KasadaIQ actively scans the external environment to maintain a deep understanding of the automated threat landscape and add context to our intelligence holdings. These updates provide a month-to-month summary of noteworthy developments. Kasada IQ intelligence analysts provide commentary on these developments to show how they are shaping the ecosystems in which bots, business, and consumers operate.
1. AI Agents Reshape Both Customer and Adversary Behavior
Adobe Analytics reported AI traffic rose 393% year-over-year in Q1 2026 as more consumers used AI assistants for online shopping, with AI traffic converting 42% more than regular customers in March 2026. This is a sharp reversal from a year earlier, when AI traffic converted 38% worse than humans. Forbes called 2026 the first full year in which shopping is embedded directly inside GenAI platforms, with discovery, evaluation, and validation happening in a single conversational exchange. Walmart’s ChatGPT integration illustrates the scale: 10x more referrals from ChatGPT in January 2026 than January 2025.
In parallel, the Stanford Institute for Human-Centered AI (HAI) released its 2026 AI Index Report, finding that frontier models now match or exceed human baselines on PhD-level science, competition mathematics, and coding benchmarks. The coding benchmark (SWE-bench Verified) went from 60% to nearly 100% in a single year.
Analyst Comment:
On the consumer side, legitimate AI agents now browse longer and convert better than humans. The session characteristics that used to flag sophisticated ATO (headless signatures, programmatic navigation, atypical dwell) now describe a paying customer arriving via ChatGPT. On the adversary side, the coding benchmark acceleration translates directly to capability uplift. Adversaries no longer need deep development expertise to produce tooling that previously required it.
KasadaIQ’s Q1 2026 Quarterly Threat Intelligence Report recharacterized AI as adversary infrastructure, not experimentation. Nearly every AI prediction from KasadaIQ’s 2025 in review report was classified as showing early signs or starting to occur in Q1 2026. The Adobe data confirms the consumer-side of that shift. Retailers now need to distinguish three categories, not two: legitimate agentic shoppers, adversary automation and the grey zone where scraping-as-a-service operators launder requests through agent-shaped traffic.
More here, here, here, here & here.
2. Professionalized Threat Enabler Economy
Recorded Future’s Insikt Group documented the rise of the Chinese-language Telegram-based “guarantee marketplace”, Dabai Guarantee. Dabai Guarantee emerged to fill the vacuum left by Huione Guarantee’s 2025 shutdown. Dabai Guarantee consists of thousands of public and private Chinese-language Telegram groups, populated with third-party vendors providing services like:
- Money laundering
- Compromised social media and eCommerce accounts
- SIM cards
- PII
- Malware-as-a-Service
- Deepfake technology
- KYC bypass
Dabai Guarantee do not maintain a clearnet website, operating solely on Telegram, likely in response to Huione’s “bad OPSEC” practices, whose clearnet presence contributed to FinCEN sanctioning the organization in May 2025.
Analyst Comment:
Dabai Guarantee is the distribution layer for the capabilities KasadaIQ profiled in the Q1 2026 Quarterly Threat Intelligence Report. The service categories are the same component inventory that adversaries like Casio Carl and Maple Forge (identified in the Q1 Threat Report) assemble into verification bypass packages and synthetic identities. Dabai’s contribution is the escrow-mediated coordination layer. It solves the trust problem between sellers of bypass tooling and the syndicates running operations downstream, which is what enabled the 13.2M verified/KYC/2FA account sales and $24.6M in Q1 revenue we tracked. Notably, the bot-driven search function is campaign-matchmaking-as-a-service. This is the same professionalization dynamic behind Maple Forge’s tiered synthetic identity packages, but applied to team assembly rather than identity assembly.
More here & here.
3. Accommodation Accounts in High Demand
Booking[.]com confirmed a data breach impacting customer reservation information, including names, email addresses, physical addresses, phone numbers, and details shared with accommodations. Reports from users suggest that scammers are already leveraging the exposed data to craft convincing phishing messages via WhatsApp and the platform’s own messaging system.
Analyst Comment:
This incident reinforces a pattern observed across the travel industry where platform-level breaches are increasingly valued as enablers of high confidence social engineering at scale. Account takeover (ATO) data from KasadaIQ’s Q1 2026 Quarterly Threat Intelligence Report shows demand for accommodation accounts is increasing. In Q1, an increase in accommodation account sales on criminal marketplaces (+18%) and average price per account (+22%) indicated demand is shifting towards higher quality accounts with stored value. This increased demand occurred against the backdrop of several noteworthy developments, including legal uncertainty around agentic AI and supply chain impacts from global conflicts. In these circumstances, ATO becomes more lucrative because compromised accounts (stored credits, loyalty points and locked-in pricing) hold more purchasing power as retail prices increase.
