DEEP DIVE — From stolen military credentials to AI-generated personas seamlessly breaching critical infrastructure, digital identity fraud is rapidly escalating into a frontline national security threat. This sophisticated form of deception allows adversaries to bypass traditional defenses, making it an increasingly potent weapon.

The 2025 Identity Breach Report, published by AI-driven identity risk firm Constella Intelligence, reveals a staggering increase in the circulation of stolen credentials and synthetic identities. The findings warn that this invisible epidemic, meaning it's harder to detect than traditional malware, or it blends in with legitimate activity, is no longer just a commercial concern—it now poses a serious threat to U.S. national security.

“Identity verification is the foundation of virtually all security systems, digital and physical, and AI is making it easier than ever to undermine this process,” Mike Sexton, a Senior Policy Advisor for AI & Digital Technology at national think tank Third Way, tells The Cipher Brief. “AI makes it easier for attackers to simulate real voices or hack and steal private credentials at unprecedented scale. This is poised to exacerbate the cyberthreats the United States faces broadly, especially civilians, underscoring the danger of Donald Trump’s sweeping job cuts at the Cybersecurity and Infrastructure Security Agency.”

The Trump administration’s proposed Fiscal Year 2026 budget would eliminate 1,083 positions at CISA, reducing staffing by nearly 30 percent from roughly 3,732 roles to around 2,649.

Save your virtual seat now for The Cyber Initiatives Group Winter Summit on December 10 from 12p – 3p ET for more conversations on cyber, AI and the future of national security.

The Industrialization of Identity Theft

The Constella report, based on analysis of 80 billion breached records from 2016 to 2024, highlights a growing reliance on synthetic identities—fake personas created from both real and fabricated data. Once limited to financial scams, these identities are now being used for far more dangerous purposes, including espionage, infrastructure sabotage, and disinformation campaigns.

State-backed actors and criminal groups are increasingly using identity fraud to bypass traditional cybersecurity defenses. In one case, hackers used stolen administrator credentials at an energy sector company to silently monitor internal communications for more than a year, mapping both its digital and physical operations.

“In 2024, identity moved further into the crosshairs of cybercriminal operations,” the report states. “From mass-scale infostealer infections to the recycling of decade-old credentials, attackers are industrializing identity compromise with unprecedented efficiency and reach. This year’s data exposes a machine-scale identity threat economy, where automation and near-zero cost tactics turn identities into the enterprise’s most targeted assets.”

Dave Chronister, CEO of Parameter Security and a prominent ethical hacker, links the rise in identity-based threats to broader social changes.

“Many companies operate with teams that have never met face-to-face. Business is conducted over LinkedIn, decisions authorized via messaging apps, and meetings are held on Zoom instead of in physical conference rooms,” he tells The Cipher Brief. “This has created an environment where identities are increasingly accepted at face value, and that’s exactly what adversaries are exploiting.”

When Identities Become Weapons

This threat isn’t hypothetical. In early July, a breach by the China-linked hacking group Volt Typhoon exposed Army National Guard network diagrams and administrative credentials. U.S. officials confirmed the hackers used stolen credentials and “living off the land” techniques—relying on legitimate admin tools to avoid detection.

In the context of cybersecurity, “living off the land” refers to attackers (like the China-linked hacking group Volt Typhoon) don't bring their own malicious software or tools into a compromised network. Instead, they use the legitimate software, tools, and functionalities that are already present on the victim's systems and within their network.

“It’s far more difficult to detect a fake worker or the misuse of legitimate credentials than to flag malware on a network,” Chronister explained.

Unlike traditional identity theft, which hijacks existing identities, synthetic identity fraud creates entirely new ones using a blend of real and fake data—such as Social Security numbers from minors or the deceased. These identities can be used to obtain official documents, government benefits, or even access secure networks while posing as real people.

“Insider threats, whether fully synthetic or stolen identities, are among the most dangerous types of attacks an organization can face, because they grant adversaries unfettered access to sensitive information and systems,” Chronister continued.

Insider threats involve attacks that come from individuals with legitimate access, such as employees or fake identities posing as trusted users, making them harder to detect and often more damaging.

Constella reports these identities are 20 times harder to detect than traditional fraud. Once established with a digital history, a synthetic identity can even appear more trustworthy than a real person with limited online presence.

“GenAI tools now enable foreign actors to communicate in pitch-perfect English while adopting realistic personas. Deepfake technology makes it possible to create convincing visual identities from just a single photo,” Chronister said. “When used together, these technologies blur the line between real and fake in ways that legacy security models were never designed to address.”

