Anthropic AI cyberattacks

Technology
Written By Analyst

By Carlotta Kozlowskyj | 8 December 2025

Summary

  • In November 2025, Anthropic disclosed that it had detected the world’s first large-scale cyber-espionage campaign conducted primarily by an AI system. 

  • Attackers manipulated Anthropic’s assistant, Claude Code, into executing intrusion operations with minimal human supervision, targeting government agencies, financial institutions, technology firms and chemical manufacturers. 

  • The incident shows that threat actors are increasingly weaponising AI systems, significantly lowering the barriers to advanced cyber operations.

Context

In mid-September 2025, Anthropic detected a cyber-espionage operation targeting approximately 30 organisations worldwide. The company reported that this was the first documented AI-enabled cyberattack executed at scale, with the AI system performing the majority of operations. Anthropic’s AI assistant, Claude Code, was manipulated by a Chinese state-sponsored group, GTG-1002, to infiltrate government agencies, financial institutions, technological firms and chemical manufacturing companies. The threat actor manipulated Claude into functioning as an autonomous cyber-attack agent performing intrusion operations.

According to Anthropic, AI carried out 80 to 90% of the tactical operations independently without human interaction, including reconnaissance, vulnerability analysis, data analysis and exfiltration. It even discovered autonomously vulnerabilities in targets selected by human operators.  However, the operations were modest in scope, and they were successful in only a small number of cases. Upon detection, Anthropic suspended the malicious accounts, shutting down the cyber operation and notifying all the affected parties. 

Implications

This AI-enabled cyberattack demonstrated that the barriers to carrying out AI-driven cyberattacks have substantially diminished. Threat actors can now use AI agents to perform tasks traditionally carried out by experienced human hackers. AI systems can be manipulated to rapidly analyse target systems for weaknesses, exploit existing code, and process stolen datasets. This implies that less experienced and resourceful threat agents are now able to leverage AI for large-scale attacks of this nature. Threat actors are adapting their operations to emerging technologies and increasingly relying on exploiting AI capabilities to their advantage. 

The central concern of this cyberattack is not its scale but the extent to which AI performed most of the work autonomously. AI agent systems, such as Claude, can now operate continuously across multiple targets simultaneously, with minimal oversight. AI systems are increasingly being used as active operators in cyberattacks, rather than solely as support tools. These attacks demonstrate how threat actors can leverage commercial AI tools for offensive cyber activity, raising regulatory challenges. The US Congress is increasingly interested in how nation-state actors could conduct similar AI-driven cyberattacks and what defensive capabilities organisations need. Despite the risks, advanced AI systems remain essential for cyber defence, particularly in anomaly detection, threat intelligence, and automated incident response.  

Criminal organisations are likely to benefit most from AI-enabled cyberattacks in the short term, as AI systems lower the threshold to run complex hacking campaigns, enabling low-capability actors to conduct operations that would otherwise require specialist expertise. State actors can also turn AI developments to their advantage, given their existing advanced cyber-infrastructure, but they remain initially constrained by legal and regulatory barriers that slow the adoption of offensive AI  tools. By contrast, criminal groups are largely insulated from accountability and can immediately exploit AI’s ability for reconnaissance, vulnerability analysis and data infiltration, giving them a disproportionate advantage in the early development of this technology. Nevertheless, in the long term, state actors will likely benefit the most once they have adapted, as their intelligence structures do not operate within the same regulatory framework that constrains private organisations, allowing them to integrate AI at scale and with greater protection.

Forecast

  • Short-term (Now - 3 months)

    • It is very likely that AI-driven cyberattacks will increase in both frequency and intensity, as threat actors experiment with AI tools. 

    • It is likely that governments and cybersecurity firms will prioritise monitoring AI-enabled intrusions and issue updated defensive guidance.

  • Long-term (>1 year)

    • It is very likely that the US will implement new cybersecurity regulations to protect companies and federal agencies against AI-enabled cyberattacks. 

    • It is likely that AI hacking campaigns will primarily target medium-sized businesses and government agencies, as they are the most vulnerable targets, lacking the resources for advanced AI-driven defensive systems. 

    • It is likely that AI will remain both a growing threat and a defensive asset, as it will also strengthen automated defence and incident response.

BISI Probability Scale
Analyst
Next

Semiconductor Grey-Zone Warfare