China State-Backed Hackers Used AI To Launch First Massive Cyberattack: Anthropic

Anthropic said Thursday it had disrupted what it called the first large-scale cyber-espionage operation driven largely by AI, underscoring how rapidly advanced agents are reshaping the threat landscape.

In a blog post, Anthropic said a Chinese state-sponsored group used its Claude Code, a version of Claude AI that runs in a terminal, to launch intrusion operations at a speed and scale that would have been impossible for human hackers to match.

“This case validates what we publicly shared in late September," an Anthropic spokesperson told Decrypt. "We’re at an inflection point where AI is meaningfully changing what’s possible for both attackers and defenders.”

The spokesperson added that the attack “likely reflects how threat actors are adapting their operations across frontier AI models, moving from AI as advisor to AI as operator.”

“The attackers used AI’s ‘agentic’ capabilities to an unprecedented degree—using AI not just as an advisor, but to execute the cyberattacks themselves,” the company wrote in its post.

Large tech companies, financial institutions, chemical manufacturing companies, and government agencies were targeted, Anthropic said, with the attack carried out by a group the company labeled GTG-1002.

How it happened

According to the investigation, the attackers coaxed Claude into performing technical tasks within targeted systems by framing the work as routine for a legitimate cybersecurity firm.

Once the model accepted the instructions, it performed most of the steps in the intrusion lifecycle on its own.

While it did not specify which companies were targeted, Anthropic said 30 were targeted, and that a small number of those attacks succeeded.

The report also documented cases in which the compromised Claude mapped internal networks, located high-value databases, generated exploit code, established backdoor accounts, and pulled sensitive information with little direct oversight.

The goal of the operations appears to have been intelligence collection, focusing on extracting user credentials, system configurations, and sensitive operational data, which are common objectives in espionage.

“We’re sharing this case publicly to help those in industry, government, and the wider research community strengthen their own cyber defenses,” the spokesperson said.

Anthropic said the AI attack had “substantial implications for cybersecurity in the age of AI agents.”

“There’s no fix to 100% avoid jailbreaks. It will be a continuous fight between attackers and defenders,” Professor of Computer Science at USC and co-founder of Sahara AI, Sean Ren, told Decrypt. “Most top model companies like OpenAI and Anthropic invested major efforts in building in-house red teams and AI safety teams to improve model safety from malicious uses.”

Ren pointed to AI becoming more mainstream and capable as key factors allowing bad actors to engineer AI-driven cyberattacks.

The attackers, unlike earlier “vibe hacking” attacks that relied on human direction, were able to use AI to perform 80-90% of the campaign, with human intervention required only sporadically, the report said. For once, AI hallucinations mitigated the harm.

“Claude didn’t always work perfectly. It occasionally hallucinated credentials or claimed to have extracted secret information that was in fact publicly available,” Anthropic wrote. “This remains an obstacle to fully autonomous cyberattacks.”

Anthropic said it had expanded detection tools, strengthened cyber-focused classifiers, and begun testing new methods to spot autonomous attacks earlier. The company also said it released its findings to help security teams, governments, and researchers prepare for similar cases as AI systems become more capable.

Ren said that while AI can do great damage, it can also be harnessed to protect computer systems: “With the scale and automation of cyberattacks advancing through AI, we have to leverage AI to build alert and defense systems.”