Washington Lags Behind

U.S. officials acknowledge that the country remains underprepared. Multiple recent hearings and reports from the Department of Homeland Security and the House Homeland Security Committee have flagged digital identity as a growing national security vulnerability—driven by threats from China, transnational cybercrime groups, and the rise of synthetic identities.

The committee has urged urgent reforms, including mandatory quarterly “identity hygiene” audits for organizations managing critical infrastructure, modernized authentication protocols, and stronger public-private intelligence sharing.

Meanwhile, the Defense Intelligence Agency’s 2025 Global Threat Assessment warns:

“Advanced technology is also enabling foreign intelligence services to target our personnel and activities in new ways. The rapid pace of innovation will only accelerate in the coming years, continually generating means for our adversaries to threaten U.S. interests.”

An intelligence official not authorized to speak publicly told The Cipher Brief that identity manipulation will increasingly serve as a primary attack vector to exploit political divisions, hijack supply chains, or infiltrate democratic processes.

Need a daily dose of reality on national and global security issues? Subscriber to The Cipher Brief’s Nightcap newsletter, delivering expert insights on today’s events – right to your inbox. Sign up for free today.

Private Sector on the Frontline

For now, much of the responsibility falls on private companies—especially those in banking, healthcare, and energy. According to Constella, nearly one in three breaches last year targeted sectors classified as critical infrastructure.

“It's never easy to replace a core technology, particularly in critical infrastructure sectors. That’s why these systems often stay in place for many years if not decades,” said Chronister.

Experts warn that reacting to threats after they’ve occurred is no longer sufficient. Companies must adopt proactive defenses, including constant identity verification, behavioral analytics, and zero-trust models that treat every user as untrusted by default.

However, technical upgrades aren’t enough. Sexton argues the United States needs a national digital identity framework that moves beyond outdated systems like Social Security numbers and weak passwords.

“The adherence to best-in-class identity management solutions is critical. In practice for the private sector, this means relying on trusted third parties like Google, Meta, Apple, and others for identity verification,” he explained. “For the U.S. government, these are systems like REAL ID, ID.me, and Login.gov. We must also be mindful that heavy reliance on these identity hubs creates concentration risk, making their security a critical national security chokepoint.”

Building a National Identity Defense

Some progress is underway. The federal Login.gov platform is expanding its fraud prevention capabilities, with plans to incorporate Mobile Driver’s Licenses and biometric logins by early 2026. But implementation remains limited in scale, and many agencies still rely on outdated systems that don’t support basic protections like multi-factor authentication.

“I would like to see the US government further develop and scale solutions like Login.gov and ID.me and then interoperate with credit agencies and law enforcement to respond to identity theft in real time,” Sexton said. “While securing those systems will always be a moving target, users’ data is ultimately safer in the hands of a well-resourced public entity than in those of private firms already struggling to defend their infrastructure.”

John Dwyer, Deputy CTO of Binary Defense and former Head of Research at IBM X-Force, agreed that a unified national system is needed.

“The United States needs a national digital identity framework—but one built with a balance of security, privacy, and interoperability,” Dwyer told The Cipher Brief. “As threat actors increasingly target digital identities to compromise critical infrastructure, the stakes for getting identity right have never been higher.”

He emphasized that any framework must be built on multi-factor authentication, phishing resistance, cryptographic proofs, and decentralized systems—not centralized databases.

“Public-private collaboration is crucial: government agencies can serve as trusted identity verification sources (e.g., DMV, passport authorities), while the private sector can drive innovation in delivery and authentication,” Dwyer added. “A governance board with cross-sector representation should oversee policy and trust models.”

Digital identities are no longer just a privacy concern—they’re weapons, vulnerabilities, and battlegrounds in 21st-century conflict. As foreign adversaries grow more sophisticated and U.S. defenses lag behind, the question is no longer if, but how fast America can respond.

The question now is whether the United States can shift fast enough to keep up.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.

Welcome back cyberwarriors!

In this part of the series, we are looking at how PowerShell can be used to cause large-scale disruption, from slowing systems to completely knocking them offline. These techniques range from simple resource exhaustion attacks that overload CPU and memory, to disabling hardware interfaces, wiping license keys, and finally forcing systems into a blue screen or rendering them unbootable.

It must be stressed from the outset that these techniques are highly destructive. They are not tools for casual experimentation. Some of them have been in use during cyber war operations to defend Ukraine against Russia. If misused in the wrong context, however, the results can be catastrophic and irreversible.

We will begin with the basics and gradually move toward the most dangerous techniques.

Overloading RAM

Repo

https://github.com/soupbone89/Scripts/tree/main/Load%20RAM

This script works by aggressively consuming system memory. It repeatedly allocates large arrays until nearly all available RAM is exhausted, leaving only a small buffer so the operating system does not immediately collapse. The machine slows to a crawl, applications stop responding, and the system becomes unusable.

