Anthropic
revealed Thursday that its Claude Code AI tool was used in a sophisticated cyberattack campaign targeting about 30 global organizations, believed to be orchestrated by Chinese state-sponsored threat actors.
The campaign, which was discovered in mid-September 2025, involved multiple Claude agents working autonomously throughout each stage of an attack, with the AI doing 80-90% of the work and humans intervening only 10-20% of the time, the company said.
“The actor achieved what we believe is the first documented case of a cyberattack largely executed without human intervention at scale,” Anthropic stated in its
full report on the incident.
The threat actor, dubbed GTG-1002, selected targets including major technology companies, financial institutions, chemical manufacturers and government agencies and leveraged several independent Claude Code instances interfacing with a range of tools via the Model Context Protocol (MCP) to attempt its intrusions.
Anthropic reported intrusions were successful in a “handful” of cases.
“This is no longer a theoretical risk, but an active threat. The cybersecurity community must treat AI-agent misuse as a present danger, not a future possibility,” Chrissa Constantine, senior cybersecurity solution architect at Black Duck, told SC Media in an email.
Attackers leveraged open-source tools, role-based jailbreaks
Claude was enlisted by GTG-1002 to perform a wide range of tasks autonomously at each stage of an attack, with the attackers circumventing the model’s guardrails by convincing it to take the role of an employee at a cybersecurity firm performing legitimate defensive security testing.
The attackers first presented Claude with a target then had the model autonomously perform reconnaissance using tools such as browser automation to probe target infrastructure, authentication mechanisms and potential vulnerabilities. These activities were performed against multiple targets in parallel using isolated Claude instances.
In the next phase, Claude leveraged discovered vulnerabilities to generate exploitation payloads and test these payloads via remote command interfaces, providing human operators with exploitability reports before initiating an intrusion.
Once initial access was made, Claude began to collect credentials for lateral movement, including by querying internal services, retrieving authentication certificates from configuration files and testing the credentials it harvested against discovered systems.
“Claude independently determined which credentials provided access to which services, mapping privilege levels and access boundaries without human direction,” Anthropic stated.
The agents then proceeded with lateral movement and comprehensive mapping of network architecture, testing authentication against internal APIs, databases and container registries, the company said.
Data collection following successful intrusion and lateral movement demonstrated “the most extensive AI autonomy” seen in any phase of the attack, according to Anthropic. Claude independently queried databases and other systems, extracted the data and then analyzed and classified the data based on its intelligence value.
Throughout the attack, Claude generated extensive documentation including markdown files tracking discovered services, exploitation techniques, harvested credentials, extracted data and attack progress at every stage. Additionally, the agents created backdoor user accounts for persistent access, with evidence suggesting this access was handed off to human operators for follow-on operations.
The AI agents were noted to perform tasks much faster than a human could possibly achieve, with peak activity including thousands of requests sustained at a rate of multiple requests per second.
“The hackers are using AI to do what any good hacker would do (looking for weaknesses, pivoting once inside, changing attack patterns, etc.), but the speed and automation provided by the AI is what is a bit scary,” noted Adam Arellano, field CTO at Traceable by Harness, in an email to SC Media.
The tools used to enable Claude’s autonomous actions were mostly open-source penetration testing tools such as network scanners, database exploitation frameworks, password crackers and binary analysis tools, Anthropic noted. While custom malware was not used, a custom automation framework built around MCP servers was used to orchestrate the integration between multiple Claude agents and the extensive suite of tools.
How can organizations respond to autonomous AI attacks?
Experts who spoke to SC Media about this incident praised Anthropic for its transparency and emphasized the need to adapt threat models and defenses to the era of AI-powered attacks.
“The old world pattern of addressing and disposing of issues, attacks, and abuse quietly only benefits the attackers,” Trey Ford, chief strategy and trust officer a Bugcrowd, told SC Media. “We need to support and encourage companies to follow Anthropic’s example here by collecting actionable intelligence, working with various government agencies, and then notifying the public of changes.”
The key factor setting AI attacks apart from human-driven campaigns is not technique but speed, experts noted. Organizations are thus encouraged to strengthen existing protections while speeding up vulnerability management, detection and response mechanisms with automation and AI-driven solutions.
“Defenders can no longer rely on traditional detection cycles or manual review. Security programs must be shored up with the visibility, automation and disciplined cyber hygiene needed to counter attacks that operate at machine speed,” said Diana Kelley, CISO at Noma Security.
As AI attacks become more commonplace, many experts say defenders will have no choice but to leverage their own AI to keep up with the pace of attacks.
“Certain security principles will remain useful and important, like least privilege and effective security operations procedures, but to keep up with this kind of attack, security tools that leverage AI to respond as quickly as the AI attacking will be essential,” said Arellano.
Toby Lewis, global head of threat analysis at Darktrace, added that defenders should not lose sight of the fact that AI-driven attacks still use the same basic tools and techniques that human attackers use. Organizations should be prepared to respond to any attack, whether or not AI is involved in its execution.
“It is important for organizations to remember that AI-driven attacks cannot always be identified as so: regardless of whether the code was produced by an AI system or written manually, it behaves the same once it’s inside the victim’s environment,” Lewis said.
Anthropic said it has banned all accounts identified as being involved in the GTG-1002 attack campaign and notified affected organizations and law enforcement where appropriate.
It also said it has expanded its detection abilities to account for “novel threat patterns,” improved its cyber-related classifiers and is currently prototyping additional early detection systems for autonomous AI-driven cyberattacks.