Hackers Use Anthropic’s Claude AI to Attack 30 Global Targets


Chinese state-sponsored hackers used Anthropic’s Claude AI to conduct automated cyberattacks against approximately 30 global targets. Reports suggest the hackers deployed the autonomous attacks in mid-September 2025, as acknowledged by Anthropic.

As the company disclosed:

We recently argued that an inflection point had been reached in cybersecurity: a point at which AI models had become genuinely useful for cybersecurity operations, both for good and for ill. This was based on systematic evaluations showing cyber capabilities doubling in six months; we’d also been tracking real-world cyberattacks, observing how malicious actors were using AI capabilities. While we predicted these capabilities would continue to evolve, what has stood out to us is how quickly they have done so at scale.

Tracked as GTG-1002, the campaign targeted large tech companies, financial institutions, chemical manufacturing firms, and government agencies. A subset of intrusion attempts succeeded. Anthropic has since banned the relevant accounts and deployed defensive mechanisms to detect similar attacks going forward.

GTG-1002 marks the first time threat actors used AI to conduct a large-scale cyberattack without major human intervention. The attackers used Claude Code, Anthropic’s AI coding tool, combined with Model Context Protocol (MCP) tools. Claude Code acted as a central coordinator, processing operator instructions and breaking multi-stage attacks into smaller tasks distributed across sub-agents.

The AI handled 80% to 90% of tactical operations autonomously, at speeds no human operator could match, while human operators focused on campaign initialization. The attack chain covered the full offensive lifecycle: reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration. The framework accepts a target from a human operator, then uses MCP to map the attack surface, discover vulnerabilities, generate tailored exploit payloads, and execute post-exploitation activities autonomously.

In one attack against an unnamed technology company, Claude independently queried databases, parsed results, flagged proprietary information, and grouped findings by intelligence value. The AI also generated detailed attack documentation at every phase, potentially enabling handoff of persistent access to separate teams for long-term operations.

The campaign relied entirely on publicly available tools, including network scanners, database exploitation frameworks, password crackers, and binary analysis suites. Investigators found no custom malware development. However, AI hallucinations created operational problems, as Claude fabricated credentials and misidentified publicly available data as critical intelligence.

Anthropic warned that GTG-1002 shows barriers to sophisticated cyberattacks have dropped substantially. Less experienced threat actors can now potentially execute large-scale operations using agentic AI as a substitute for entire teams of experienced hackers. The disclosure follows a separate July 2025 incident where Anthropic disrupted another Claude-powered operation conducting large-scale personal data theft and extortion.

As Anthropic puts it:

This attack is an escalation even on the “vibe hacking” findings we reported this summer: in those operations, humans were very much still in the loop, directing the operations. Here, human involvement was much less frequent, despite the larger scale of the attack. And while our visibility is limited to Claude usage, this case study likely reflects consistent patterns of behavior across frontier AI models and demonstrates how threat actors are adapting their operations to exploit today’s most advanced AI capabilities.

OpenAI and Google have also recently disclosed similar abuse of ChatGPT and Gemini by state-linked actors.