In practice, this type of attack can serve multiple purposes. It can be used as a denial-of-service tactic to lock down a workstation or server, or it can act as a distraction, forcing administrators to focus on degraded performance while other activity takes place unnoticed in the background.

Execution is straightforward:

PS > .\loadram.ps1

Before execution the system may appear stable, but once the script runs memory consumption spikes and responsiveness slows significantly.

Overloading CPU

Repo:

https://github.com/soupbone89/Scripts/tree/main/Load%20CPU

This script applies the same principle to processor cores. It launches high-priority mathematical operations across every CPU thread, pinning usage at 100% until the script is terminated. Just as with RAM exhaustion, this method can disrupt normal operations or serve as a cover while other malicious tasks are executed.

Run the script like so:

PS > .\loadcpu.ps1

The machine becomes unresponsive, fans spin up, and users quickly realize something is wrong.

Windows License Killer

Repo:

https://github.com/soupbone89/Scripts/tree/main/Windows%20License%20Killer

This script takes a more subtle but equally damaging approach. It clears Windows product keys by wiping out OEM, retail, and volume license entries from the registry. Once executed, the system is effectively stripped of activation data. After restarting the Software Protection Service, Windows appears unlicensed and may refuse to validate against Microsoft servers.

Execution:

PS > .\license.ps1

You can attempt to check the product key afterward with:

PS > (Get-WmiObject -query 'select  from SoftwareLicensingService').OA3xOriginalProductKey

The result will be empty, confirming the license data is gone.

USB and Network Killer

Repo:

https://github.com/soupbone89/Scripts/tree/main/USB%20and%20Network%20Killer

This script disables both network adapters and USB controllers, cutting a machine off from connectivity and removable storage entirely. Once triggered, there is no way to transfer files, connect to the network, or even plug in a recovery device without significant manual intervention.

Administrators might deploy this in a crisis to instantly isolate a machine during incident response, but in the wrong hands it is a sabotage tool that leaves the user effectively locked out.

Run it as follows:

PS > .\killer.ps1

Mayhem by PowerSploit

Repo:

https://github.com/PowerShellMafia/PowerSploit/tree/master/Mayhem

The PowerSploit framework includes a dedicated module called Mayhem, containing two of the most destructive PowerShell functions available: Set-CriticalProcess and Set-MasterBootRecord. Both go far beyond simple resource exhaustion, directly attacking the stability of the operating system itself.

Set-CriticalProcess

Windows protects certain processes, such as smss.exe and csrss.exe, by marking them as critical. If they are terminated, the system triggers a Blue Screen of Death. The Set-CriticalProcess command allows you to tag any process with this critical status. Killing it immediately forces a system crash.

The crash itself does not cause permanent damage. After reboot, Windows resumes normal operation. This makes it useful as a temporary denial tactic forcing downtime, but not wiping the machine.

To use it, first copy the Mayhem module from the repository to:

C:\Program Files\WindowsPowerShell\Modules\

Then run:

PS > Set-CriticalProcess

Confirm with Y, and expect the machine to blue screen in moments.

Set-MasterBootRecord

This is the most destructive of all. Unlike Set-CriticalProcess, which only disrupts a running session, this attack corrupts the Master Boot Record (MBR), which is the first sector of the hard drive. The MBR contains the bootloader and partition table, and without it Windows cannot load.

Once overwritten, the system may only display a custom message, refusing to boot into the OS. This tactic mirrors the behavior of destructive malware and ransomware wipers, leaving the target machine completely unusable until the bootloader is repaired or reinstalled.

Example execution:

PS > Set-MasterBootRecord -BootMessage 'Pwned by Cyber Cossacks!'

To automate a reboot and ensure the payload takes effect immediately:

PS > Set-MasterBootRecord -BootMessage 'Pwned by Cyber Cossacks!' -Force -RebootImmediately

After reboot, the system will no longer load Windows.

Summary

The techniques described in this article show just how far PowerShell can be pushed when used as a weapon. What begins with simple disruption through RAM and CPU exhaustion quickly escalates into far more destructive actions such as disabling hardware, wiping licensing data, and crashing or even bricking systems by targeting their most fundamental components. In a cyber war context, these capabilities are significant because they move beyond espionage or lateral movement and directly affect the ability of an adversary to operate. The destructive potential cannot be overstated: once unleashed, these techniques can ripple across organizations, producing effects that are not easily reversed. That is why understanding them is important not only for those who might employ them, but also for defenders who need to recognize the damage they can cause and prepare accordingly.

The post PowerShell for Hackers: How to Crash and Burn Windows with Powershell first appeared on Hackers Arise.