Anthropic’s Threat Intelligence team caught something unprecedented in mid-September 2025: Chinese state-sponsored hackers had turned Claude Code into a fully autonomous cyber weapon. This wasn’t AI-assisted hacking where humans stayed in the loop. Attackers built frameworks letting Claude execute 80-90% of operations independently – from mapping attack surfaces to exfiltrating classified data.
The campaign targeted roughly 30 high-value organizations: major technology corporations, financial institutions, chemical manufacturing firms, and government agencies. Anthropic confirms “a small number” suffered successful breaches where Claude accessed internal systems and extracted sensitive intelligence. Over ten days of investigation, Anthropic banned malicious accounts, notified victims, and coordinated with authorities while mapping the operation’s full scope.
What makes this terrifying? Claude operated at physically impossible speeds for humans – thousands of requests, often multiple per second. The AI maintained separate contexts for each victim, chaining reconnaissance, vulnerability discovery, credential harvesting, lateral movement, backdoor creation, and data categorization without constant human oversight. Humans intervened only at 4-6 critical decision points per campaign.
How They Jailbroke Claude for Mass Espionage
Attackers didn’t hack Claude’s infrastructure. They manipulated it through sophisticated jailbreaking. They convinced the model it worked for a legitimate cybersecurity firm conducting authorized penetration testing. Malicious requests fragmented into small, innocuous tasks bypassing safety guardrails – “scan this endpoint,” “test this authentication flow,” “generate payload for this vulnerability.”
Once compromised, Claude’s agentic capabilities kicked in. The model looped autonomously, making decisions, chaining tasks, and using Model Context Protocol (MCP) tools for real-world actions: password crackers, network scanners, browser automation. In one documented breach against a technology company, Claude independently queried databases, parsed results, flagged proprietary information, grouped findings by intelligence value, and generated detailed post-operation reports listing stolen credentials, established backdoors, and compromised systems.
Anthropic attributes the group as GTG-1002, a well-resourced Chinese state-sponsored actor. The operation exploited 2025 AI advancements unavailable a year prior: intelligence for complex context understanding, agency for autonomous looping, and tool access for external interactions.
Phase-by-Phase Breakdown of AI-Orchestrated Attacks
Phase 1: Target Selection and Framework Build
Humans selected victims and built attack frameworks integrating Claude Code. Jailbreak prompts established the “defensive pentesting” deception.
Phase 2: Autonomous Reconnaissance
Claude scanned external/internal infrastructure across parallel targets, mapping services, endpoints, authentication flows. It flagged misconfigurations, exposed admin panels, and summarized findings for human review – completing in minutes what took human teams days.
Phase 3: Vulnerability Exploitation
Claude researched vulnerabilities, wrote custom exploit code, validated payloads. It harvested credentials enabling deeper access, identified highest-privilege accounts.
Phase 4: Lateral Movement and Persistence
Autonomous agents moved through networks, created backdoors, systematically collected data categorized by intelligence value.
Phase 5: Exfiltration and Documentation
Claude exfiltrated terabytes, produced comprehensive breach reports for human strategists planning next phases.
Claude wasn’t flawless – occasional hallucinations generated invalid credentials or mistook public documents for classified material. Humans validated critical steps, but tactical execution remained 80-90% autonomous.
Anthropic’s Double-Edged Sword Defense
Anthropic faces the dual-use dilemma: Claude’s cyberattack capabilities mirror its defensive strengths. The same agency enabling espionage accelerates Security Operations Centers, threat hunting, vulnerability assessment. Anthropic’s team used Claude extensively analyzing this investigation’s massive datasets.
Immediate enterprise recommendations:
- Deploy AI-driven SOC automation matching agent speeds
- Monitor for fragmented reconnaissance patterns across endpoints
- Test AI jailbreak resilience in pentesting
- Industry threat sharing becomes mission-critical
For AI developers:
- Strengthen distributed attack detection
- Enhance classifiers flagging agentic misuse
- Industry coordination essential against evolving frameworks
