Agentic artificial intelligence (AI) capable of orchestrating operations rapidly and autonomously is transforming finance into a contested battlespace.
In March 2025, multiple Western financial institutions detected unusual algorithmic trading events suggesting that adversarial “poisoning” attacks subtly altered data inputs and market signals, distorting model predictions, generating micro-arbitrage opportunities, and undermining confidence in financial risk models. The details remain confidential, but this episode demonstrates how efforts to degrade financial models are now a form of financial warfare.
A single, imperceptible “universal adversarial perturbation” can fool trading models in both white-box and black-box settings. Adversaries do not need to block trades or increase price spreads; instead, they can engineer cognitive friction, forcing Western AI systems to doubt their own models and fall back on slower, higher-latency controls.
Finance is already recognized as a domain for statecraft, represented by the increasing centrality of instruments such as sanctions, asset freezes, and counterproliferation finance. Yet this understanding was developed for a world in which human actors still controlled campaign tempo and financial operations followed largely linear and traceable causal chains. The dawning era of AI-enabled financial operations (as we call them, AIFOs) upends these assumptions.
The age of AIFO
AIFOs are irregular warfare campaigns conducted through weaponized finance at digital tempo, using indirect and frequently nonattributable financial means—destabilizing capital flows, strengthening ransomware-finance ecosystems, and attacking financial models through data poisoning—to coerce, signal, or degrade an opponent’s political will.
Indeed, the financial service industry is no longer a mere “left-of-boom” adjunct to conflict; it is now central to adversary campaigns. State and nonstate adversaries can weaponize algorithmic systems to cause instability, disrupt markets, and coerce opponents at machine speed. Through weaknesses in AI data pipelines and supply-chain provenance, malign actors can seed corrupted telemetry, distort model behavior, and weaponize feedback loops within critical financial systems.
While “cyber-enabled financial crime” once referred to individual hacks or thefts, AIFOs now encompass ongoing, adaptable, multivector campaigns that include market manipulation, disruptions of payment rails, and sophisticated disinformation. They operate in reflexive loops, producing the very data (e.g., price signals, liquidity gaps, rumor cascades) that they subsequently exploit. Thus, adversarial AI swarms can generate unstable equilibria to be used toward strategic ends.
In turn, financial harm can produce effects comparable to physical attack: Firms fail, jobs vanish, pension values collapse, and public confidence in money and institutions can be irreparably damaged. These consequences are often more diffuse and indirect than those arising from kinetic warfare; yet the stakes are no less severe. As such, the traditional arc of conflict must be extended into domains once regarded as purely civilian: payment systems, social credit frameworks, central bank digital currencies, corporate data, and even consumer finance.
Gathering threats
On June 4, the United Kingdom’s top banking regulator expressed his deepening concern about the combination of major vulnerabilities in lenders’ tech systems (vulnerabilities exposed by AI) and worsening geopolitical tensions. Indeed, both adversary intent and capabilities are growing at an accelerating rate.
Agentic AI systems can autonomously strategize over time, adapt to changing conditions, and coordinate across domains, enabling adversaries to orchestrate financial operations at scale. They can now launch thousands of synchronized transactions or synthetic identity operations with minimal human oversight, probing and manipulating weaknesses in financial market microstructure and regulatory regimes. These swarms not only learn from defenders’ reactions and continuously exploit vulnerabilities, but they also create the very conditions they later arbitrage. Furthermore, as Brianna Rosen has argued, “attribution becomes significantly harder when autonomous agents can be deployed at scale, adapt their tactics in real time, and obscure their origins.”
Chinese doctrine has depicted financial war as “just as terribly destructive as bloody war”—and one ongoing tactic is the pursuit of foreign data under seemingly benign pretexts. People’s Republic of China (PRC)–linked firms may well present themselves as AI start-ups or research collaborators, seeking access to sensitive financial or consumer datasets for “training” purposes. In any case, the Federal Bureau of Investigation (FBI) has cautioned that research and development partnerships with Chinese firms can bring a company within reach of PRC laws requiring firms to store data in China and submit to data surveillance. PRC authorities could use such laws to gain access to sensitive US commercial and financial data. PRC models might then leverage this data to train agentic AI capable of bypassing compliance checks and identifying vulnerabilities in payment systems. The threat is gradual: a slow buildup of capability until persistent destabilization campaigns can be orchestrated.
Russia has integrated illicit finance into hybrid, “nonlinear” warfare. Since 2015, Kremlin-linked ransomware groups such as Conti have extracted hundreds of millions of dollars in cryptocurrency from Western companies. Although ransomware is often seen as a law enforcement matter, proceeds from it flow into shadow networks that support liquidity and operational capacity for state-aligned campaigns. Agentic AI has the potential to expand these proceeds. The FBI’s Internet Crime Complaint Center attributed $893 million in losses to AI-enabled schemes—a figure the FBI itself notes almost certainly understates the true exposure.
Thus, AI will continue to broaden these tactics into new areas: autonomous short-and-distort campaigns against critical US firms, agentic ransomware operations that recycle illicit proceeds into targeted liquidity disruptions, and AI-orchestrated disinformation designed to provoke localized bank runs. Imagine a ransomware operation timed with short-selling pressure against regional banks. Adversary swarms could coordinate ransom payments, launder funds via decentralized exchanges, and exploit liquidity spikes to trigger further instability. The panic caused by cyber disruption then becomes the exploitable signal for market arbitrage.
North Korea offers perhaps the clearest example of a government that already depends on illicit financial activities for national survival. In accordance with dictator Kim Jong Un’s byungjin line, North Korea funds its weapons programs through cyber theft and cryptocurrency manipulation. Independent blockchain-forensics data reveal the continuing expansion of these operations, confirming that “North Korea-linked hackers [stole] over $2 billion in crypto assets in 2025, the largest annual total on record,” including the theft of approximately $1.5 billion in virtual assets from the Bybit cryptocurrency exchange. One state-sponsored enterprise, the Lazarus Group, has appropriated billions of dollars in digital assets and demonstrated technical sophistication. With agentic AI, such operations can be scaled further, generating large portfolios of synthetic identities to bypass know-your-customer (KYC) regulations, timing the liquidation of stolen assets with disinformation campaigns to maximize market impact, and infiltrating financial supply chains with poisoned data to degrade allied defenses.
Future scenarios
Furthermore, financial infrastructures are inherently linked to space systems. GPS timing supports transactions, satellite communications transmit banking data, and earth observation informs commodity markets and insurance contracts. Consider a hybrid scenario in which China exfiltrates satellite-derived data on agricultural yields, using it to front-run commodity trades in US and allied markets; concurrently, Russia targets Western communication satellites with cyber or kinetic attacks, temporarily disrupting retail banking networks. The outcome would be a cascading crisis: Misinformation about data accuracy fuels market volatility, while consumers face outages in payment systems. Adversaries then ransom access to critical datasets or exploit the instability for profit.
Future financial systems are equally vulnerable. The current US administration has banned the development of a central bank digital currency, but if a digital dollar were to be created in the future, it would be deeply integrated into retail payments, bank settlements, and international transactions. Its upheaval could have widespread impacts on financial stability and public confidence.
Toward counter-AIFO doctrine
The complexity and pace of these operations demand defensive AI that is inherently agentic and, importantly, also carefully cultivated with nurtured consciousness at its core. By nurtured consciousness, we mean systems whose autonomy is limited and guided by allied institutional values, escalation norms, and long-term objectives. Unlike adversary AI, which may be trained solely for disruption or profit, nurtured defender AI is developed through deliberate exposure to allied doctrines, institutional memory, and ethical frameworks. It is therefore capable not only of reacting at machine speed but also of selecting responses aligned with democratic principles and coalition strategy.
While traditional approaches to financial defense have relied on static safeguards—compliance regulations, suspicious activity reports, and regular supervisory interventions—a counter-AIFO doctrine must incorporate adaptive maneuver. This means deploying probes that reveal adversary intent before cascades develop. It also entails outrunning attribution by sharing model provenance and telemetry across allies, reducing what once took weeks to just minutes. Above all, maneuver requires embedding a nurtured conscience in defender AI so that actions are decisive yet proportionate, ensuring adversaries cannot provoke escalation through engineered panic.
The technical controls required would include provenance, where defenders can perform know-your-model checks (a corollary of KYC); attestation, which cryptographically links models to specific hardware and training datasets; and “canary orders” that are intentionally designed to test transactions or trades, placed not to influence markets but to provoke telltale responses from adversarial groups.
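A know-your-model check of the kind described above can be sketched as verification of a signed manifest that binds a model's digest to its training datasets and hardware identity. This is an added example, not code from the article or from any institution it mentions; the manifest layout, the function names, the sample data, and the use of an HMAC tag in place of a hardware-backed attestation signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values. A real deployment would verify an asymmetric
# signature from a hardware root of trust, not a shared HMAC key (assumption).
ATTESTATION_KEY = b"constructed-demo-key"
MODEL_BYTES = b"constructed model weights v1"
DATASETS = {"prices_2024.csv": b"constructed price rows",
            "orders_2024.csv": b"constructed order rows"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(manifest: dict) -> bytes:
    # Stable serialization so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def issue_manifest(model: bytes, datasets: dict, hardware_id: str, key: bytes) -> dict:
    """Bind model digest, dataset digests and hardware identity under one tag."""
    manifest = {"model_sha256": digest(model),
                "datasets": {n: digest(d) for n, d in datasets.items()},
                "hardware_id": hardware_id}
    tag = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}

def know_your_model(record, model, datasets, hardware_id, key) -> list:
    """Return the list of failed checks; an empty list means accept."""
    manifest = record["manifest"]
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return ["signature"]  # nothing else in the manifest can be trusted
    failures = []
    if manifest["model_sha256"] != digest(model):
        failures.append("model")
    if manifest["hardware_id"] != hardware_id:
        failures.append("hardware")
    if set(manifest["datasets"]) != set(datasets):
        failures.append("dataset-set")  # a dataset was added or dropped
    for name, data in datasets.items():
        if manifest["datasets"].get(name) not in (None, digest(data)):
            failures.append(f"dataset:{name}")  # contents differ from attested
    return failures
```

An altered training file, a swapped model artifact, or a model running on unexpected hardware each produces a distinct failure label, which is the kind of provenance signal that could be shared as telemetry.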
In addition, the United States and its allies should make institutional reforms, such as the establishment of a Financial AI Fusion Cell. US participation in such a group should draw on a deliberate four-pillar architecture, built primarily by the Treasury’s Office of Foreign Assets Control, its Office of Intelligence and Analysis, the Department of Defense’s Chief Digital and Artificial Intelligence Office, and the FBI’s Cyber and Counterintelligence Divisions. In addition, the Securities and Exchange Commission, Commodity Futures Trading Commission, and Federal Reserve should serve as standing observers (rather than as voting members, to preserve their statutory independence). These US nodes would partner with counterparts in the United Kingdom, Australia, and NATO, and would share model telemetry, provenance data, and real-time intelligence under pre-agreed escalation thresholds.
