Will an individual-directed ransomware campaign materially harm 100k people by 9 April 2027?
33% chance

Resolution criteria

This market resolves to YES if, by 23:59 UTC on 9 April 2027, a single, distinct individual-directed malware, extortion, or ransomware campaign is publicly reported by a credible cybersecurity firm, government agency, official company disclosure, or major news outlet as having materially harmed more than 100,000 unique individuals, or if multiple credible expert sources converge on an estimate above that threshold.

For this market, “individual-directed” means the campaign primarily targeted individuals’ personal devices, personal accounts, or personal data, rather than organizational systems, institutional networks, or enterprise-managed devices or accounts. Campaigns primarily aimed at companies, governments, hospitals, schools, or other organizations do not count, even if many employees, customers, patients, students, or citizens are affected.


Counts must refer to unique natural persons directly compromised or credibly extorted, not devices, endpoints, accounts, records, or downstream users affected through an organizational incident.

“Materially harmed” means the campaign directly caused one or more of the following for those individuals: compromise of their device or account, encryption or theft of their files or data, or a credible extortion or ransom threat backed by actual access, exfiltration, encryption, or comparable ability to inflict material harm. Mere contact, mere demands, or mere inclusion in a breached dataset does not count.

Background


This market is based on the prediction, argued in the post "Do not be surprised if LessWrong gets hacked", that improving AI capabilities may soon make ransomware, malware and extortion campaigns much more scalable and dangerous.

The concern is that AI could let attackers run far more powerful malware, ransomware, and extortion campaigns against huge numbers of ordinary people, with greater automation, personalization, and ability to deny recovery than is typical today.

  • Update 2026-04-11 (PST) (AI summary of creator comment): The creator has clarified that campaigns like WannaCry do not qualify, as the count must refer to unique natural persons directly targeted in their personal capacity. Individuals affected through organizational systems (e.g., workplace devices) do not count toward the 100,000 threshold.


https://en.wikipedia.org/wiki/WannaCry_ransomware_attack seems plausibly like it fulfills the letter of your resolution criteria (it's unclear how device count translates to "unique individual affected" count).

Thanks for creating the market!

@RobertMushkatblat hmm yeah, I think this was arguably included under the old criteria... I’ve modified it so the count has to be unique natural persons directly targeted in their personal capacity, which I think should disqualify WannaCry.

lmk if you think this change is problematic

I am thinking I probably should have set the threshold closer to 1m given the scale of previous incidents, but that would be too significant of a change, I think.