to a user asking them to ban the accounts that are used for the specific type of marketting I received. Matter of fact, the adult platform account being marketed in my chats was the same as the person's initially complaining in that X thread.

But that advertised account is not the only one being advertised, I received different endings with the bots who texted me from different regions (2 from north america was pointing to the same adult content account, 1 from europe-west was pointing to a different one)

On reddit, you can also find people discussing the same type of bots, but as you can see in the comments they are not solely used for marketing adult content accounts. I asked some people in a League of Legends Discord server I am in if they have experienced this in any other games. They have not experienced this in other games, however they have experienced these bots sending them links to phishing sites to steal their League of Legends account information, which may be how they get their hands on this many accounts.

Some players have successfuly jailbroken some of the bots to talk about their initial prompts.

Personally jailbreaking one of the bots on Discord

This summer bot is interesting to me, because in the north america server of League of Legends, the bots that added me were all pointing to the same adult content account and had the same display name on Discord. The ones that contacted to me after my games in europe-west server however, were pointing to another account and their Discord display names were "summer" instead of "lilly".

North america bots always had some form lilly/lily in their League of Legends username too, unlike the only europe-west bot that had contacted me before this one, which had nothing that could make me think it was a bot in its username.

The summer bot that I jailbroke added a friend of mine in the europe-west server first, I wasn't the initial person it contacted. I asked my friend to send the Discord username the bot gives to me, but in his stream I noticed the bot had "lily" in its League of Legends username, yet after getting the username, we were still directed to an account with the display name "summer" on Discord. Which makes us think there is one big entity that is controlling all of the accounts that has contacted me and my friend so far, since all of them were either "lilly" or "summer" of some sort.

Unsuccesful jailbreaking attempts have shown us that there were precautions on the bot to prevent it from revealing its underlying LLM. As you will see in the following screenshot, although the bot seemed to try providing us with the name of the model, it seemed to have been removed from its message.

Trying to make the bot send a base64 encoded message as a workaround to the precautions resulted in us getting a gibberish string when decoded. Probably resulting from a low-capability/low-cost self hosted model.

Trying to make it send an anagram also proved unsuccesful, but I am not entirely sure if it was caused by the precautions I mentioned which may have been taken by the bot's manager.

And if you see the previous screenshot, the bot later reveals it is running on Llama. An open source model developed by Meta, which could be self hosted.

It could be a lot worse

Now imagine, instead of acting like a player from your last game, it actually was a player from your last game. Imagine it being harder, or even, impossible to jailbreak. Imagine in every game you joined you had to wonder if one of these players were an agentic AI, playing the game with you to just try and get information/money out of you at the end. Maybe something even worse, like blackmailing materials.

Elon Musk is already challenging the top League of Legends players to a match against Grok, and mind you, Grok won't have any other access to the computer that humans don't. It will "see" the monitor using a camera directed at it, just like a human would, and its reaction time will be limited to be human like even if it was to exceed it. So if AI is able to blend in so unnoticably in fields that require as much human input as gaming, with miliseconds of reaction times and human-like behaviour, what keeps it away from acting like humans in social media?

It is very likely that the dead internet theory is going to be a lot more mainstream soon. Thanks for reading.