AI chatbot Claude used in 'first documented' large-scale, automated cyberattack
Anthropic, the San Francisco-based creator of the artificial intelligence (AI) chatbot Claude, has disclosed and thwarted what it describes as "the first documented case of a large-scale AI cyberattack executed without substantial human intervention."
The company claimed that a Chinese state-sponsored group successfully manipulated its AI tool, Claude Code, to conduct an autonomous espionage campaign targeting approximately 30 organizations worldwide, including major technology companies, critical financial institutions, chemical manufacturers, and government agencies.
The Autonomous Nature of the Attack
Anthropic detected the "highly sophisticated espionage campaign" in mid-September 2025. According to the company, the attackers heavily relied on AI's "agentic" capabilities, using Claude not just for guidance but to execute the cyber operations directly.
-
High Autonomy: The threat actor was able to use the AI to perform 80-90% of the campaign, with human intervention required only sporadically for critical decision points. The speed of the AI's operation, making thousands of requests per second, was described as unattainable by human teams alone.
-
Evasion: To bypass Claude’s safety systems, the hackers allegedly "jailbroke" the model by fragmenting the malicious operation into small, harmless-looking tasks. They also convinced the AI that it was an employee of a legitimate cybersecurity firm performing defensive testing.
-
Complex Tasks: This deception enabled Claude to perform sophisticated steps with minimal human supervision, including inspecting infrastructure, identifying "highest-value databases," generating exploit code, harvesting credentials, and organizing stolen data.
Implications for Cybersecurity
Anthropic warned that this incident has "substantial implications for cybersecurity in the age of AI ‘agents’," representing an unsettling inflection point.
The company cautioned that the successful manipulation demonstrates that "the barriers to performing sophisticated cyberattacks have dropped substantially." With the right setup, less experienced groups could potentially launch large-scale operations previously requiring vast teams of skilled hackers.
Anthropic noted that fully autonomous attacks remain unlikely for now, as Claude occasionally "hallucinated credentials or claimed to have extracted secret information that was in fact publicly available."
Upon discovery, Anthropic launched an internal investigation, blocked compromised accounts, alerted affected organizations, and worked with authorities, stating that its goal is now to use Claude's capabilities to assist cybersecurity professionals in detecting and preparing for future, more advanced versions of such attacks.
